https://bugzilla.samba.org/show_bug.cgi?id=6251
Summary: security: rsync executes remote commands Product: rsync Version: 3.0.5 Platform: x86 OS/Version: Linux Status: NEW Severity: major Priority: P3 Component: core AssignedTo: way...@samba.org ReportedBy: muel...@relog.ch QAContact: rsync...@samba.org when a source file name listed on the rsync command line contains | or ; then whatever comes after is executed as a command on the remote machine. rsync somehost:/foobar\;date\>/tmp/date . (note the backslashes) will fail and leave behind the file /tmp/date on the somehost. this can cause serious trouble when file names can be picked by untrusted users. the problem doesn't seem to occur when evil file names occur in a tree being copied or when given as copy source. -- Configure bugmail: https://bugzilla.samba.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the QA contact for the bug, or are watching the QA contact. -- Please use reply-all for most replies to avoid omitting the mailing list. To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html