https://bugzilla.samba.org/show_bug.cgi?id=6251

           Summary: security: rsync executes remote commands
           Product: rsync
           Version: 3.0.5
          Platform: x86
        OS/Version: Linux
            Status: NEW
          Severity: major
          Priority: P3
         Component: core
        AssignedTo: way...@samba.org
        ReportedBy: muel...@relog.ch
         QAContact: rsync...@samba.org


When a source file name listed on the rsync command line contains | or ; then
whatever comes after is executed as a command on the remote machine.

rsync somehost:/foobar\;date\>/tmp/date .

(note the backslashes)

will fail and leave behind the file /tmp/date on somehost. This can cause
serious trouble when file names can be picked by untrusted users.

The problem doesn't seem to occur when evil file names occur in a tree being
copied or when given as copy source.


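Added example, not part of the original report and not rsync project code: one way for a wrapper script to build the rsync command line when the remote file name comes from an untrusted user, so the remote shell never parses it. It relies on rsync's -s/--protect-args option (available since rsync 3.0.0), with shlex.quote as the alternative when that option is not used; the function names and the host name pattern are assumptions made for this illustration.

```python
import re
import shlex

# Assumed policy for this example: plain host names only.
HOSTNAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]*$")


def needs_protection(remote_path):
    """True if a POSIX shell would treat the path as more than one plain word."""
    return shlex.quote(remote_path) != remote_path


def build_rsync_argv(host, remote_path, dest, protect_args=True):
    """Return an argv list for subprocess.run(argv), so no local shell is involved.

    protect_args=True  -> add --protect-args; rsync then sends the path over
                          its own protocol instead of placing it on the
                          remote shell command line.
    protect_args=False -> quote the path for the remote shell instead.
    Use one or the other: doing both would make the quotes part of the name.
    """
    if not HOSTNAME.match(host):
        raise ValueError("unexpected characters in host name")
    if not remote_path:
        raise ValueError("empty remote path")
    argv = ["rsync"]
    if protect_args:
        argv.append("--protect-args")
        source = f"{host}:{remote_path}"
    else:
        source = f"{host}:{shlex.quote(remote_path)}"
    # "--" ends option parsing, so a name starting with "-" stays an operand.
    return argv + ["--", source, dest]


# Constructed sample: the file name from the report, treated as untrusted input.
UNTRUSTED = "/foobar;date>/tmp/date"

if __name__ == "__main__":
    print(needs_protection(UNTRUSTED))
    print(build_rsync_argv("somehost", UNTRUSTED, "."))
    print(build_rsync_argv("somehost", UNTRUSTED, ".", protect_args=False))
```

Pass the returned list straight to subprocess.run without shell=True; joining it into a string for a local shell would reintroduce the same parsing problem on the client side.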