busybox/testsuite/tar.tests
Denys Vlasenko a84db18fc7 tar,unzip: postpone creation of symlinks with "suspicious" targets
This mostly reverts commit bc9bbeb2b81001e8731cd2ae501c8fccc8d87cc7
"libarchive: do not extract unsafe symlinks unless $EXTRACT_UNSAFE_SYMLINKS=1"

Users report that it is somewhat too restrictive. See
https://bugs.busybox.net/show_bug.cgi?id=8411

In particular, this interferes with unpacking of busybox-based
filesystems with links like "sbin/applet" -> "../bin/busybox".

The change is made smaller by deleting ARCHIVE_EXTRACT_QUIET flag -
it is unused since 2010, and removing conditionals on it
allows commonalizing some error message codes.

function                                             old     new   delta
create_or_remember_symlink                             -      94     +94
create_symlinks_from_list                              -      64     +64
tar_main                                            1002    1006      +4
unzip_main                                          2732    2724      -8
data_extract_all                                     984     891     -93
unsafe_symlink_target                                147       -    -147
------------------------------------------------------------------------------
(add/remove: 2/1 grow/shrink: 1/2 up/down: 162/-248)          Total: -86 bytes

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2018-02-20 16:06:53 +01:00

369 lines
10 KiB
Bash
Executable File
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

#!/bin/sh
# Copyright 2009 by Denys Vlasenko
# Licensed under GPLv2, see file LICENSE in this source tree.
. ./testing.sh
unset LANG
unset LANGUAGE
unset LC_COLLATE
unset LC_ALL
umask 022
# testing "test name" "script" "expected result" "file input" "stdin"
testing "Empty file is not a tarball" '\
tar xvf - 2>&1; echo $?
' "\
tar: short read
1
" \
"" ""
SKIP=
optional FEATURE_SEAMLESS_GZ GUNZIP
# In NOMMU case, "invalid magic" message comes from gunzip child process.
# Otherwise, it comes from tar.
# Need to fix output up to avoid false positive.
testing "Empty file is not a tarball.tar.gz" '\
{ tar xvzf - 2>&1; echo $?; } | grep -Fv "invalid magic"
' "\
tar: short read
1
" \
"" ""
SKIP=
testing "Two zeroed blocks is a ('truncated') empty tarball" '\
dd if=/dev/zero bs=512 count=2 2>/dev/null | tar xvf - 2>&1; echo $?
' "\
0
" \
"" ""
SKIP=
testing "Twenty zeroed blocks is an empty tarball" '\
dd if=/dev/zero bs=512 count=20 2>/dev/null | tar xvf - 2>&1; echo $?
' "\
0
" \
"" ""
SKIP=
mkdir tar.tempdir && cd tar.tempdir || exit 1
# "tar cf test.tar input input_dir/ input_hard1 input_hard2 input_hard1 input_dir/ input":
# GNU tar 1.26 records as hardlinks:
# input_hard2 -> input_hard1
# input_hard1 -> input_hard1 (!!!)
# input_dir/file -> input_dir/file
# input -> input
# As of 1.24.0, we don't record last two: for them, nlink==1
# and we check for "hardlink"ness only files with nlink!=1
# We also don't use "hrw-r--r--" notation for hardlinks in "tar tv" listing.
optional FEATURE_TAR_CREATE FEATURE_LS_SORTFILES
testing "tar hardlinks and repeated files" '\
>input_hard1
ln input_hard1 input_hard2
mkdir input_dir
>input_dir/file
chmod -R 644 *
chmod 755 input_dir
tar cf test.tar input input_dir/ input_hard1 input_hard2 input_hard1 input_dir/ input
tar tvf test.tar | sed "s/.*[0-9] input/input/"
rm -rf input_dir
tar xf test.tar 2>&1
echo Ok: $?
ls -l . input_dir/* | grep input_ | sed "s/\\(^[^ ]*\\) .* input/\\1 input/"
' "\
input
input_dir/
input_dir/file
input_hard1
input_hard2 -> input_hard1
input_hard1 -> input_hard1
input_dir/
input_dir/file
input
Ok: 0
-rw-r--r-- input_dir/file
drwxr-xr-x input_dir
-rw-r--r-- input_hard1
-rw-r--r-- input_hard2
" \
"" ""
SKIP=
cd .. || exit 1; rm -rf tar.tempdir 2>/dev/null
mkdir tar.tempdir && cd tar.tempdir || exit 1
optional FEATURE_TAR_CREATE FEATURE_LS_SORTFILES
testing "tar hardlinks mode" '\
>input_hard1
chmod 741 input_hard1
ln input_hard1 input_hard2
mkdir input_dir
ln input_hard1 input_dir
ln input_hard2 input_dir
chmod 550 input_dir
# On some filesystems, input_dir/input_hard2 is returned by readdir
# BEFORE input_dir/input_hard1! Thats why we cant just "tar cf ... input_*":
tar cf test.tar input_dir/input_hard* input_hard*
tar tvf test.tar | sed "s/.*[0-9] input/input/"
chmod 770 input_dir
rm -rf input_*
tar xf test.tar 2>&1
echo Ok: $?
ls -l . input_dir/* | grep "input.*hard" | sed "s/\\(^[^ ]*\\) .* input/\\1 input/"
' "\
input_dir/input_hard1
input_dir/input_hard2 -> input_dir/input_hard1
input_hard1 -> input_dir/input_hard1
input_hard2 -> input_dir/input_hard1
Ok: 0
-rwxr----x input_dir/input_hard1
-rwxr----x input_dir/input_hard2
-rwxr----x input_hard1
-rwxr----x input_hard2
" \
"" ""
SKIP=
cd .. || exit 1; rm -rf tar.tempdir 2>/dev/null
mkdir tar.tempdir && cd tar.tempdir || exit 1
optional FEATURE_TAR_CREATE FEATURE_LS_SORTFILES
testing "tar symlinks mode" '\
>input_file
chmod 741 input_file
ln -s input_file input_soft
mkdir input_dir
ln input_file input_dir
ln input_soft input_dir
chmod 550 input_dir
tar cf test.tar input_dir/* input_[fs]*
tar tvf test.tar | sed "s/.*[0-9] input/input/" | sort
chmod 770 input_dir
rm -rf input_*
tar xf test.tar 2>&1
echo Ok: $?
ls -l . input_dir/* | grep "input_[fs]" | sed "s/\\(^[^ ]*\\) .* input/\\1 input/"
' "\
input_dir/input_file
input_dir/input_soft -> input_file
input_file -> input_dir/input_file
input_soft -> input_dir/input_soft
Ok: 0
-rwxr----x input_dir/input_file
lrwxrwxrwx input_file
-rwxr----x input_file
lrwxrwxrwx input_file
" \
"" ""
SKIP=
cd .. || exit 1; rm -rf tar.tempdir 2>/dev/null
mkdir tar.tempdir && cd tar.tempdir || exit 1
optional FEATURE_TAR_CREATE FEATURE_TAR_LONG_OPTIONS
testing "tar --overwrite" "\
ln input input_hard
tar cf test.tar input_hard
echo WRONG >input
# --overwrite opens 'input_hard' without unlinking,
# thus 'input_hard' still linked to 'input' and we write 'Ok' into it
tar xf test.tar --overwrite 2>&1 && cat input
" "\
Ok
" \
"Ok\n" ""
SKIP=
cd .. || exit 1; rm -rf tar.tempdir 2>/dev/null
mkdir tar.tempdir && cd tar.tempdir || exit 1
test x"$SKIP_KNOWN_BUGS" = x"" && {
# Needs to be run under non-root for meaningful test
optional FEATURE_TAR_CREATE
testing "tar writing into read-only dir" '\
mkdir input_dir
>input_dir/input_file
chmod 550 input_dir
tar cf test.tar input_dir
tar tvf test.tar | sed "s/.*[0-9] input/input/"
chmod 770 input_dir
rm -rf input_*
tar xf test.tar 2>&1
echo Ok: $?
ls -l input_dir/* . | grep input_ | sed "s/\\(^[^ ]*\\) .* input/\\1 input/"
chmod 770 input_dir
' "\
input_dir/
input_dir/input_file
Ok: 0
-rw-r--r-- input_dir/input_file
dr-xr-x--- input_dir
" \
"" ""
SKIP=
}
cd .. || exit 1; rm -rf tar.tempdir 2>/dev/null
mkdir tar.tempdir && cd tar.tempdir || exit 1
# Had a bug where on extract autodetect first "switched off" -z
# and then failed to recognize .tgz extension
optional FEATURE_TAR_CREATE FEATURE_SEAMLESS_GZ GUNZIP
testing "tar extract tgz" "\
dd count=1 bs=1M if=/dev/zero of=F0 2>/dev/null
tar -czf F0.tgz F0
rm F0
tar -xzvf F0.tgz && echo Ok
rm F0 || echo BAD
" "\
F0
Ok
" \
"" ""
SKIP=
cd .. || exit 1; rm -rf tar.tempdir 2>/dev/null
mkdir tar.tempdir && cd tar.tempdir || exit 1
# Do we detect XZ-compressed data (even w/o .tar.xz or txz extension)?
# (the uuencoded hello_world.txz contains one empty file named "hello_world")
optional UUDECODE FEATURE_TAR_AUTODETECT FEATURE_SEAMLESS_XZ
testing "tar extract txz" "\
uudecode -o input && tar tf input && echo Ok
" "\
hello_world
Ok
" \
"" "\
begin-base64 644 hello_world.txz
/Td6WFoAAATm1rRGAgAhARYAAAB0L+Wj4AX/AEldADQZSe6ODIZQ3rSQ8kAJ
SnMPTX+XWGKW3Yu/Rwqg4Ik5wqgQKgVH97J8yA8IvZ4ahaCQogUNHRkXibr2
Q615wcb2G7fJU49AhWAAAAAAUA8gu9DyXfAAAWWADAAAAB5FXGCxxGf7AgAA
AAAEWVo=
====
"
SKIP=
cd .. || exit 1; rm -rf tar.tempdir 2>/dev/null
mkdir tar.tempdir && cd tar.tempdir || exit 1
# On extract, everything up to and including last ".." component is stripped
optional FEATURE_TAR_CREATE
testing "tar strips /../ on extract" "\
rm -rf input_* test.tar 2>/dev/null
mkdir input_dir
echo Ok >input_dir/file
tar cf test.tar ./../tar.tempdir/input_dir/../input_dir 2>&1
rm -rf input_* 2>/dev/null
tar -vxf test.tar 2>&1
cat input_dir/file 2>&1
" "\
tar: removing leading './../tar.tempdir/input_dir/../' from member names
input_dir/
input_dir/file
Ok
" \
"" ""
SKIP=
cd .. || exit 1; rm -rf tar.tempdir 2>/dev/null
mkdir tar.tempdir && cd tar.tempdir || exit 1
# attack.tar.bz2 has symlink pointing to a system file
# followed by a regular file with the same name
# containing "root::0:0::/root:/bin/sh":
# lrwxrwxrwx root/root passwd -> /tmp/passwd
# -rw-r--r-- root/root passwd
# naive tar implementation may end up creating the symlink
# and then writing into it.
# The correct implementation unlinks target before
# creating the second file.
# We test that /tmp/passwd remains empty:
optional UUDECODE FEATURE_TAR_AUTODETECT FEATURE_SEAMLESS_BZ2
testing "tar does not extract into symlinks" "\
>>/tmp/passwd && uudecode -o input && tar xf input 2>&1 && rm passwd; cat /tmp/passwd; echo \$?
" "\
tar: can't create symlink 'passwd' to '/tmp/passwd'
0
" \
"" "\
begin-base64 644 attack.tar.bz2
QlpoOTFBWSZTWRVn/bIAAKt7hMqwAEBAAP2QAhB0Y96AAACACCAAlISgpqe0
po0DIaDynqAkpDRP1ANAhiYNSPR8VchKhAz0AK59+DA6FcMKBggOARIJdVHL
DGllrjs20ATUgR1HmccBX3EhoMnpMJaNyggmxgLDMz54lBnBTJO/1L1lbMS4
l4/V8LDoe90yiWJhOJvIypgEfxdyRThQkBVn/bI=
====
"
SKIP=
cd .. || exit 1; rm -rf tar.tempdir 2>/dev/null
mkdir tar.tempdir && cd tar.tempdir || exit 1
# And same with -k
optional UUDECODE FEATURE_TAR_AUTODETECT FEATURE_SEAMLESS_BZ2
testing "tar -k does not extract into symlinks" "\
>>/tmp/passwd && uudecode -o input && tar xf input -k 2>&1 && rm passwd; cat /tmp/passwd; echo \$?
" "\
tar: can't create symlink 'passwd' to '/tmp/passwd'
0
" \
"" "\
begin-base64 644 attack.tar.bz2
QlpoOTFBWSZTWRVn/bIAAKt7hMqwAEBAAP2QAhB0Y96AAACACCAAlISgpqe0
po0DIaDynqAkpDRP1ANAhiYNSPR8VchKhAz0AK59+DA6FcMKBggOARIJdVHL
DGllrjs20ATUgR1HmccBX3EhoMnpMJaNyggmxgLDMz54lBnBTJO/1L1lbMS4
l4/V8LDoe90yiWJhOJvIypgEfxdyRThQkBVn/bI=
====
"
SKIP=
cd .. || exit 1; rm -rf tar.tempdir 2>/dev/null
mkdir tar.tempdir && cd tar.tempdir || exit 1
optional UNICODE_SUPPORT FEATURE_TAR_GNU_EXTENSIONS FEATURE_SEAMLESS_BZ2 FEATURE_TAR_AUTODETECT
testing "Pax-encoded UTF8 names and symlinks" '\
tar xvf ../tar.utf8.tar.bz2 2>&1; echo $?
export LANG=en_US.UTF-8
ls -l etc/ssl/certs/* | sed "s:.*etc/:etc/:" | sort
unset LANG
rm -rf etc usr
' "\
etc/ssl/certs/3b2716e5.0
etc/ssl/certs/EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.pem
etc/ssl/certs/f80cc7f6.0
usr/share/ca-certificates/mozilla/EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.crt
0
etc/ssl/certs/3b2716e5.0 -> EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.pem
etc/ssl/certs/EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.pem -> /usr/share/ca-certificates/mozilla/EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.crt
etc/ssl/certs/f80cc7f6.0 -> EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.pem
" \
"" ""
SKIP=
cd .. || exit 1; rm -rf tar.tempdir 2>/dev/null
mkdir tar.tempdir && cd tar.tempdir || exit 1
optional FEATURE_SEAMLESS_BZ2 FEATURE_TAR_AUTODETECT
testing "Symlink attack: create symlink and then write through it" '\
exec 2>&1
uudecode -o input && tar xvf input; echo $?
ls /tmp/bb_test_evilfile
ls bb_test_evilfile
ls symlink/bb_test_evilfile
' "\
anything.txt
symlink
symlink/bb_test_evilfile
tar: can't create symlink 'symlink' to '/tmp'
1
ls: /tmp/bb_test_evilfile: No such file or directory
ls: bb_test_evilfile: No such file or directory
symlink/bb_test_evilfile
" \
"" "\
begin-base64 644 tar_symlink_attack.tar.bz2
QlpoOTFBWSZTWZgs7bQAALT/hMmQAFBAAf+AEMAGJPPv32AAAIAIMAC5thlR
omAjAmCMADQT1BqNE0AEwAAjAEwElTKeo9NTR6h6gaeoA0DQNLVdwZZ5iNTk
AQwCAV6S00QFJYhrlfFkVCEDEGtgNVqYrI0uK3ggnt30gqk4e1TTQm5QIAKa
SJqzRGSFLMmOloHSAcvLiFxxRiQtQZF+qPxbo173ZDISOAoNoPN4PQPhBhKS
n8fYaKlioCTzL2oXYczyUUIP4u5IpwoSEwWdtoA=
====
"
SKIP=
cd .. || exit 1; rm -rf tar.tempdir 2>/dev/null
exit $FAILCOUNT