X-Git-Url: https://wimlib.net/git/?a=blobdiff_plain;f=doc%2Fimagex-apply.1.in;h=1a6d0a4114e404404f5cdb46c59ed7bd7355c035;hb=ea914185bfdd6d2a000a341566f4dbbb7ecc2319;hp=64d195e311d1c0b18f09da2648965a2aa4131f08;hpb=f0134c285fae01e5c943ed2b96cb8656ba01bf5a;p=wimlib diff --git a/doc/imagex-apply.1.in b/doc/imagex-apply.1.in index 64d195e3..1a6d0a41 100644 --- a/doc/imagex-apply.1.in +++ b/doc/imagex-apply.1.in @@ -1,4 +1,4 @@ -.TH WIMLIB-IMAGEX "1" "November 2013" "@IMAGEX_PROGNAME@ @VERSION@" "User Commands" +.TH WIMLIB-IMAGEX "1" "January 2014" "@IMAGEX_PROGNAME@ @VERSION@" "User Commands" .SH NAME @IMAGEX_PROGNAME@-apply \- Extract one image, or all images, from a WIM archive .SH SYNOPSIS @@ -372,16 +372,26 @@ differing only in case, one will be chosen to extract arbitrarily; however, with \fB--include-invalid-names\fR, all names will be sanitized and extracted in some form. .SH NOTES +\fIData integrity\fR: WIM files include SHA1 message digests for file data. \fB@IMAGEX_PROGNAME@ apply\fR calculates the SHA1 message digest of every file -stream it extracts and verifies that it is the same as the SHA1 message digest -provided in the WIM file. It is an error if the message digests don't match. -It's also considered to be an error if any WIM resources that need to be -extracted cannot be found in the stream lookup table. So you can be fairly -certain that the file streams are extracted correctly, even though -\fB@IMAGEX_PROGNAME@ apply\fR don't have a \fB/verify\fR option like Microsoft's -ImageX does. Note that this is separate from the integrity table of the WIM, -which provides SHA1 message digests over raw chunks of the entire WIM file and -is checked separately if the \fB--check\fR option is specified. +it extracts and issues an error if it is not equal to the SHA1 message digest +provided in the WIM. (This default behavior seems equivalent to the +\fB/verify\fR option of ImageX.) Note that this is separate from the integrity +table of the WIM, which provides SHA1 message digests over raw chunks of the +entire WIM file and is checked separately if the \fB--check\fR option is +specified. +.PP +\fIESD files\fR: wimlib v1.6.0 and later can extract files from version 3584 +WIMs, which usually contain LZMS-compressed solid blocks and may carry the +\fI.esd\fR file extension rather than \fI.wim\fR. However, \fI.esd\fR files +downloaded directly by the Windows 8 web downloader have encrypted segments, and +wimlib cannot extract such files until they are first decrypted. +.PP +\fIDirectory traversal attacks\fR: wimlib validates filenames before extracting +them and is not vulnerable to directory traversal attacks. This is in contrast +to Microsoft WIMGAPI/Imagex/Dism which can override arbitrary files on the +target drive when extracting a malicious WIM file containing files named +\fI..\fR or containing path separators. .SH EXAMPLES Extract the first image from the Windows PE image on the Windows Vista/7/8 installation media to the directory "boot": @@ -425,16 +435,6 @@ partition!) An example of applying a pipable WIM from a pipe can be found in \fBPIPABLE WIMS\fR, and an example of applying a split WIM can be found in \fBSPLIT WIMS\fR. -.PP -And finally, just for fun, a silly way to recursively copy a directory tree -\fIsrc\fR to \fIdst\fR (but subject to the documented limitations, e.g. -platform and filesystem-dependent, of the capture and apply functionality of -\fB@IMAGEX_PROGNAME@\fR): -.RS -.PP -@IMAGEX_PROGNAME@ capture src - | @IMAGEX_PROGNAME@ apply - dst -.RE -.PP .SH SEE ALSO .BR @IMAGEX_PROGNAME@ (1) .BR @IMAGEX_PROGNAME@-capture (1)