Add ar --output
Fangrui Song
i@maskray.me
Sat Nov 2 17:02:00 GMT 2019
On 2019-10-30, Nick Clifton wrote:
>Hi Fangrui,
>
>> I think that the --output option should keep the is_valid_archive_path
>> check.
>
>Ok, I will leave that it in. If users complain in the future then we can
>revisit this decision.
>
>> I sent a patch a few days ago:
>> https://sourceware.org/ml/binutils/2019-10/msg00193.html (both absolute
>
>Oops, sorry, I missed that.
>
>So I have taken your patch, added a few tweaks of my own, and checked in
>the following:
>
>Cheers
> Nick
>
>binutils/ChangeLog
>2019-10-30 Fangrui Song <i@maskray.me>
> Nick Clifton <nickc@redhat.com>
>
> * ar.c (emum long option numbers): Declare. Use to provide
> numerical values for long options.
> (long_options): Add --output option.
> (usage): Mention the --output option.
> (open_output_file): New function. Create a filepath for an output
> file and open it.
> (extract_file): Use open_output_file().
> (open_output_file):
> * testsuite/binutils-all/ar.exp: Add a test of the new feature.
> * doc/binutils.texi: Document the new feature.
> * NEWS: Mention the new feature.
Hi Nick,
Thanks for pushing this, however, I think the landed commit does not
support absolute paths or paths that contain ..
ar --output=/tmp x a.a file
ar --output=../dir x a.a file
Only the `ar --output=relative/to/pwd x a.a` form is supported.
While I agree that `ar x a.a ../file` and `ar x a.a /tmp/file` may lead
to directory traversal vulnerabilities, I think people who specify
--output will likely use an absolute path or a path containing ..
More information about the Binutils
mailing list