- Package:
- bsdtar
- Source:
- libarchive
- Submitter:
- Jakub Wilk
- Date:
- 2025-07-28 20:27:03 UTC
- Severity:
- minor
- Tags:
I wanted to create a tar archive with a path that had multiple leading slashes[0]. But this doesn't seem to be possible with bsdtar: $ bsdtar -Pcf test.tar //bin/true && tar -Ptf test.tar /bin/true For comparison, GNU tar is happy to create such an archive: $ tar -Pcf test.tar //bin/true && tar -Ptf test.tar //bin/true [0] In case you wonder why would anyone want to do that: I'm trying to craft archives for testing various archive extraction software against directory traversal: https://bitbucket.org/jwilk/path-traversal-samples
control: tag -1 + confirmed upstream control: forward -1 https://github.com/libarchive/libarchive/issues/740 Hi, Thanks for taking a look at libarchive and bsdtar for your tests! Well, I do understand your case, and I forwarded it to the upstream GitHub issue tracker. However, the fact remains that this behavior: - has been with libarchive since pretty much the very beginning, or at least the moment when it was broken out of FreeBSD as a standalone project, and - there are arguments in favor of the current behavior: in the common case multiple slashes are, at best, useless, and, at worst, harmful on, say, Windows with its //hostname/path network share syntax So let's see what the upstream authors say; in the worst case we may decide to carry this as a Debian-specific patch for the benefit of compatibility with GNU tar, but, to be honest, I see a couple of potential drawbacks with this approach, too; some might even mumble something about "gratuitous differences in behavior" and "POLA violations" when writing portable scripts using bsdtar :) Still, thanks for reporting this and for doing the path traversal tests at all! G'luck, Peter
control: tag -1 + confirmed upstream control: forward -1 https://github.com/libarchive/libarchive/issues/740 Hi, Thanks for taking a look at libarchive and bsdtar for your tests! Well, I do understand your case, and I forwarded it to the upstream GitHub issue tracker. However, the fact remains that this behavior: - has been with libarchive since pretty much the very beginning, or at least the moment when it was broken out of FreeBSD as a standalone project, and - there are arguments in favor of the current behavior: in the common case multiple slashes are, at best, useless, and, at worst, harmful on, say, Windows with its //hostname/path network share syntax So let's see what the upstream authors say; in the worst case we may decide to carry this as a Debian-specific patch for the benefit of compatibility with GNU tar, but, to be honest, I see a couple of potential drawbacks with this approach, too; some might even mumble something about "gratuitous differences in behavior" and "POLA violations" when writing portable scripts using bsdtar :) Still, thanks for reporting this and for doing the path traversal tests at all! G'luck, Peter
Hi Peter! Thanks for forwarding the bug. * Peter Pentchev <roam@ringlet.net>, 2016-07-09, 02:29: Yeah, let's not go this way.
* Jakub Wilk <jwilk@debian.org>, 2015-01-02, 22:07: I no longer use bsdtar, so feel free to close this bug.