• libarchive disallowed filenames

    From Nightfox@DIGDIST to Digital Man on Saturday, May 14, 2022 14:34:10
    Hi DM,

    Just recently I was updating my archive viewer door to use Synchronet's Archive class (if possible) to view/extract archives. I'm using a try/catch with the Archive object, and for a few zip files, I noticed it threw an exception when extracting them due to disallowed filenames inside the zip file. For example, RIPTM154.ZIP is RIPTerm, and the following exception error was given when trying to extract it with Archive:

    RIPTM154.ZIP: Error: disallowed filename '3&HALF10.ICN' (after extracting 165 items successfully)

    Also, TM421-4.zip is the 4th zip file for Telemate, and Archivew threw an exception with this error:

    TM421-4.ZIP: Error: disallowed filename 'AT&T.SCR' (after extracting 20 items successfully)

    I don't seem to have these filenames in any of my configuration files. I checked my text/file.can, but the only filename I have in there is Photo.scr. It seems like Synchronet has a built-in list of disallowed filenames for files inside archives?
    I'm guessing those filenames are disallowed because of the & in their names? I imagine they were disallowed because & can be problematic in filenames for some filesystems?

    Nightfox

    ---
    ■ Synchronet ■ Digital Distortion: digitaldistortionbbs.com
  • From Digital Man to Nightfox on Sunday, May 15, 2022 23:08:49
    Re: libarchive disallowed filenames
    By: Nightfox to Digital Man on Sat May 14 2022 02:34 pm

    Hi DM,

    Just recently I was updating my archive viewer door to use Synchronet's Archive class (if possible) to view/extract archives. I'm using a try/catch with the Archive object, and for a few zip files, I noticed it threw an exception when extracting them due to disallowed filenames inside the zip file. For example, RIPTM154.ZIP is RIPTerm, and the following exception error was given when trying to extract it with Archive:

    RIPTM154.ZIP: Error: disallowed filename '3&HALF10.ICN' (after extracting 165 items successfully)

    Also, TM421-4.zip is the 4th zip file for Telemate, and Archivew threw an exception with this error:

    TM421-4.ZIP: Error: disallowed filename 'AT&T.SCR' (after extracting 20 items successfully)

    I don't seem to have these filenames in any of my configuration files. I checked my text/file.can, but the only filename I have in there is Photo.scr. It seems like Synchronet has a built-in list of disallowed filenames for files inside archives?

    Yes,
    #define SAFEST_FILENAME_CHARS "-._0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

    These are the allowed filename characters unless you're extracting with path information, in which case, you trust this archive and any filename chars are allowed.

    I'm guessing those filenames are disallowed because of the & in their names?

    Correct.

    I imagine they were disallowed because & can be problematic in filenames for some filesystems?

    Problematic for *nix shell command-lines where '&' means to execute in the background. There can be work-arounds (e.g. escaping with a backslash) and it's not an issue unless you're passing the filename on a command-line in the first place.

    I can make the allowed filename characters an option to Archive.extract() and likely I was already planning to do that, but didn't get to it yet.
    --
    digital man (rob)

    Breaking Bad quote #18:
    Already, Operation: TBD, thanks for nothing Gomey. - Hank Schrader
    Norco, CA WX: 63.7°F, 61.0% humidity, 0 mph E wind, 0.00 inches rain/24hrs
  • From Nightfox@DIGDIST to Digital Man on Tuesday, May 17, 2022 08:52:45
    Re: libarchive disallowed filenames
    By: Digital Man to Nightfox on Sun May 15 2022 11:08 pm

    TM421-4.ZIP: Error: disallowed filename 'AT&T.SCR' (after extracting
    20 items successfully)


    Yes,
    #define SAFEST_FILENAME_CHARS "-._0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

    These are the allowed filename characters unless you're extracting with path information, in which case, you trust this archive and any filename chars are allowed.

    Problematic for *nix shell command-lines where '&' means to execute in the background. There can be work-arounds (e.g. escaping with a backslash) and it's not an issue unless you're passing the filename on a command-line in the first place.

    Makes sense. Thanks.

    Nightfox

    ---
    ■ Synchronet ■ Digital Distortion: digitaldistortionbbs.com