[media-types] Draft 3 Re: Internet media type application/tar; request review

Sean Leonard <dev+ietf@seantek.com> Wed, 24 September 2014 22:53 UTC

To: media-types@iana.org
Archived-At: http://mailarchive.ietf.org/arch/msg/media-types/IAE0Az8Uez2d4U-gtdaE1DXYAko
Cc: ogdirector-platform@opengroup.org

Draft 3:

Registration Template [DRAFT]

Type name: application

Subtype name: tar

Required parameters: None.

Optional parameters: None.

Encoding considerations: binary

Security considerations:
TAR (Tape ARchive), as an archive format, can contain arbitrary files of
arbitrary types, including files that are not considered "regular files"
(e.g., symbolic links, directories). Some of these files may be
executable or contain executable data, including scripts, that could
compromise the security of a computer. Additionally, some files may
contain directives such as URIs that, when accessed, can compromise
privacy. As POSIX file system information can be recorded in this
format, user and group permissions, dates, and the like can also be
overwritten when the data is extracted. Extracting a tar file runs the
possibility of overwriting system files, and device nodes might be
included that could be written to by later resources in the same
archive. If extracted into an existing directory instead of a designated
new directory, the contents can appear to "explode" and make locating
existing files difficult (such an archive is known as a "tarbomb").
Furthermore, when encoding data in this format, personal data such as
user and group permissions from a source computer system can be
surreptitiously included in the format as a method of exfiltrating that
data. The format permits extensions ("pax extensions")--these extensions
may have their own security risks.

Interoperability considerations:
TAR is a widely-recognized archive format on all modern computer 
systems, especially those relating to UNIX and the POSIX standards. The 
format has undergone several iterations; the main current variations are 
"pax" and "ustar", which are compatible with each other.

Published specification:
POSIX.1-2008, IEEE Std 1003.1-2008 (2013 Edition), IEEE Standard for
Information Technology - Portable Operating System Interface (POSIX)
Shell and Utilities - pax - EXTENDED DESCRIPTION - pax Interchange
Format, ustar Interchange Format

http://pubs.opengroup.org/onlinepubs/9699919799/utilities/pax.html


Applications that use this media type:
pax is the POSIX utility. Most UNIX-compatible implementations also 
include a utility called tar.
Most software archiving programs of any notoriety process this format; 
implementations are too numerous to list.

Fragment identifier considerations: N/A

Additional information:

  Deprecated alias names for this type: N/A
  Magic number(s): hex: 75 73 74 61 72 00 30 30, aka
                   US-ASCII: u s t a r NUL 0 0,
                   at octet 257
  File extension(s): tar
  Macintosh file type code(s): N/A

Person & email address to contact for further information:
  Sean Leonard <dev+ietf@seantek.com>
  Andrew Josey <ogdirector-platform@opengroup.org>

Intended usage: COMMON

Restrictions on usage: None.

Author:
The Austin Common Standards Revision Group (CSRG)
The Institute of Electrical and Electronics Engineers (IEEE)
The Open Group

Change controller: CSRG <ogdirector-platform@opengroup.org>

Provisional registration? (standards tree only): No
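
Added example, not part of the original message or of the registration: a Python sketch that audits an archive before extraction for the risks listed under "Security considerations" (escaping paths, links, device nodes, setuid/setgid modes, recorded owner names, tarbomb layout) and checks the magic number at octet 257. The names `has_ustar_magic`, `audit_tar` and `build_sample`, and every member name in the sample archive, are assumptions constructed for illustration.

```python
import io
import tarfile

USTAR_MAGIC = b"ustar\x0000"  # template's magic number: "ustar" NUL "0" "0"

def has_ustar_magic(data: bytes) -> bool:
    """True if the 8 octets at offset 257 match the registered magic."""
    return data[257:265] == USTAR_MAGIC

def audit_tar(data: bytes) -> list:
    """Report members matching the risks in the Security considerations."""
    findings = [] if has_ustar_magic(data) else ["no ustar magic at octet 257"]
    top_level = set()
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tf:
        for m in tf:
            parts = [p for p in m.name.split("/") if p not in ("", ".")]
            if m.name.startswith("/") or ".." in parts:
                findings.append(f"{m.name}: path escapes extraction directory")
            if m.issym() or m.islnk():
                findings.append(f"{m.name}: link to {m.linkname}")
            if m.ischr() or m.isblk() or m.isfifo():
                findings.append(f"{m.name}: device node or FIFO")
            if m.mode & 0o6000:
                findings.append(f"{m.name}: setuid/setgid bit set")
            if m.uname or m.gname:
                findings.append(f"{m.name}: records owner {m.uname}:{m.gname}")
            if parts:
                top_level.add(parts[0])
    if len(top_level) > 1:  # no single enclosing directory
        findings.append(f"tarbomb: {len(top_level)} top-level entries")
    return findings

def build_sample() -> bytes:
    """Constructed archive (not from the page) that trips each check."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tf:
        for name, attrs in [
            ("docs/readme.txt", {"uname": "alice", "gname": "staff"}),
            ("../etc/passwd", {}),
            ("docs/link", {"type": tarfile.SYMTYPE, "linkname": "/etc/shadow"}),
            ("dev/console0", {"type": tarfile.CHRTYPE}),
            ("bin/tool", {"mode": 0o4755}),
        ]:
            info = tarfile.TarInfo(name)
            for key, value in attrs.items():
                setattr(info, key, value)
            tf.addfile(info)
    return buf.getvalue()
```

Calling `audit_tar(build_sample())` returns one finding per risky member plus the tarbomb finding. Archives written in GNU tar format carry a different magic ("ustar", two spaces, NUL) and therefore do not match the registered value.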