On 8 Feb, Dave Dykstra wrote:
>
> The problem with full pathname symlinks and "use chroot = no" is that it
> can let somebody affect things outside of the module. For example,
> somebody could first upload a symlink to a directory outside of the module
> and then write into it. I implemented that functionality and I knew the
> removal of the leading slash would usually be the wrong thing to do but I
> thought it was better than having it bomb. In your case it could be
> smarter and check that a path is still within a module, but it is tricky to
> do that securely. If you make a patch, I'll look it over and if it looks
> OK I'll submit it to the rsync CVS. See the comment above sanitize_path()
> in util.c.
>
> - Dave Dykstra
>
Ok, I wasn't considering the fact that the client may be traversing
symbolic links to create the file list (I use the -x flag, and had
that fixed in my mindset).
As for determining if the path is within the module: df (under Solaris
at least, probably for other unices as well) uniquely resolves the
filesystem that a file resides on. Using whatever technique it uses,
one could test whether or not the filesystems of the new file and the module
are the same. I'll have to ponder this.
Thanks,
Diab
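
The containment question raised in this thread, as an added example that is not part of either message and is not rsync's own code: it resolves symlinks before comparing a path against the module root, and puts the device comparison beside it for the same constructed layout. The function names, the `/tmp/modchk.*` directory and the `module`/`module2` layout are assumptions made for the illustration.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* realpath, mkdtemp, symlink */
#endif
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if path, with every symlink resolved, is module_root or below it;
 * 0 if it resolves elsewhere; -1 if either path cannot be resolved. */
int path_within_module(const char *module_root, const char *path)
{
    char root[PATH_MAX], real[PATH_MAX];
    if (!realpath(module_root, root) || !realpath(path, real))
        return -1;
    size_t n = strlen(root);
    if (n == 1) return 1;             /* module root is "/" */
    if (strncmp(real, root, n) != 0)
        return 0;
    /* Require a component boundary: <base>/module must not match <base>/module2. */
    return real[n] == '\0' || real[n] == '/';
}

/* The df-style comparison from the thread: 1 if both paths are on one device. */
int same_filesystem(const char *a, const char *b)
{
    struct stat sa, sb;
    if (stat(a, &sa) != 0 || stat(b, &sb) != 0)
        return -1;
    return sa.st_dev == sb.st_dev;
}

/* Constructed layout for the demo: <base>/module/sub, <base>/module2 and
 * the symlink <base>/module/link -> <base>/module2. Returns 0 on success. */
int build_demo(char *base, size_t len)
{
    static const char *dirs[] = { "module", "module/sub", "module2" };
    char a[PATH_MAX], b[PATH_MAX];
    snprintf(base, len, "/tmp/modchk.XXXXXX");
    if (!mkdtemp(base)) return -1;
    for (int i = 0; i < 3; i++) {
        snprintf(a, sizeof a, "%s/%s", base, dirs[i]);
        if (mkdir(a, 0700) != 0) return -1;
    }
    snprintf(b, sizeof b, "%s/module/link", base);
    return symlink(a, b);             /* a still holds <base>/module2 */
}
```

In this layout the symlink target shares a device with the module, so `same_filesystem()` returns 1 while `path_within_module()` returns 0. The result also only describes the moment of the call: a path component replaced between the check and a later open is not covered.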