MadPogo has asked for the wisdom of the Perl Monks concerning the following question:

I am currently working on a project where I am attempting to utilize the Tar.pm module. I have noticed that it seems when you use the extract_archive method - if the tar file uses relative paths it works like a champ, when you specify absolute references (e.g. /WEB/CGI/nasty.cgi) it seems to ignore the file extraction and returns no error (as I would prefer - avoiding abuse, though an error would be appreciated). However when I tar the file specifying (e.g. ../CGI/nasty.cgi) it will extract the file in the parent directory of the current working directory. I am trying to determine how to prevent a user from abusing this and creating a potential security hole but would appreciate any insight you Monks might have. Am I overlooking something? And if so are there any **GOOD** references out there on Archive::Tar usage? Thanx in advance.

Re: Security Hole in Archive::Tar ??
by merlyn (Sage) on Apr 02, 2002 at 23:54 UTC
      That's not how GNU tar behaves.

      (Ok, so gnu tar is a lot smarter than standard tar. But standard tar, at least on Solaris, will expand absolute paths...)

      Using gnu tar (on cygwin, although it shouldn't matter)

      $ mkdir a
      $ cd a
      $ touch a_file
      $ mkdir b
      $ cd b
      $ touch b_file
      $ tar cvf /tmp/abc.tar b_file ../a_file
      $ tar cvf /tmp/abc.tar b_file ../a_file
      b_file
      tar: Member names contain `..'
      ../a_file
      $ tar tvf /tmp/abc.tar
      -rw-r--r-- mike/mike 0 2002-04-03 06:48:08 b_file
      -rw-r--r-- mike/mike 0 2002-04-03 06:48:02 ../a_file
      $ rm b_file ../a_file
      $ tar xvf /tmp/abc.tar
      b_file
      ../a_file
      tar: ../a_file: Member name contains `..'
      tar: Error exit delayed from previous errors
      $ ls . ..
      .:
      b_file

      ..:
      b
      See? The file in .. was not extracted.

      Wish I had time to download Archive::Tar to test what it would do, but I have to run to get to work.
      --
      Mike

        I had the same error " member name contains `..' " when extracting an archive (and running it through gzip).

        # tar -zxvf my_tar_file.tar.gz

        The problem - I think - is that I created a tarball while being in some subdirectory. To cut the leading `\' from filenames I used the -P option. So the new cmd is:

        tar -zxvfP my_tar_file.tar.gz
Re: Security Hole in Archive::Tar ??
by agentv (Friar) on Apr 03, 2002 at 01:10 UTC
    ...can you in fact, confirm that the module will refuse to extract files that need an absolute path? In a simple test with tar (gnu tar v1.13.17) I find that tar will simply ignore the leading slash and install files relative to the local directory.

    I would expect Tar.pm to do the same (will test it when I get home).

    One approach you might take is to have your program inspect the pathnames on component files of a tarball to see if absolute paths or "upward" references are used. Your program can then provide the logic to deal with these cases.

    I'll see if I can provide an example of this.

    ---v
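The pre-extraction inspection agentv describes, written out as an added example (it is not agentv's promised code nor part of Archive::Tar itself). It assumes a current Archive::Tar whose member objects expose full_path, is_symlink, is_hardlink and linkname, and it refuses the whole archive if any member name or link target would land outside the extraction directory:

```perl
use strict;
use warnings;
use Archive::Tar;
use File::Basename qw(dirname);

# Return why a path must be rejected, or undef if it stays inside the extraction
# directory. Walked component by component so "a/../../x" is caught too.
sub unsafe_reason {
    my ($path) = @_;
    return 'absolute path'     if $path =~ m{^/};
    return 'backslash in name' if $path =~ m{\\};   # Windows separator
    my $depth = 0;
    for my $part (split m{/+}, $path) {
        next if $part eq '' || $part eq '.';
        if ($part eq '..') { return 'escapes via ".."' if --$depth < 0; next; }
        $depth++;
    }
    return undef;
}

# Vet every member before extracting anything, so one bad entry rejects
# the whole archive instead of leaving a half-written tree behind.
sub vet_archive {
    my ($tar) = @_;
    my @problems;
    for my $m ($tar->get_files) {
        my $name = $m->full_path;          # prefix + name, as stored in the header
        if (my $why = unsafe_reason($name)) { push @problems, "$name: $why" }
        # Link targets can escape too (a symlink to /etc followed by a member
        # written "through" it). Symlink targets are relative to the link's own
        # directory; hard-link targets are archive-relative, so check them as-is.
        if ($m->is_symlink || $m->is_hardlink) {
            my $target = $m->linkname;
            my $joined = ($m->is_hardlink || $target =~ m{^/})
                       ? $target : dirname($name) . "/$target";
            if (my $why = unsafe_reason($joined)) {
                push @problems, "$name -> $target: link target $why";
            }
        }
    }
    return @problems;
}

my $file = shift or die "usage: $0 archive.tar [extract_dir]\n";
my $dest = shift // '.';
my $tar  = Archive::Tar->new($file) or die Archive::Tar->error;
if (my @bad = vet_archive($tar)) {
    die "refusing to extract $file:\n" . join('', map { "  $_\n" } @bad);
}
chdir $dest or die "chdir $dest: $!";
$tar->extract or die Archive::Tar->error;
```

Newer Archive::Tar releases already refuse absolute and `..` member paths unless $Archive::Tar::INSECURE_EXTRACT_MODE is set, but vetting first still gives the all-or-nothing behaviour and the explicit error the original question asks for.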

Re: Security Hole in Archive::Tar ??
by zengargoyle (Deacon) on Apr 03, 2002 at 01:36 UTC

    I get the auto stripping also...

    But, you could do this type of evil...

    [root@localhost root]# mkdir /foo.chroot /foo.chroot/lib
    [root@localhost root]# ldd /bin/tar
            librt.so.1 => /lib/librt.so.1 (0x40027000)
            libc.so.6 => /lib/libc.so.6 (0x40039000)
            libpthread.so.0 => /lib/libpthread.so.0 (0x40177000)
            /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
    [root@localhost root]# (cd /lib && cp -p librt.so.1 libc.so.6 libpthread.so.0 ld-linux.so.2 /foo.chroot/lib)
    [root@localhost root]# cp -p /bin/tar /foo.chroot
    [root@localhost root]#
    [root@localhost root]# cat >/etc/passwd.gotcha
    gotcha!
    ^D
    [root@localhost root]# tar cvf gotcha.tar /etc/passwd.gotcha
    tar: Removing leading `/' from member names
    etc/passwd.gotcha
    [root@localhost root]# man tar
    ...
    [root@localhost root]# tar Pcvf gotcha.tar /etc/passwd.gotcha
    /etc/passwd.gotcha
    [root@localhost root]# tar tvf gotcha.tar
    -rw-r--r-- root/root 8 2002-04-02 17:15:50 /etc/passwd.gotcha
    [root@localhost root]# rm -f /etc/passwd.gotcha
    [root@localhost root]# tar xvf gotcha.tar
    /etc/passwd.gotcha
    tar: Removing leading `/' from member names
    [root@localhost root]# ls ./etc/passwd.gotcha
    ./etc/passwd.gotcha
    [root@localhost root]# rm ./etc/passwd.gotcha
    [root@localhost root]# tar Pxvf gotcha.tar
    /etc/passwd.gotcha
    [root@localhost root]# ls /etc/passwd.gotcha
    /etc/passwd.gotcha
    [root@localhost root]# rm /etc/passwd.gotcha
    [root@localhost root]# # ob. untested perl ;)
    [root@localhost root]# perl -e 'print qx(cat gotcha.tar | chroot /foo.chroot ./tar Pxvf -)'
    /etc/passwd.gotcha
    [root@localhost root]# ls /etc/passwd.gotcha
    ls: /etc/passwd.gotcha: No such file or directory
    [root@localhost root]# ls /foo.chroot/etc/passwd.gotcha
    /foo.chroot/etc/passwd.gotcha