This is the mail archive of the
binutils@sourceware.org
mailing list for the binutils project.
Re: Add ar --output
- From: Fangrui Song <i at maskray dot me>
- To: Nick Clifton <nickc at redhat dot com>
- Cc: binutils at sourceware dot org
- Date: Sat, 2 Nov 2019 10:01:56 -0700
- Subject: Re: Add ar --output
- References: <20191025061359.26fmpvlx3l6xww2k@gmail.com> <2d235e79-16c2-d61a-90d0-56eb40eab573@redhat.com> <20191029175203.k4vk5awdtjnkdmvu@gmail.com> <02939d25-1ea7-6963-f77f-807c0932f076@redhat.com>
On 2019-10-30, Nick Clifton wrote:
Hi Fangrui,
I think that the --output option should keep the is_valid_archive_path
check.
Ok, I will leave that it in. If users complain in the future then we can
revisit this decision.
I sent a patch a few days ago:
https://sourceware.org/ml/binutils/2019-10/msg00193.html (both absolute
Oops, sorry, I missed that.
So I have taken your patch, added a few tweaks of my own, and checked in
the following:
Cheers
Nick
binutils/ChangeLog
2019-10-30 Fangrui Song <i@maskray.me>
Nick Clifton <nickc@redhat.com>
* ar.c (emum long option numbers): Declare. Use to provide
numerical values for long options.
(long_options): Add --output option.
(usage): Mention the --output option.
(open_output_file): New function. Create a filepath for an output
file and open it.
(extract_file): Use open_output_file().
(open_output_file):
* testsuite/binutils-all/ar.exp: Add a test of the new feature.
* doc/binutils.texi: Document the new feature.
* NEWS: Mention the new feature.
Hi Nick,
Thanks for pushing this, however, I think the landed commit does not
support absolute paths or paths that contain ..
ar --output=/tmp x a.a file
ar --output=../dir x a.a file
Only the `ar --output=relative/to/pwd x a.a` form is supported.
While I agree that `ar x a.a ../file` and `ar x a.a /tmp/file` may lead
to directory traversal vulnerabilities, I think people who specify
--output will likely use an absolute path or a path containing ..