LinuxQuestions.org
Old 04-08-2014, 04:57 PM   #1
Myk267
Member
 
Registered: Apr 2012
Location: California
Posts: 422
Blog Entries: 16

Rep: Reputation: Disabled
Is there a fancy script somewhere to prevent tar/zip bombs?


Things that explode into the cwd are almost never what I want, and I figure that someone has written this so I don't have to.

There's gotta be some script that operates at a layer above tar/unzip/etc that can extract things in a safe way. I feel like I've described half of Perl's Extract Module, but maybe someone's already written the other half?
 
Old 04-08-2014, 05:22 PM   #2
haertig
Senior Member
 
Registered: Nov 2004
Distribution: Mint, MX, antiX, SystemRescue
Posts: 2,337

Rep: Reputation: 358
Not sure what a tar/zip bomb is. I assume a file that un-tar's everything into your current directory without first creating a subdirectory to contain things (that behavior is dependent on how the archive was created in the first place, not something within the tar command itself).

Do you mean like this?
Code:
# extract in a subshell, and only if the directory was created and entered
mkdir target_dir && (cd target_dir && tar xvzf ../the_bomb_file.tar.gz)
There is also a -C option to tar to change directory, which may be what you are wanting.
 
Old 04-08-2014, 05:27 PM   #3
metaschima
Senior Member
 
Registered: Dec 2013
Distribution: Slackware
Posts: 1,982

Rep: Reputation: 492
Here are some bash scripts that use Xdialog to help extract and compress files using p7zip; they always create a directory and extract into that directory to prevent messes.

Code:
#!/bin/sh
# use 7z and tar to extract archives, and Xdialog for gui

newdir="$(echo "$@" | rev | cut -d. -f1 --complement | rev)"

error() # error
{
	Xdialog --title "Error" --msgbox "$1" 0 0
	exit 1
}

success() # directory
{
	# make sure archive doesn't make a mess
	name="$(ls -1A "$1")"
	if test "$(echo "$name" | wc -l)" = 1
	then
		if test -e "$1/../$name"
		then
			if test "$name" = "$(basename "$1")"
			then
				if test ! -e "$1-$$"
				then
					mv "$1" "$1-$$" && mv "$1-$$/$name" "$1-$$/.." && rmdir "$1-$$"
				fi
			fi
		else
			mv "$1/$name" "$1/.." && rmdir "$1"
		fi
	fi
	Xdialog --title "Success" --msgbox "Extraction successful" 5 30
	exit 0
}

extract() # archive outputdir
{
	# try to extract the archive first
	if 7z x "-o$2" "$1"
	then
		success "$2"
	else
		# we reach here if archive is encrypted, or broken, or an incomplete part
		pass=-p"$(Xdialog --stdout --password --title "Archive password" --inputbox "Enter archive password:" 8 30 | grep -o '\<.*\>')"
		if test "$pass" != '-p'
		then
			# extract encrypted archive using password
			if 7z x "-o$2" "-y" "$pass" "$1"
			then
				success "$2"
			elif test "$(du -s "$2" | awk '{ print $1 }')" = 0
			then
				rm -rf "$2"
				error "Bad password"
			else
				error "Broken archive"
			fi
		else
			# clicking cancel and incomplete part archive lead here
			if test "$(du -s "$2" | awk '{ print $1 }')" = 0
			then
				rm -rf "$2"
			fi
			exit 1
		fi
	fi
}

mkorfail() # directory
{
	if ! mkdir "$1"
	then
		error "$1 exists"
	fi
}

# handle tar archives first
if 7z l "$@" | grep 'Type = tar'
then
	mkorfail "$newdir"
	if tar -C "$newdir" -xf "$@"
	then
		success "$newdir"
	else
		error "Broken archive"
	fi
fi

# handle lzip archives next
if test '0000000 114 132 111 120' = "$(od -N4 -b "$@" | head -n1)"
then
	if echo "$newdir" | grep '\.tar$'
	then
		newdir="$(echo "$newdir" | sed 's|\.tar$||')"
	fi
	mkorfail "$newdir"
	# assume it contains a tar
	if plzip -cd "$@" | tar -C "$newdir" -xf -
	then
		success "$newdir"
	else
		# it may not contain a tar
		if plzip -cd "$@" > "$newdir/$(basename "$newdir")"
		then
			success "$newdir"
		else
			# it is corrupt so try to fix it
			if lziprecover -R "$@"
			then
				error "Broken archive has been fixed so check it"
			else
				error "Broken archive"
			fi
		fi
	fi
fi

# handle all other archive types
if 7z l "$@" | tail -n 1 | grep '1 files, 0 folders'
then
	if 7z l "$@" | tail -n 3 | head -n 1 | awk '{ print $NF }' | grep '\.tar$'
	then
		# it contains a tar, assume no password, check and fix newdir name
		if echo "$newdir" | grep '\.tar$'
		then
			newdir="$(echo "$newdir" | sed 's|\.tar$||')"
		fi
		mkorfail "$newdir"
		if 7z x -so "$@" | tar -C "$newdir" -xf -
		then
			success "$newdir"
		elif test "$(du -s "$newdir" | awk '{ print $1 }')" = 0
		then
			extract "$@" "$newdir"
		else
			error "Broken archive"
		fi
	else
		mkorfail "$newdir"
		extract "$@" "$newdir"
	fi
else
	mkorfail "$newdir"
	extract "$@" "$newdir"
fi
Code:
#!/bin/sh
# use 7z and tar to create archives, and Xdialog for gui

success()
{
	Xdialog --title "Success" --msgbox "Compression successful" 5 30
	exit 0
}

error() # error
{
	Xdialog --title "Error" --msgbox "$1" 0 0
	exit 1
}

# file or directory
if test -f "$@"
then
	format="$(Xdialog --stdout --title "Compress file" --menu "Choose compression:" 0 0 0 "lz" "lzip" "gz" "gzip" "bz2" "bzip2" "xz" "xz" "7z" "7zip (no pass)" "7z-pass" "7zip (with pass)" "zip" "zip (no pass)" "zip-pass" "zip (with pass)")"
elif test -d "$@"
then
	format="$(Xdialog --stdout --title "Compress directory" --menu "Choose compression:" 0 0 0 "tlz" "tar.lzip" "tgz" "tar.gzip" "tbz" "tar.bzip2" "txz" "tar.xz" "7z" "7zip (no pass)" "7z-pass" "7zip (with pass)" "zip" "zip (no pass)" "zip-pass" "zip (with pass)")"
else
	error "Cannot compress input"
fi

if test -e "$@.$format"
then
	error "$@.$format exists"
else
	case "$format" in
	tlz)
		if tar -C "$@/.." -cf - "$(basename "$@")" | plzip > "$@.$format"
		then
			success
		else
			error "Compression failed"
		fi
	;;
	lz)
		if plzip -k "$@"
		then
			success
		else
			error "Compression failed"
		fi
	;;
	tgz|tbz|txz)
		if tar -C "$@/.." -cf - "$(basename "$@")" | 7za a -si "$@.$format"
		then
			success
		else
			error "Compression failed"
		fi
	;;
	7z-pass|zip-pass)
		# extra test needed
		if test -e "$@.$(echo $format | cut -d- -f1)"
		then
			error "$@.$(echo $format | cut -d- -f1) exists"
		fi

		# get password
		pass=-p"$(Xdialog --stdout --password --title "Archive password" --inputbox "Enter archive password:" 8 30)"
		if test "$pass" != '-p'
		then
			if 7z a "$pass" "$@.$(echo $format | cut -d- -f1)" "$@"
			then
				success
			else
				error "Compression failed"
			fi
		else
			exit 1
		fi
	;;
	*)
		if 7z a "$@.$format" "$@"
		then
			success
		else
			error "Compression failed"
		fi
	;;
	esac
fi
If you want you can remove lzip support which I added to it recently. p7zip doesn't support lzip so more code had to go into it. I think it is worth it for lzip's ability to recover from corruption.

There are other programs you can try:
http://freecode.com/projects/patool
http://freecode.com/projects/peazip
 
Old 04-08-2014, 07:33 PM   #4
Shadow_7
Senior Member
 
Registered: Feb 2003
Distribution: debian
Posts: 4,137
Blog Entries: 1

Rep: Reputation: 875
I tend to mkdir a temp directory and extract the archives while cd'd into the temp directory. The --directory for tar probably does the same thing, not that I've used that method to know for sure. There are options to list the contents of a tar / zip before you extract. And other ways to avoid explosions to the current working directory. The safe route is to assume that archives will ALWAYS expand to the cwd (current working directory).
 
Old 04-08-2014, 11:24 PM   #5
John VV
LQ Muse
 
Registered: Aug 2005
Location: A2 area Mi.
Posts: 17,647

Rep: Reputation: 2655
-- bomb --
http://www.explainxkcd.com/wiki/index.php/1168:_tar

but there is a way to crunch 4+ Tb of "0"'s into an 80 Kb archive
 
Old 04-09-2014, 11:54 AM   #6
metaschima
Senior Member
 
Registered: Dec 2013
Distribution: Slackware
Posts: 1,982

Rep: Reputation: 492
For specifically crafted files you would want to check the extracted size and make sure it is reasonable before extracting. It's not common, so I'm not overly concerned. They are also likely to be stored as sparse files so they are unlikely to cause major problems.

Last edited by metaschima; 04-09-2014 at 11:55 AM.
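
The checks that posts #4 and #6 describe (list the members before extracting, make sure the extracted size is reasonable), as an added example that is not from any poster in this thread; it goes one step further and also rejects member names that are absolute or contain "..". The function names and the 100 MiB `MAX_BYTES` cap are assumptions, and the script assumes a tar that detects compression on its own when reading (GNU tar or bsdtar).

```shell
#!/bin/sh
# Added example, not from the thread. MAX_BYTES is an assumed cap (100 MiB).
MAX_BYTES=${MAX_BYTES:-104857600}

# Member names on stdin; succeeds if any is absolute or has a ".." component.
has_unsafe_name() {
	grep -Eq '^/|(^|/)\.\.(/|$)'
}

# Member names on stdin; prints the number of distinct top-level entries.
count_top_level() {
	sed 's|^\./||' | cut -d/ -f1 | grep -v '^$' | sort -u | wc -l
}

# Prints one verdict: ok, tarbomb, too-big, unsafe-path or broken.
audit_tar() { # archive
	names=$(tar -tf "$1" 2>/dev/null) || { echo broken; return 0; }
	if printf '%s\n' "$names" | has_unsafe_name
	then
		echo unsafe-path; return 0
	fi
	# Stream the file contents into a counter: nothing is written to disk,
	# and head closes the pipe as soon as the cap is passed.
	bytes=$(tar -xOf "$1" 2>/dev/null | head -c "$((MAX_BYTES + 1))" | wc -c)
	if test "$bytes" -gt "$MAX_BYTES"
	then
		echo too-big; return 0
	fi
	if test "$(printf '%s\n' "$names" | count_top_level)" -gt 1
	then
		echo tarbomb; return 0
	fi
	echo ok
}

# Extracts in place when the archive is tidy, into a new directory named
# after the archive when it is a tarbomb, and refuses anything else.
safe_untar() { # archive
	verdict=$(audit_tar "$1")
	case "$verdict" in
	ok) tar -xf "$1" ;;
	tarbomb)
		dir=$(basename "$1"); dir=${dir%.*}; dir=${dir%.tar}
		mkdir "$dir" && tar -C "$dir" -xf "$1" ;;
	*) echo "refusing to extract $1: $verdict" >&2; return 1 ;;
	esac
}
```

The size check decompresses the archive once without writing anything, so it costs CPU time but no disk space.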
 
Old 04-09-2014, 02:29 PM   #7
brianL
LQ 5k Club
 
Registered: Jan 2006
Location: Oldham, Lancs, England
Distribution: Slackware64 15; SlackwareARM-current (aarch64); Debian 12
Posts: 8,311
Blog Entries: 61

Rep: Reputation: Disabled
Not a script, but this sounds as if it might be what you're looking for:
http://slackbuilds.org/repository/14.1/system/atool/

Last edited by brianL; 04-09-2014 at 02:32 PM.
 
1 members found this post helpful.
Old 04-10-2014, 12:37 PM   #8
Myk267
Member
 
Registered: Apr 2012
Location: California
Posts: 422

Original Poster
Blog Entries: 16

Rep: Reputation: Disabled
Quote:
Originally Posted by brianL View Post
Not a script, but this sounds as if it might be what you're looking for:
http://slackbuilds.org/repository/14.1/system/atool/
That is golden! And indeed, it's written in perl.

Thanks a bunch guys.
 
  



Tags
atool, aunpack

