Seth Michael Larson: GZipped files and streams may contain names
It's just another day, you're sending a bunch of files to a friend. For no particular reason you decide to name the archive with your controversial movie opinions:
Realizing you'd be sharing this file with others, you decide to rename the file.
That's better! Now your secret is safe. You share the tarball with your colleague who notes your "good taste" in movies and proceeds to extract the archive.
Uh oh, your secret is out! The decompressed .tar file was named i-did-not-care-for-the-godfather.tar instead of i-love-the-godfather.tar like we intended. How could this happen?
It turns out that GZip streams have fields for information about the original file, including the filename, modified timestamp, and comments. This means GZip streams can leak secret information if it's contained within the file metadata. Luckily, tar (when using $ tar -czf, which is the typical workflow) doesn't preserve the original filename in the GZip stream the way the gzip and gunzip commands do.
If you do have to use gzip, use the --no-name option to strip this information from the GZip stream. Use a hex editor to check a GZip compressed file if you are unsure.
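As an added example (not code from the original post), here is a Python script that performs the same header check programmatically: it parses the RFC 1952 header for the FNAME, FCOMMENT and MTIME fields, and compares a stream written with a filename (like plain gzip) against one written like gzip --no-name. The sample payload and filename are constructed.

```python
import gzip
import io
import struct

# Bit flags in the FLG byte of a gzip member header (RFC 1952, section 2.3.1).
FTEXT, FHCRC, FEXTRA, FNAME, FCOMMENT = 0x01, 0x02, 0x04, 0x08, 0x10


def gzip_header_metadata(data: bytes) -> dict:
    """Return the filename, comment and mtime stored in a gzip member header."""
    if data[:2] != b"\x1f\x8b":
        raise ValueError("not a gzip stream")
    flags = data[3]
    mtime = struct.unpack("<I", data[4:8])[0]  # seconds since epoch, 0 = unset
    pos = 10  # fixed header: ID1 ID2 CM FLG MTIME(4) XFL OS
    if flags & FEXTRA:  # skip the optional extra field
        (xlen,) = struct.unpack("<H", data[pos:pos + 2])
        pos += 2 + xlen

    def read_zstr(p: int) -> tuple:
        # FNAME and FCOMMENT are zero-terminated ISO-8859-1 strings
        end = data.index(b"\x00", p)
        return data[p:end].decode("latin-1"), end + 1

    name = comment = None
    if flags & FNAME:
        name, pos = read_zstr(pos)
    if flags & FCOMMENT:
        comment, pos = read_zstr(pos)
    return {"filename": name, "comment": comment, "mtime": mtime}


def compress_with_name(payload: bytes, filename: str) -> bytes:
    """Like a plain `gzip FILE`: the original filename is written into the header."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb", filename=filename) as gz:
        gz.write(payload)
    return buf.getvalue()


def compress_without_name(payload: bytes) -> bytes:
    """Like `gzip --no-name`: no FNAME field and a zeroed MTIME."""
    return gzip.compress(payload, mtime=0)


if __name__ == "__main__":
    # Constructed sample data standing in for the tarball from the post.
    secret = b"tar archive contents (constructed sample)"
    leaky = compress_with_name(secret, "i-did-not-care-for-the-godfather.tar")
    print(gzip_header_metadata(leaky))                          # filename is present
    print(gzip_header_metadata(compress_without_name(secret)))  # filename is None
```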
https://sethmlarson.dev/gzip-files-and-streams-may-contain-names?utm_campaign=rss