
Commit 18f02ad

committed
Sanitize mv arguments:
1. Fixes crashes on file names containing `, $ or " 2. Also prevents shell execution of ``, $() … in file names, which can be used to gain remote shell access as lsyncd's (target) user.
1 parent 4da2257 commit 18f02ad


1 file changed

+5
-3
lines changed


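--- a/default-rsyncssh.lua
+++ b/default-rsyncssh.lua
@@ -77,6 +77,8 @@ rsyncssh.action = function( inlet )
 -- makes move local on target host
 -- if the move fails, it deletes the source
 if event.etype == 'Move' then
+local path1 = event.path:gsub ('"', '\\"'):gsub ('`', '\\`'):gsub ('%$','\\%$')
+local path2 = event2.path:gsub ('"', '\\"'):gsub ('`', '\\`'):gsub ('%$','\\%$')
 
 log(
 'Normal',
@@ -92,10 +94,10 @@ rsyncssh.action = function( inlet )
 config.ssh._computed,
 config.host,
 'mv',
-'\"' .. config.targetdir .. event.path .. '\"',
-'\"' .. config.targetdir .. event2.path .. '\"',
+'\"' .. config.targetdir .. path1 .. '\"',
+'\"' .. config.targetdir .. path2 .. '\"',
 '||', 'rm', '-rf',
-'\"' .. config.targetdir .. event.path .. '\"'
+'\"' .. config.targetdir .. path1 .. '\"'
 )
 
 return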
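Review bot: The escaping added for `path1` and `path2` leaves the backslash itself unescaped, so a file name that already has a backslash in front of a double quote, a backtick or a `$` still reaches the remote shell with that character live inside the double-quoted `mv` and `rm -rf` arguments. Escape the backslash first in both chains, i.e. begin each with `:gsub ('\\', '\\\\')` ahead of the three existing substitutions. Separately, the replacement `'\\%$'` depends on Lua 5.1 accepting `%` followed by a non-digit in a gsub replacement; Lua 5.2 and later reject that as an invalid use of `%`, so `'\\$'` is the portable spelling. The body of `rsyncssh.action` starts and ends outside these hunks, so whether the log call or other event types pass the raw path to the shell cannot be checked from here.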
