archive/tar: reject bad key-value pairs for PAX records

We forbid empty keys or keys with '=' because it leads to ambiguous parsing. Relevent PAX specification: <<< A keyword shall not include an <equals-sign>. >>> Also, we forbid the writer from encoding records with an empty value. While, this is a valid record syntactically, the semantics of an empty value is that previous records with that key should be deleted. Since we have no support (and probably never will) for global PAX records, deletion is a non-sensible operation. <<< If the <value> field is zero length, it shall delete any header block field, previously entered extended header value, or global extended header value of the same name. >>> Fixes #20698 Fixes #15567 Change-Id: Ia29c5c6ef2e36cd9e6d7f6cff10e92b96a62f0d1 Reviewed-on: https://go-review.googlesource.com/55571 Reviewed-by: Ian Lance Taylor <iant@golang.org>
2024-10-02 08:18:32 -06:00 · 2017-08-14 15:57:46 -07:00 · 2017-08-14 15:57:46 -07:00 · 1da0e7e28e
commit 1da0e7e28e
parent 2bcc24e977
3 changed files with 17 additions and 5 deletions
--- a/src/archive/tar/common.go
+++ b/src/archive/tar/common.go
@ -160,7 +160,9 @@ func (h *Header) allowedFormats() (format int, paxHdrs map[string]string) {
 		format &= formatPAX // PAX only
 	}
 	for k, v := range paxHdrs {
-		if !validPAXRecord(k, v) {
+		// Forbid empty values (which represent deletion) since usage of
+		// them are non-sensible without global PAX record support.
+		if !validPAXRecord(k, v) || v == "" {
 			return formatUnknown, nil // Invalid PAX key
 		}
 	}
--- a/src/archive/tar/strconv.go
+++ b/src/archive/tar/strconv.go
@ -240,9 +240,6 @@ func formatPAXTime(ts time.Time) (s string) {
 // parsePAXRecord parses the input PAX record string into a key-value pair.
 // If parsing is successful, it will slice off the currently read record and
 // return the remainder as r.
-//
-// A PAX record is of the following form:
-//	"%d %s=%s\n" % (size, key, value)
 func parsePAXRecord(s string) (k, v, r string, err error) {
 	// The size field ends at the first space.
 	sp := strings.IndexByte(s, ' ')
@ -295,12 +292,19 @@ func formatPAXRecord(k, v string) (string, error) {
 	return record, nil
 }

-// validPAXRecord reports whether the key-value pair is valid.
+// validPAXRecord reports whether the key-value pair is valid where each
+// record is formatted as:
+//	"%d %s=%s\n" % (size, key, value)
+//
 // Keys and values should be UTF-8, but the number of bad writers out there
 // forces us to be a more liberal.
 // Thus, we only reject all keys with NUL, and only reject NULs in values
 // for the PAX version of the USTAR string fields.
+// The key must not contain an '=' character.
 func validPAXRecord(k, v string) bool {
+	if k == "" || strings.IndexByte(k, '=') >= 0 {
+		return false
+	}
 	switch k {
 	case paxPath, paxLinkpath, paxUname, paxGname:
 		return strings.IndexByte(v, 0) < 0
--- a/src/archive/tar/tar_test.go
+++ b/src/archive/tar/tar_test.go
@ -438,6 +438,12 @@ func TestHeaderAllowedFormats(t *testing.T) {
 		header:  &Header{Xattrs: map[string]string{"用戶名": "\x00hello"}},
 		paxHdrs: map[string]string{paxXattr + "用戶名": "\x00hello"},
 		formats: formatPAX,
+	}, {
+		header:  &Header{Xattrs: map[string]string{"foo=bar": "baz"}},
+		formats: formatUnknown,
+	}, {
+		header:  &Header{Xattrs: map[string]string{"foo": ""}},
+		formats: formatUnknown,
 	}, {
 		header:  &Header{ModTime: time.Unix(0, 0)},
 		formats: formatUSTAR | formatPAX | formatGNU,