

GNU tar happily connects to remote hosts, depending on filename - fooyc

Today I Learned:

    $ tar xvzf wtf:foo.tar
    tar (child): Cannot connect to wtf: resolve failed

Apparently the ":" in the filename tells tar to connect to "wtf" using the "rsh" command (aliased to "ssh").

There is no mention of this in the man page: http://linuxcommand.org/lc3_man_pages/tar1.html ; apart from the rather surprising --rsh-command and --rmt-command options.

This actually is documented in the "info" pages:

http://www.gnu.org/software/tar/manual/tar.html#SEC152 :

    ‘-f [hostname:]file’
    ‘--file=[hostname:]file’

        Use archive file or device file on hostname.

    If the file name contains a ‘:’, it is interpreted as ‘hostname:file
    name’. If the hostname contains an at sign (‘@’), it is treated as
    ‘user@hostname:file name’. In either case, tar will invoke the command
    rsh (or remsh) to start up an /usr/libexec/rmt on the remote machine

Isn't it dangerous that a random filename could trigger "tar" to connect to remote hosts?
======
munimkazia
It doesn't look particularly dangerous, but it could be irritating if your
filename has a colon character in it. Still, I never heard of this usage of
tar before, and I routinely manage several score Linux servers. Pretty
surprising.

------
kwhitefoot
In what way? I mean to say that I could probably think of something, but do
you have some specific danger in mind?

~~~
mjn
The colon's a legal character in Unix filenames, so it's possible someone
could send you a file named somehostname:foo.tar and convince you to run tar
on it. Of course, if you quote the filename or escape the \:, as bash
autocompletion would do, it wouldn't be an issue, but I could imagine some
possible scenario.

~~~
pjungwir
I don't see how quoting or a shell-level backslash would change tar's behavior
to something safe. Tar would still see a colon in its argv either way. Right?

~~~
pankkake
No, it would see \:
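
Added example, not part of the thread: the shell removes quotes and backslashes before tar is executed, so every spelling below reaches tar as the same argv string with the colon intact. The helper names are hypothetical; `--force-local` is GNU tar's option for treating a colon-containing archive name as local, and the `./` prefix assumes GNU tar only reads a name as remote when no `/` precedes the first colon.

```shell
# Added example; function names are hypothetical, not from GNU tar.

# Print the exact string a child process receives as argv[1].
# Quotes and backslash escapes are consumed by the shell before exec.
argv_seen() { printf '%s' "$1"; }

# Succeeds if the name would be read as host:file.
# Assumed rule: a colon that is not the first character and has no '/'
# anywhere before it.
looks_remote() {
  local head
  case $1 in *:*) ;; *) return 1 ;; esac   # no colon at all: local
  head=${1%%:*}                            # text before the first colon
  [ -n "$head" ] || return 1               # leading colon: no host part
  case $head in */*) return 1 ;; esac      # a '/' precedes the colon
  return 0
}

# Return a spelling of the same path that cannot be parsed as host:file.
local_archive_path() {
  if looks_remote "$1"; then
    printf './%s' "$1"
  else
    printf '%s' "$1"
  fi
}

# Extract an archive whose name is untrusted, never contacting a host.
# Usage: safe_extract ARCHIVE DESTDIR   (requires GNU tar)
safe_extract() {
  tar --force-local -xf "$(local_archive_path "$1")" -C "$2"
}

# Constructed sample: the thread's file name, spelled three ways.
# All three words are identical by the time the loop body sees them.
for spelled in wtf:foo.tar 'wtf:foo.tar' wtf\:foo.tar; do
  printf 'argv: %s  safe: %s\n' \
    "$(argv_seen "$spelled")" "$(local_archive_path "$spelled")"
done
```
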

