minitar 0.5.4 → 0.6

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 110bdb26f19a848935a086caa42ea6eb583601bb
+  data.tar.gz: 99b2ba5ae2238ed1aa3902287a8fd9520576323e
+SHA512:
+  metadata.gz: daadd21c3c02bfd11bb9a6d7294d0e7bac36410d1c391cc4e97a53b89d6c6cdbf5ee763dc777736460177dc88d9332d82370048bfc8470ca8f2edfd5872e73ee
+  data.tar.gz: 0541e16a13d4516494f4365c0c7e607996c837e192eb5d16754d4f36a21fd8fad847df9f233f59b358be7d164d2794c54fb7312b6e85866450f7147bf9eb9180

data/Code-of-Conduct.md

@@ -0,0 +1,74 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+In the interest of fostering an open and welcoming environment, we as
+contributors and maintainers pledge to making participation in our project and
+our community a harassment-free experience for everyone, regardless of age, body
+size, disability, ethnicity, gender identity and expression, level of experience,
+nationality, personal appearance, race, religion, or sexual identity and
+orientation.
+
+## Our Standards
+
+Examples of behavior that contributes to creating a positive environment
+include:
+
+* Using welcoming and inclusive language
+* Being respectful of differing viewpoints and experiences
+* Gracefully accepting constructive criticism
+* Focusing on what is best for the community
+* Showing empathy towards other community members
+
+Examples of unacceptable behavior by participants include:
+
+* The use of sexualized language or imagery and unwelcome sexual attention or
+advances
+* Trolling, insulting/derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or electronic
+  address, without explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+  professional setting
+
+## Our Responsibilities
+
+Project maintainers are responsible for clarifying the standards of acceptable
+behavior and are expected to take appropriate and fair corrective action in
+response to any instances of unacceptable behavior.
+
+Project maintainers have the right and responsibility to remove, edit, or
+reject comments, commits, code, wiki edits, issues, and other contributions
+that are not aligned to this Code of Conduct, or to ban temporarily or
+permanently any contributor for other behaviors that they deem inappropriate,
+threatening, offensive, or harmful.
+
+## Scope
+
+This Code of Conduct applies both within project spaces and in public spaces
+when an individual is representing the project or its community. Examples of
+representing a project or community include using an official project e-mail
+address, posting via an official social media account, or acting as an appointed
+representative at an online or offline event. Representation of a project may be
+further defined and clarified by project maintainers.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported by contacting the project team at [INSERT EMAIL ADDRESS]. All
+complaints will be reviewed and investigated and will result in a response that
+is deemed necessary and appropriate to the circumstances. The project team is
+obligated to maintain confidentiality with regard to the reporter of an incident.
+Further details of specific enforcement policies may be posted separately.
+
+Project maintainers who do not follow or enforce the Code of Conduct in good
+faith may face temporary or permanent repercussions as determined by other
+members of the project's leadership.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
+available at [http://contributor-covenant.org/version/1/4][version]
+
+[homepage]: http://contributor-covenant.org
+[version]: http://contributor-covenant.org/version/1/4/

data/Contributing.md

@@ -0,0 +1,84 @@
+## Contributing
+
+I value any contribution to minitar you can provide: a bug report, a feature
+request, or code contributions. There are a few guidelines for contributing to
+minitar:
+
+*   Code changes *will not* be accepted without tests. The test suite is
+    written with [Minitest][].
+*   Match my coding style.
+*   Use a thoughtfully-named topic branch that contains your change. Rebase
+    your commits into logical chunks as necessary.
+*   Use [quality commit messages][].
+*   Do not change the version number; when your patch is accepted and a release
+    is made, the version will be updated at that point.
+*   Submit a GitHub pull request with your changes.
+*   New or changed behaviours require appropriate documentation.
+
+### Test Dependencies
+
+minitar uses Ryan Davis’s [Hoe][] to manage the release process, and it adds a
+number of rake tasks. You will mostly be interested in:
+
+    $ rake
+
+which runs the tests the same way that:
+
+    $ rake test
+    $ rake travis
+
+will do.
+
+To assist with the installation of the development dependencies for minitar, I
+have provided the simplest possible Gemfile pointing to the (generated)
+`minitar.gemspec` file. This will permit you to do:
+
+    $ bundle install
+
+to get the development dependencies. If you aleady have `hoe` installed, you
+can accomplish the same thing with:
+
+    $ rake newb
+
+This task will install any missing dependencies, run the tests/specs, and
+generate the RDoc.
+
+You can run tests with code coverage analysis by running:
+
+    $ rake test:coverage
+
+### Workflow
+
+Here's the most direct way to get your work merged into the project:
+
+*   Fork the project.
+*   Clone down your fork (`git clone git://github.com/<username>/minitar.git`).
+*   Create a topic branch to contain your change (`git checkout -b
+    my_awesome_feature`).
+*   Hack away, add tests. Not necessarily in that order.
+*   Make sure everything still passes by running `rake`.
+*   If necessary, rebase your commits into logical chunks, without errors.
+*   Push the branch up (`git push origin my_awesome_feature`).
+*   Create a pull request against halostatue/minitar and describe what your
+    change does and the why you think it should be merged.
+
+### Contributors
+
+*   Austin Ziegler created minitar, based on work originally written by
+    Mauricio Fernández for rpa-base.
+
+Thanks to everyone who has contributed to minitar:
+
+*   Antoine Toulme
+*   Curtis Sampson
+*   Daniel J. Berger
+*   Kazuyoshi Kato
+*   Matthew Kent
+*   Michal Suchanek
+*   Mike Furr
+*   Pete Fritchman
+*   Zach Dennis
+
+[Minitest]: https://github.com/seattlerb/minitest
+[quality commit messages]: http://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html
+[Hoe]: https://github.com/seattlerb/hoe

data/History.md

@@ -0,0 +1,107 @@
+## 0.6 / 2017-02-07
+
+*   Breaking Changes:
+
+    *   Extracted `bin/minitar` into a new gem, `minitar-cli`. No, I am *not*
+        going to bump the major version for this. As far as I can tell, few
+        people use the command-line utility anyway. (Installing
+        `archive-tar-minitar` will install both `minitar` and `minitar-cli`, at
+        least until version 1.0.)
+
+    *   Minitar extraction before 0.6 traverses directories if the tarball
+        includes a relative directory reference, as reported in [#16][] by
+        @ecneladis. This has been disallowed entirely and will throw a
+        SecureRelativePathError when found. Additionally, if the final
+        destination of an entry is an already-existing symbolic link, the
+        existing symbolic link will be removed and the file will be written
+        correctly (on platforms that support symblic links).
+
+*   Enhancements:
+
+    *   Licence change. After speaking with Mauricio Fernández, we have changed
+        the licensing of this library to Ruby and Simplified BSD and have
+        dropped the GNU GPL license. This takes effect from the 0.6 release.
+    *   Printing a deprecation warning for including Archive::Tar to put
+        Minitar in the top-level namespace.
+    *   Printing a deprecation warning for including Archive::Tar::Minitar into
+        a class (Minitar will be a class for version 1.0).
+    *   Moved Archive::Tar::PosixHeader to Archive::Tar::Minitar::PosixHeader
+        with a deprecation warning. Do not depend on
+        Archive::Tar::Minitar::PosixHeader, as it will be moving to
+        ::Minitar::PosixHeader in a future release.
+    *   Added an alias, ::Minitar, for Archive::Tar::Minitar, opted in with
+        `require 'minitar'`. In future releases, this alias will be enabled by
+        default, and the Archive::Tar namespace will be removed entirely for
+        version 1.0.
+    *   Modified the handling of `mtime` in PosixHeader to do an integer
+        conversion (#to_i) so that a Time object can be used instead of the
+        integer value of the time object.
+    *   Writer::RestrictedStream was renamed to Writer::WriteOnlyStream for
+        clarity. No alias or deprecation warning was provided for this as it is
+        an internal implementation detail.
+    *   Writer::BoundedStream was renamed to Writer::BoundedWriteStream for
+        clarity. A deprecation warning is provided on first use because a
+        BoundedWriteStream may raise a BoundedWriteStream::FileOverflow
+        exception.
+    *   Writer::BoundedWriteStream::FileOverflow has been renamed to
+        Writer::WriteBoundaryOverflow and inherits from StandardError instead
+        of RuntimeError. Note that for Ruby 2.0 or higher, an error will be
+        raised when specifying Writer::BoundedWriteStream::FileOverflow because
+        Writer::BoundedWriteStream has been declared a private constant.
+    *   Modified Writer#add_file_simple to accept the data for a
+        file in `opts[:data]`. When `opts[:data]` is provided, a stream block
+        must not be provided. Improved the documentation for this method.
+    *   Modified Writer#add_file to accept `opts[:data]` and transparently call
+        Writer#add_file_simple in this case.
+    *   Methods that require blocks are no longer required, so the
+        Archive::Tar::Minitar::BlockRequired exception has been removed with a
+        warning (this may not work on Ruby 1.8).
+    *   Dramatically reduced the number of strings created when creating a
+        POSIX tarball header.
+    *   Added a helper, Input.each_entry that iterates over each entry in an
+        opened entry object.
+
+*   Bugs:
+
+    *   Fix [#2][] to handle IO streams that are not seekable, such as pipes,
+        STDIN, or STDOUT.
+    *   Fix [#3][] to make the test timezone resilient.
+    *   Fix [#4][] for supporting the reading of tar files with filenames in
+        the GNU long filename extension format. Ported from @atoulme’s fork,
+        originally provided by Curtis Sampson.
+    *   Fix [#6][] by making it raise the correct error for a long filename
+        with no path components.
+    *   Fix [#13][] provided by @fetep fixes an off-by-one error on filename
+        splitting.
+    *   Fix [#14][] provided by @kzys should fix Windows detection issues.
+    *   Fix [#16][] as specified above.
+    *   Fix an issue where Minitar.pack would not include Unix hidden files
+        when creating a tarball.
+
+*   Development:
+
+    *   Modernized minitar tooling around Hoe.
+    *   Added travis and coveralls.
+
+## 0.5.2 / 2008-02-26
+
+* Bugs:
+  * Fixed a Ruby 1.9 compatibility error.
+
+## 0.5.1 / 2004-09-27
+
+* Bugs:
+  * Fixed a variable name error.
+
+## 0.5.0
+
+* Initial release. Does files and directories. Command does create, extract,
+  and list.
+
+[#2]: https://github.com/halostatue/minitar/issues/2
+[#3]: https://github.com/halostatue/minitar/issues/3
+[#4]: https://github.com/halostatue/minitar/issues/4
+[#6]: https://github.com/halostatue/minitar/issues/6
+[#13]: https://github.com/halostatue/minitar/issues/13
+[#14]: https://github.com/halostatue/minitar/issues/14
+[#16]: https://github.com/halostatue/minitar/issues/16

data/Licence.md

@@ -0,0 +1,15 @@
+## Licence
+
+minitar is free software that may be redistributed and/or modified under the
+terms of Ruby’s licence or the Simplified BSD licence.
+
+* Copyright 2004–2017 Austin Ziegler.
+* Portions copyright 2004 Mauricio Julio Fernández Pradier.
+
+### Simplified BSD Licence
+
+See the file docs/bsdl.txt in the main distribution.
+
+### Ruby’s Licence
+
+See the file docs/ruby.txt in the main distribution.

data/Manifest.txt

@@ -0,0 +1,24 @@
+Code-of-Conduct.md
+Contributing.md
+History.md
+Licence.md
+Manifest.txt
+README.rdoc
+Rakefile
+docs/bsdl.txt
+docs/ruby.txt
+lib/archive-tar-minitar.rb
+lib/archive/tar/minitar.rb
+lib/archive/tar/minitar/input.rb
+lib/archive/tar/minitar/output.rb
+lib/archive/tar/minitar/posix_header.rb
+lib/archive/tar/minitar/reader.rb
+lib/archive/tar/minitar/writer.rb
+lib/minitar.rb
+test/minitest_helper.rb
+test/support/tar_test_helpers.rb
+test/test_tar_header.rb
+test/test_tar_input.rb
+test/test_tar_output.rb
+test/test_tar_reader.rb
+test/test_tar_writer.rb

data/README.rdoc

@@ -0,0 +1,81 @@
+= minitar
+
+home :: https://github.com/halostatue/minitar/
+code :: https://github.com/halostatue/minitar/
+bugs :: https://github.com/halostatue/minitar/issues
+rdoc :: http://rdoc.info/gems/minitar/
+cli  :: https://github.com/halostatue/minitar-cli
+continuous integration :: {<img src="https://travis-ci.org/halostatue/minitar.svg" />}[https://travis-ci.org/halostatue/minitar]
+                          {<img src="https://ci.appveyor.com/api/projects/status/bj4gqn3gp3gu45sa?svg=true" />}[https://ci.appveyor.com/project/halostatue/minitar]
+test coverage :: {<img src="https://coveralls.io/repos/halostatue/minitar/badge.svg" alt="Coverage Status" />}[https://coveralls.io/r/halostatue/minitar]
+
+== Description
+
+The minitar library is a pure-Ruby library that provides the ability to deal
+with POSIX tar(1) archive files.
+
+This is release 0.6, providing a number of bug fixes including a directory
+traversal vulnerability, CVE-2016-10173. This release starts the migration and
+modernization of the code:
+
+*   the licence has been changed to match the modern Ruby licensing scheme
+    (Ruby and Simplified BSD instead of Ruby and GNU GPL);
+*   the +minitar+ command-line program has been separated into the
+    +minitar-cli+ gem; and
+*   the +archive-tar-minitar+ gem now points to the +minitar+ and +minitar-cli+
+    gems and discourages its installation.
+
+Some of these changes may break existing programs that depend on the internal
+structure of the minitar library, but every effort has been made to ensure
+compatibility; inasmuch as is possible, this compatibility will be maintained
+through the release of minitar 1.0 (which will have strong breaking changes).
+
+minitar (previously called Archive::Tar::Minitar) is based heavily on code
+originally written by Mauricio Julio Fernández Pradier for the rpa-base
+project.
+
+== Synopsis
+
+Using minitar is easy. The simplest case is:
+
+  require 'minitar'
+
+  # Packs everything that matches Find.find('tests').
+  # test.tar will automatically be closed by Minitar.pack.
+  Minitar.pack('tests', File.open('test.tar', 'wb'))
+
+  # Unpacks 'test.tar' to 'x', creating 'x' if necessary.
+  Minitar.unpack('test.tar', 'x')
+
+A gzipped tar can be written with:
+
+  require 'zlib'
+  # test.tgz will be closed automatically.
+  Minitar.pack('tests', Zlib::GzipWriter.new(File.open('test.tgz', 'wb'))
+
+  # test.tgz will be closed automatically.
+  Minitar.unpack(Zlib::GzipReader.new(File.open('test.tgz', 'rb')), 'x')
+
+As the case above shows, one need not write to a file. However, it will
+sometimes require that one dive a little deeper into the API, as in the case of
+StringIO objects. Note that I'm not providing a block with Minitar::Output, as
+Minitar::Output#close automatically closes both the Output object and the
+wrapped data stream object.
+
+  begin
+    sgz = Zlib::GzipWriter.new(StringIO.new(String.new))
+    tar = Output.new(sgz)
+    Find.find('tests') do |entry|
+      Minitar.pack_file(entry, tar)
+    end
+  ensure
+      # Closes both tar and sgz.
+    tar.close
+  end
+
+== minitar Semantic Versioning
+
+The minitar library uses a {Semantic Versioning}[http://semver.org/] scheme
+with one change:
+
+* When PATCH is zero (+0+), it will be omitted from version references.

data/Rakefile

@@ -1,113 +1,52 @@
-#! /usr/bin/env rake
-$LOAD_PATH.unshift('lib')
+# -*- ruby encoding: utf-8 -*-
 
 require 'rubygems'
-require 'rake/gempackagetask'
-require 'rake/contrib/rubyforgepublisher'
-require 'archive/tar/minitar'
-require 'zlib'
-
-DISTDIR = "archive-tar-minitar-#{Archive::Tar::Minitar::VERSION}"
-TARDIST = "../#{DISTDIR}.tar.gz"
-
-DATE_RE = %r<(\d{4})[./-]?(\d{2})[./-]?(\d{2})(?:[\sT]?(\d{2})[:.]?(\d{2})[:.]?(\d{2})?)?>
-
-if ENV['RELEASE_DATE']
-  year, month, day, hour, minute, second = DATE_RE.match(ENV['RELEASE_DATE']).captures
-  year ||= 0
-  month ||= 0
-  day ||= 0
-  hour ||= 0
-  minute ||= 0
-  second ||= 0
-  ReleaseDate = Time.mktime(year, month, day, hour, minute, second)
-else
-  ReleaseDate = nil
-end
-
-task :test do |t|
-  require 'test/unit/testsuite'
-  require 'test/unit/ui/console/testrunner'
-
-  runner = Test::Unit::UI::Console::TestRunner
-
-  $LOAD_PATH.unshift('tests')
-  Dir['tests/tc_*.rb'].each do |testcase|
-    load testcase
-  end
-
-  suite = Test::Unit::TestSuite.new
-
-  ObjectSpace.each_object(Class) do |testcase|
-    suite << testcase.suite if testcase < Test::Unit::TestCase
-  end
-
-  runner.run(suite)
-end
-
-spec = eval(File.read("archive-tar-minitar.gemspec"))
-desc "Build the RubyGem for Archive::Tar::Minitar."
-task :gem => [ :test ]
-Rake::GemPackageTask.new(spec) do |g|
-  g.need_tar    = false
-  g.need_zip    = false
-  g.package_dir = ".."
-end
-
-desc "Build an Archive::Tar::Minitar .tar.gz distribution."
-task :tar => [ TARDIST ]
-file TARDIST do |t|
-  current = File.basename(Dir.pwd)
-  Dir.chdir("..") do
-    begin
-      files = Dir["#{current}/**/*"].select { |dd| dd !~ %r{(?:/CVS/?|~$)} }
-      files.map! do |dd|
-        ddnew = dd.gsub(/^#{current}/, DISTDIR)
-        mtime = ReleaseDate || File.stat(dd).mtime
-        if File.directory?(dd)
-          { :name => ddnew, :mode => 0755, :dir => true, :mtime => mtime }
-        else
-          if dd =~ %r{bin/}
-            mode = 0755
-          else
-            mode = 0644
-          end
-          data = File.read(dd)
-          { :name => ddnew, :mode => mode, :data => data, :size => data.size,
-            :mtime => mtime }
-        end
-      end
-
-      ff = File.open(t.name.gsub(%r{^\.\./}o, ''), "wb")
-      gz = Zlib::GzipWriter.new(ff)
-      tw = Archive::Tar::Minitar::Writer.new(gz)
-
-      files.each do |entry|
-        if entry[:dir]
-          tw.mkdir(entry[:name], entry)
-        else
-          tw.add_file_simple(entry[:name], entry) { |os| os.write(entry[:data]) }
-        end
-      end
-    ensure
-      tw.close if tw
-      gz.close if gz
+require 'hoe'
+require 'rake/clean'
+
+$LOAD_PATH.unshift('support')
+
+Hoe.plugin :doofus
+Hoe.plugin :gemspec2
+Hoe.plugin :git
+Hoe.plugin :minitest
+Hoe.plugin :travis
+Hoe.plugin :deprecated_gem
+Hoe.plugin :email unless ENV['CI'] or ENV['TRAVIS']
+
+spec = Hoe.spec 'minitar' do
+  developer('Austin Ziegler', 'halostatue@gmail.com')
+
+  require_ruby_version '>= 1.8'
+
+  self.history_file = 'History.md'
+  self.readme_file = 'README.rdoc'
+  self.licenses = ['Ruby', 'BSD-2-Clause']
+
+  self.post_install_message = <<-EOS
+The `minitar` executable is no longer bundled with `minitar`. If you are
+expecting this executable, make sure you also install `minitar-cli`.
+  EOS
+
+  extra_dev_deps << ['hoe-doofus', '~> 1.0']
+  extra_dev_deps << ['hoe-gemspec2', '~> 1.1']
+  extra_dev_deps << ['hoe-git', '~> 1.6']
+  extra_dev_deps << ['hoe-rubygems', '~> 1.0']
+  extra_dev_deps << ['hoe-travis', '~> 1.2']
+  extra_dev_deps << ['minitest', '~> 5.3']
+  extra_dev_deps << ['minitest-autotest', ['>= 1.0', '<2']]
+  extra_dev_deps << ['rake', '>= 10.0', '< 12']
+  extra_dev_deps << ['rdoc', '>= 0.0']
+end
+
+if RUBY_VERSION >= '2.0' && RUBY_ENGINE == 'ruby'
+  namespace :test do
+    desc 'Run test coverage'
+    task :coverage do
+      spec.test_prelude = 'load ".simplecov-prelude.rb"'
+      Rake::Task['test'].execute
     end
   end
-end
-task TARDIST => [ :test ]
-
-def sign(file)
-  sh %("C:\\Program Files\\Windows Privacy Tools\\GnuPG\\Gpg.exe" -ba #{file})
-end
-
-task :signtar => [ :tar ] do
-  sign TARDIST
-end
-task :signgem => [ :gem ] do
-  sign "../#{DISTDIR}.gem"
-end
 
-desc "Build everything."
-task :default => [ :signtar, :signgem ] do
+  Rake::Task['travis'].prerequisites.replace(%w(test:coverage))
 end