TarFile fails to extract even when symbolic link references into the output directory #77303

@tmds

I already have an open issue about TarFile not wanting to create symbolic links that point outside the output directory: #74140.

Triggered by #77096, I was curious to see if podman would have the same issue as docker.

I did:

$ podman pull hello-world
$ podman save hello-world -o hello-world.tar # uncompressed when saving a local image

The resulting archive fails to extract:

Unhandled exception. System.IO.IOException: Extracting the Tar entry '../8e128b102ca8161cb297e3aa73240b8e537af67422fd4c22bf43c296c91d13ad.tar' would have resulted in a link target outside the specified destination directory: '/tmp/bca4a72dc384466ab6abd59cc585bd5a'
   at System.Formats.Tar.TarEntry.GetDestinationAndLinkPaths(String destinationDirectoryPath)
   at System.Formats.Tar.TarEntry.ExtractRelativeToDirectoryAsync(String destinationDirectoryPath, Boolean overwrite, SortedDictionary`2 pendingModes, CancellationToken cancellationToken)
   at System.Formats.Tar.TarFile.ExtractToDirectoryInternalAsync(Stream source, String destinationDirectoryPath, Boolean overwriteFiles, Boolean leaveOpen, CancellationToken cancellationToken)
   at System.Formats.Tar.TarFile.ExtractToDirectoryInternalAsync(Stream source, String destinationDirectoryPath, Boolean overwriteFiles, Boolean leaveOpen, CancellationToken cancellationToken)
   at Program.<Main>$(String[] args) in /tmp/console/Program.cs:line 6
   at Program.<Main>(String[] args)

The symbolic link it considers problematic is actually still pointing inside the output directory.
These are the archive entries:

8e128b102ca8161cb297e3aa73240b8e537af67422fd4c22bf43c296c91d13ad.tar(RegularFile) -> 
c0e8b50899a56dcd91634bfbb7a8336f2c0f6f6a9bbb5ad9b747dc1547aaa9f4.json(RegularFile) -> 
00335d90e4f471aae0fdbae54765dd7a5a1cb276c55c2fc75bf64ab20c5c97d1/layer.tar(SymbolicLink) -> ../8e128b102ca8161cb297e3aa73240b8e537af67422fd4c22bf43c296c91d13ad.tar
00335d90e4f471aae0fdbae54765dd7a5a1cb276c55c2fc75bf64ab20c5c97d1/VERSION(RegularFile) -> 
00335d90e4f471aae0fdbae54765dd7a5a1cb276c55c2fc75bf64ab20c5c97d1/json(RegularFile) -> 
manifest.json(RegularFile) -> 
repositories(RegularFile) -> 

cc @carlossanlop @jozkee @am11
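
The containment check the report turns on, as an added example (not part of the original issue and not code from System.Formats.Tar): a relative symbolic link target is resolved from the directory that holds the link and only then compared with the destination. `LinkCheck`, its methods and `/tmp/extract-root` are hypothetical; the root-relative resolution is included only as a contrast and is an assumption, since the page does not say how `TarEntry` computes the path.

```csharp
using System;
using System.IO;

// Constructed destination; the entry name and link target are the ones listed in the issue.
string dest = "/tmp/extract-root";
string entry = "00335d90e4f471aae0fdbae54765dd7a5a1cb276c55c2fc75bf64ab20c5c97d1/layer.tar";
string target = "../8e128b102ca8161cb297e3aa73240b8e537af67422fd4c22bf43c296c91d13ad.tar";

// Resolved from the link's own directory, the way the OS follows a relative symlink.
string fromLinkDir = LinkCheck.ResolveFromLinkDirectory(dest, entry, target);
Console.WriteLine($"{fromLinkDir} inside={LinkCheck.IsInside(dest, fromLinkDir)}");

// Contrast (assumption, not taken from the runtime source): resolving the same
// target from the destination root lands one level above the destination.
string fromRoot = Path.GetFullPath(Path.Combine(dest, target));
Console.WriteLine($"{fromRoot} inside={LinkCheck.IsInside(dest, fromRoot)}");

// Constructed entries that must still be rejected: one climbs out, one is absolute.
foreach (var (name, link) in new[] { ("a/link", "../../outside.txt"), ("a/abs", "/etc/hostname") })
{
    string resolved = LinkCheck.ResolveFromLinkDirectory(dest, name, link);
    Console.WriteLine($"{name} -> {link}: inside={LinkCheck.IsInside(dest, resolved)}");
}

static class LinkCheck
{
    // Full path the link would point at once the entry is written below 'destination'.
    public static string ResolveFromLinkDirectory(string destination, string entryName, string linkTarget)
    {
        string linkPath = Path.GetFullPath(Path.Combine(destination, entryName));
        string linkDir = Path.GetDirectoryName(linkPath) ?? destination;
        // Path.Combine returns linkTarget unchanged when it is rooted, so absolute
        // targets are kept as-is and fail the containment check below.
        return Path.GetFullPath(Path.Combine(linkDir, linkTarget));
    }

    // True when 'path' is the destination itself or lies below it. Comparing with a
    // trailing separator keeps a sibling such as "/tmp/extract-root-x" from matching.
    public static bool IsInside(string destination, string path)
    {
        char sep = Path.DirectorySeparatorChar;
        string root = Path.GetFullPath(destination).TrimEnd(sep) + sep;
        string full = Path.GetFullPath(path).TrimEnd(sep) + sep;
        // Ordinal comparison assumes a case-sensitive file system, as on the Linux host in the report.
        return full.StartsWith(root, StringComparison.Ordinal);
    }
}
```

The check is purely lexical: it does not follow links already present on disk, so an extractor also has to account for an earlier entry that replaced a parent directory with a symbolic link.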
