archive-tar-minitar

Release 0.8

'archive-tar-minitar' has been deprecated; just install 'minitar'. The minitar library is a pure-Ruby library that provides the ability to deal with POSIX tar(1) archive files. This is release 0.7, providing fixes for several issues and clarifying the Minitar security stance. There are two minor breaking changes in this version so that exceptions will be thrown if a negative size is provided in a tar stream header or if the tar stream header is otherwise invalid. This release continues the migration and modernization of the code: * the licence has been changed to match the modern Ruby licensing scheme (Ruby and Simplified BSD instead of Ruby and GNU GPL); * the +minitar+ command-line program has been separated into the +minitar-cli+ gem; and * the +archive-tar-minitar+ gem now points to the +minitar+ and +minitar-cli+ gems and discourages its installation. Some of these changes may break existing programs that depend on the internal structure of the minitar library, but every effort has been made to ensure compatibility; inasmuch as is possible, this compatibility will be maintained through the release of minitar 1.0 (which will have strong breaking changes). minitar (previously called Archive::Tar::Minitar) is based heavily on code originally written by Mauricio Julio Fernández Pradier for the rpa-base project.

Homepage Repository Rubygems Ruby Documentation Download

Licenses
Ruby/BSD-2-Clause
Install
gem install archive-tar-minitar -v 0.8

Documentation

minitar

home

github.com/halostatue/minitar/

code

github.com/halostatue/minitar/

bugs

github.com/halostatue/minitar/issues

rdoc

rdoc.info/gems/minitar/

cli

github.com/halostatue/minitar-cli

travis

appveyor

coveralls

Coverage Status

Description

The minitar library is a pure-Ruby library that provides the ability to deal with POSIX tar(1) archive files.

This is release 0.9, adding a minor feature to Minitar.unpack and Minitar::Input#extract_entry that when :fsync => false is provided, fsync will be skipped.

minitar (previously called Archive::Tar::Minitar) is based heavily on code originally written by Mauricio Julio Fernández Pradier for the rpa-base project.

Synopsis

Using minitar is easy. The simplest case is:

require 'minitar'

# Packs everything that matches Find.find('tests').
# test.tar will automatically be closed by Minitar.pack.
Minitar.pack('tests', File.open('test.tar', 'wb'))

# Unpacks 'test.tar' to 'x', creating 'x' if necessary.
Minitar.unpack('test.tar', 'x')

A gzipped tar can be written with:

require 'zlib'
# test.tgz will be closed automatically.
Minitar.pack('tests', Zlib::GzipWriter.new(File.open('test.tgz', 'wb'))

# test.tgz will be closed automatically.
Minitar.unpack(Zlib::GzipReader.new(File.open('test.tgz', 'rb')), 'x')

As the case above shows, one need not write to a file. However, it will sometimes require that one dive a little deeper into the API, as in the case of StringIO objects. Note that I'm not providing a block with Minitar::Output, as Minitar::Output#close automatically closes both the Output object and the wrapped data stream object.

begin
  sgz = Zlib::GzipWriter.new(StringIO.new(String.new))
  tar = Output.new(sgz)
  Find.find('tests') do |entry|
    Minitar.pack_file(entry, tar)
  end
ensure
    # Closes both tar and sgz.
  tar.close
end

Minitar and Security

Minitar aims to be secure by default for the data inside of a tarfile. If there are any security issues discovered, please feel free to open an issue. Should you wish to make a more confidential report, you can find my PGP key information at Keybase. Bear with me: I do not use PGP regularly, so it may take some time to remember the command invocations required to successfully handle this.

Minitar does not perform validation of path names provided to the convenience calsses Minitar::Output and Minitar::Input, which use Kernel.open for their underlying implementations when not given an IO-like object.

Improper use of these classes with arbitrary input filenames may leave your your software to the same class of vulnerability as reported for Net::FTP (CVE-2017-17405). Of particular note, “if the localfile argument starts with the '|' pipe character, the command following the pipe character is executed.”

Additionally, the use of the `open-uri` library (which extends Kernel.open with transparent implementations of Net::HTTP, Net::HTTPS, and Net::FTP), there are other possible vulnerabilities when accepting arbitrary input, as detailed by Egor Homakov.

These security vulnerabilities may be avoided, even with the Minitar::Output and Minitar::Input convenience classes, by providing IO-like objects instead of pathname-like objects as the source or destination of these classes.

minitar Semantic Versioning

The minitar library uses a Semantic Versioning scheme with one change:

  • When PATCH is zero (0), it will be omitted from version references.

Stats

Dependencies
2
Dependent packages
137
Dependent repositories
5.46K
Total releases
5
Latest release
First release
Stars
38
Forks
24
Watchers
6
Contributors
7
Repository size
737 KB
SourceRank
17

Development practices

Source repo 2FA enabled
TEXT!
Package manager 2FA enabled
TEXT!
Is security responsive
TEXT!
Dependencies are managed
TEXT!
Issue-free release available
TEXT!
Succession plan available
TEXT!
Package manager 2FA enabled
TEXT!

The Tidelift Subscription provides access to a continuously curated stream of human-researched and maintainer-verified data on open source packages and their licenses, releases, vulnerabilities, and development practices.

Learn more

Releases

0.8
0.6.1
0.6
0.5.1
0.5.2

Maintainers

austin alan

Contributors

Austin Ziegler Kazuyoshi Kato dearblue Akinori Musha inkstak Kevin McDermott Jorie Tappa


See all contributors

Something wrong with this page? Make a suggestion

Export .ABOUT file for this package

Last synced: 2024-04-05 16:29:10 UTC

Login to resync this project