Commit e6016b3

Ángel González (creshal) authored and committed
Properly sanitize mv parameters (CVE-2014-8990)
When using -rsyncssh option, some filenames could -in addition to not syncing correctly- crash the service and execute arbitrary commands under the credentials of the remote user.

These issues have been assigned CVE-2014-8990.

This commit fixes the incomplete and lua5.2-incompatible sanitization performed by 18f02ad

Signed-off-by: Sven Schwedas <sven.schwedas@tao.at>
1 parent 18f02ad commit e6016b3

File tree: 1 file changed, +7 -5 lines changed

Diff for: default-rsyncssh.lua

@@ -77,8 +77,10 @@ rsyncssh.action = function( inlet )
7777
-- makes move local on target host
7878
-- if the move fails, it deletes the source
7979
if event.etype == 'Move' then
80-
local path1 = event.path:gsub ('"', '\\"'):gsub ('`', '\\`'):gsub ('%$','\\%$')
81-
local path2 = event2.path:gsub ('"', '\\"'):gsub ('`', '\\`'):gsub ('%$','\\%$')
80+
local path1 = config.targetdir .. event.path
81+
local path2 = config.targetdir .. event2.path
82+
path1 = "'" .. path1:gsub ('\'', '\'"\'"\'') .. "'"
83+
path2 = "'" .. path2:gsub ('\'', '\'"\'"\'') .. "'"
8284

8385
log(
8486
'Normal',
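Review bot: the new lines 80-83 replace backslash-escaping of a short blacklist (`"`, backtick, `$`) inside double quotes with wrapping the whole `config.targetdir .. event.path` in single quotes using the `'"'"'` idiom, which is the right approach for a string that ssh will hand to a remote shell, since inside single quotes only `'` itself is special. The removed replacement string `'\\%$'` also contains `%$`, which is not a valid `gsub` replacement escape in Lua 5.2, matching the "lua5.2-incompatible" note in the commit message. Two tidy-ups to consider: the quoting expression is written out twice for `path1` and `path2` and would read better as a small local helper, and note that the prefix is now added before quoting, so `config.targetdir` is covered as well, whereas the old lines escaped `event.path` alone.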
@@ -94,10 +96,10 @@ rsyncssh.action = function( inlet )
9496
config.ssh._computed,
9597
config.host,
9698
'mv',
97-
'\"' .. config.targetdir .. path1 .. '\"',
98-
'\"' .. config.targetdir .. path2 .. '\"',
99+
path1,
100+
path2,
99101
'||', 'rm', '-rf',
100-
'\"' .. config.targetdir .. path1 .. '\"'
102+
path1
101103
)
102104

103105
return
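Review bot: lines 99-102 now pass the already-quoted `path1` and `path2` through unchanged, which is consistent with the first hunk; the removed lines only wrapped `config.targetdir .. path1` in `"` here, after the `gsub` escaping had already run on the bare path, so the targetdir prefix was never covered. Since `'||'`, `'rm'`, `'-rf'` are separate ssh arguments that the remote shell re-joins and re-parses, the single-quote semantics established in the first hunk are what make this line safe; a `'--'` before the `mv` and `rm` operands would additionally protect against a `config.targetdir` beginning with `-` and is cheap to add while touching these lines.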

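Added example, not lsyncd's own code: it re-implements the single-quote idiom the fixed hunk uses, applies it to `targetdir .. path` in the same order as the diff, and uses Python's POSIX-mode `shlex` as a stand-in for the remote shell's word splitting to confirm that each quoted path comes back as exactly one word. The names `shell_quote` and `build_move_command`, the target directory and the file names are constructed for this example.

```python
"""Check the single-quote shell quoting used by the CVE-2014-8990 fix.

ssh joins its remaining arguments with spaces and the remote login shell
re-parses that string, so the quoting must be remote-shell quoting.
shlex.split() in POSIX mode follows sh word-splitting rules, which lets
us verify offline that a quoted path is seen as one word.
"""
import shlex


def shell_quote(path: str) -> str:
    """Same idiom as the fixed Lua line:
    path1 = "'" .. path1:gsub ('\'', '\'"\'"\'') .. "'"
    Every embedded ' becomes '"'"' (close quote, a double-quoted ',
    reopen quote); nothing else is special inside single quotes."""
    return "'" + path.replace("'", "'\"'\"'") + "'"


def build_move_command(targetdir: str, src: str, dst: str) -> str:
    """Mirror the argument list from the diff, prefixing targetdir
    *before* quoting exactly as the fix does:
        mv PATH1 PATH2 || rm -rf PATH1
    The join with spaces emulates what ssh sends to the remote shell."""
    path1 = shell_quote(targetdir + src)
    path2 = shell_quote(targetdir + dst)
    return " ".join(["mv", path1, path2, "||", "rm", "-rf", path1])


def words_seen_by_remote_shell(cmdline: str) -> list:
    """Split like a POSIX shell would (no expansion is performed)."""
    return shlex.split(cmdline)


if __name__ == "__main__":
    # Constructed file name with every character class the old code
    # tried to escape, plus a backslash and a newline it did not handle.
    tricky = "it's \"q\" $HOME `cmd` \\ ; | &\nsecond line.txt"
    assert words_seen_by_remote_shell(shell_quote(tricky)) == [tricky]
    print(build_move_command("/srv/target/", "a b.txt", "c'd.txt"))
```

Because `shlex` only tokenizes, the check is safe to run on any name; it answers the one question that matters here, whether the remote shell receives the path as a single word.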