[Toybox] tar -I
Rob Landley
rob at landley.net
Thu Jan 16 20:18:24 PST 2025
On 1/16/25 14:49, enh wrote:
> TIL that apparently gnu tar's -I can be something like "prog -a -b
> -c", not just "prog".
According to strace, it's running it through /bin/bash -c:
tar -c -I 'echo $(touch walrus)' walrus.txt | cat
So yes, tar -I '$(rm -rf ~)' would probably be a bad idea.
> (found by someone trying to modify the compression level of the
> archiver they were using.)
I could cut the exec string at spaces, but -I'rm -rf /home' even WITHOUT
the extra parsing also seems kinda iffy. Then again it's already got
--to-command doing xpopen("sh", "-c", TT.to_command) so you can extract
the filename --to-command="rm -rf /home" because gnu.
> is there any precedent for that with other commands?
There are various commands that run their input through /bin/sh -c but
they're mostly things like chroot, linux32, watch, su where "running an
arbitrary command line" is already kinda the point.
(Also, looking at it: su uses pw_shell and the others use /bin/sh, and
the above xpopen() is calling sh out of the $PATH... I should probably
do a lib.c function. If $SHELL is reliably set at login then use that,
otherwise getpwuid(getpid())->pw_shell, and THEN fall back to /bin/sh.)
> i don't know
> whether gnu tar is calling system() or doing its own shell parsing,
strace says /bin/bash -c is getting called.
> but either sounds like a terrible idea. (-I should probably have been
> a list of strings instead.)
Alas, even the list of strings version still isn't safe to let arbitrary
inputs get passed to.
Rob
More information about the Toybox
mailing list