--uid,--gid don't validate their argument #1068

danielshahaf opened this Issue Sep 22, 2018 · 0 comments



danielshahaf commented Sep 22, 2018

Basic Information
Version of libarchive: 3.2.2-5 Debian package (tested); latest HEAD (source inspection)
How you obtained it: Built from source
Operating system and version: Debian stretch
What compiler and/or IDE you are using (include version): clang version 3.8.1-24

Description of the problem you are seeing:
What did you do? bsdtar --uid=foo (literally)
What did you expect to happen? Error message: 'foo' is not an integer
What actually happened? Behaved as though --uid=0 was passed
What log files or error messages were produced? errno was 0 both before and after the atoi() call

How the libarchive developers can reproduce your problem:
What other software was involved? N/A
What other files were involved? N/A
How can we obtain any of the above? N/A

The argument to bsdtar's --uid option is parsed as follows:


Lines 650 to 656 in 23b142e

    case OPTION_UID: /* cpio */
        t = atoi(bsdtar->argument);
        if (t < 0)
            lafe_errc(1, 0,
                "Argument to --uid must be positive");
        bsdtar->uid = t;

When the argument isn't numeric, atoi() returns 0 and bsdtar->uid is set to zero. I expect an error message instead.

All of the above applies to --gid as well.

@mmatuska mmatuska closed this in c16ce12 Sep 22, 2018
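An added example, not part of the issue and not libarchive's code or the fix in c16ce12: a strict strtol()-based parser that rejects the inputs atoi() silently maps to 0, which for --uid/--gid means the root id. The helper name `parse_id_strict` and the bound `ID_MAX` are assumptions made for illustration.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed upper bound for an id; adjust to the platform's uid_t/gid_t. */
#define ID_MAX INT_MAX

/*
 * Hypothetical helper: parse a decimal uid/gid argument strictly.
 * Returns 0 and stores the value in *out on success, -1 on invalid input
 * (empty, non-digit first character, trailing garbage, overflow, too large).
 */
static int
parse_id_strict(const char *s, long *out)
{
	char *end;
	long v;

	if (s == NULL || !isdigit((unsigned char)s[0]))
		return (-1);	/* rejects "", "foo", "-1", "+1", " 1" */
	errno = 0;
	v = strtol(s, &end, 10);
	if (errno == ERANGE || *end != '\0' || v > ID_MAX)
		return (-1);	/* overflow, "12abc", or above ID_MAX */
	*out = v;
	return (0);
}

int
main(void)
{
	/* Constructed sample arguments, as they might follow --uid= */
	const char *samples[] = { "1000", "0", "foo", "", "12abc", "-1" };
	size_t i;
	long v;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		/* atoi() cannot distinguish "0" from "foo" or "": all yield 0 */
		if (parse_id_strict(samples[i], &v) == 0)
			printf("'%s': atoi=%d strict=%ld\n", samples[i], atoi(samples[i]), v);
		else
			printf("'%s': atoi=%d strict=rejected\n", samples[i], atoi(samples[i]));
	}
	return (0);
}
```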
