[Rubygems-developers] Bug in RubyGems/rpa-base's restricted implementation of tar?
Mauricio Fernández
batsman.geo at yahoo.com
Mon Aug 23 18:08:50 EDT 2004
On Mon, Aug 23, 2004 at 01:53:10PM +0200, Mauricio Fernández wrote:
> <Austin__> chad: probably. he was space-padding instead of null-padding.
It seems that bug (in the writer) wasn't really there, but I've found
another fairly subtle one (in the tar reader).
Here's a patch for the test case showcasing the bug (it corresponds to
the rpa-base tree so I don't know if it will apply cleanly to RubyGems',
but it should, if you rename the files in the preamble):
--- tc_Package.rb (revision 695)
+++ tc_Package.rb (working copy)
@@ -141,6 +141,14 @@
assert_equal("", h.prefix)
assert_equal("ustar", h.magic)
end
+
+ def test_new_from_stream_with_evil_name
+ header = tar_file_header("a \0" + "\0" * 97, "", 012345, 10)
+ h = nil
+ header = StringIO.new header
+ assert_nothing_raised{ h = TarHeader.new_from_stream header }
+ assert_equal("a ", h.name)
+ end
end
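Review bot: test_new_from_stream_with_evil_name checks only one shape of the input, a single trailing space in the name followed by NUL padding. Consider adding a name with several trailing spaces, a name that fills all 100 bytes with no NUL, and the same trailing-space case for prefix, which the preceding test shows is read from the same header. A name such as test_new_from_stream_with_trailing_space_in_name would also say what is being checked, which "evil" does not.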
In cleartext, when reading a tar archive, files whose name contains
trailing spaces are silently renamed (in the example above "a " becomes
"a"). It is not very likely that this will bite anybody in practice
(I don't remember having seen a filename with *trailing* spaces ever),
since I doubt anybody would create a gem containing such an entry, but I
shall show no mercy towards this bug and it will be squashed tomorrow :-)
I'm soon providing a patch for this...
--
Running Debian GNU/Linux Sid (unstable)
batsman dot geo at yahoo dot com
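
One way a tar reader can lose trailing spaces, as an added Ruby example (not rpa-base or RubyGems code, and not taken from the message above). It assumes the name field is decoded with String#unpack, where the "A" directive strips trailing spaces and NULs while "Z" stops at the first NUL; the helper names are hypothetical and the header fields are constructed.

```ruby
# Added illustration; helper names are hypothetical, sample fields are constructed.
NAME_FIELD = 100 # width in bytes of the name field at the start of a tar header

# Build a constructed name field: the name followed by NUL padding.
def name_field(name)
  raise ArgumentError, "name too long" if name.bytesize > NAME_FIELD
  [name].pack("a#{NAME_FIELD}")
end

# Lossy reader (assumed cause): "A" strips every trailing space and NUL.
def read_name_lossy(field)
  field.unpack("A#{NAME_FIELD}").first
end

# Exact reader: "Z" stops at the first NUL and keeps spaces before it.
def read_name_exact(field)
  field.unpack("Z#{NAME_FIELD}").first
end

# True when a name written into a header is read back unchanged.
def name_survives?(name, reader)
  send(reader, name_field(name)) == name
end

# Groups of distinct entry names that the reader maps to one parsed name.
# A non-empty result means two archive entries would land on the same path.
def collisions(names, reader)
  names.group_by { |n| send(reader, name_field(n)) }
       .select { |_, originals| originals.size > 1 }
end

if __FILE__ == $0
  entries = ["a", "a ", "b"] # constructed entry names
  %i[read_name_lossy read_name_exact].each do |reader|
    puts "#{reader}: 'a ' survives? #{name_survives?('a ', reader)}, " \
         "collisions: #{collisions(entries, reader).values.inspect}"
  end
end
```
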