1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
|
Fix a security issue with rsyncd not properly sanitizing paths.
Ripped from upstream cvs.
Index: options.c
===================================================================
RCS file: /cvsroot/rsync/options.c,v
retrieving revision 1.139
retrieving revision 1.141
diff -u -b -B -r1.139 -r1.141
--- options.c
+++ options.c
@@ -21,6 +21,8 @@
#include "rsync.h"
#include "popt.h"
+extern int sanitize_paths;
+extern char curr_dir[MAXPATHLEN];
extern struct exclude_struct **exclude_list;
int make_backups = 0;
@@ -359,7 +361,7 @@
{"timeout", 0, POPT_ARG_INT, &io_timeout, 0, 0, 0 },
{"temp-dir", 'T', POPT_ARG_STRING, &tmpdir, 0, 0, 0 },
{"compare-dest", 0, POPT_ARG_STRING, &compare_dest, 0, 0, 0 },
- {"link-dest", 0, POPT_ARG_STRING, 0, OPT_LINK_DEST, 0, 0 },
+ {"link-dest", 0, POPT_ARG_STRING, &compare_dest, OPT_LINK_DEST, 0, 0 },
/* TODO: Should this take an optional int giving the compression level? */
{"compress", 'z', POPT_ARG_NONE, &do_compression, 0, 0, 0 },
{"daemon", 0, POPT_ARG_NONE, &daemon_opt, 0, 0, 0 },
@@ -469,6 +471,7 @@
{
int opt;
char *ref = lp_refuse_options(module_id);
+ const char *arg;
poptContext pc;
if (ref && *ref)
@@ -517,12 +520,18 @@
break;
case OPT_EXCLUDE_FROM:
- add_exclude_file(&exclude_list, poptGetOptArg(pc),
+ arg = poptGetOptArg(pc);
+ if (sanitize_paths)
+ arg = alloc_sanitize_path(arg, curr_dir);
+ add_exclude_file(&exclude_list, arg,
MISSING_FATAL, ADD_EXCLUDE);
break;
case OPT_INCLUDE_FROM:
- add_exclude_file(&exclude_list, poptGetOptArg(pc),
+ arg = poptGetOptArg(pc);
+ if (sanitize_paths)
+ arg = alloc_sanitize_path(arg, curr_dir);
+ add_exclude_file(&exclude_list, arg,
MISSING_FATAL, ADD_INCLUDE);
break;
@@ -566,7 +575,6 @@
case OPT_LINK_DEST:
#if HAVE_LINK
- compare_dest = (char *)poptGetOptArg(pc);
link_dest = 1;
break;
#else
@@ -660,6 +668,26 @@
if (relative_paths < 0)
relative_paths = files_from? 1 : 0;
+ *argv = poptGetArgs(pc);
+ if (*argv)
+ *argc = count_args(*argv);
+ else
+ *argc = 0;
+
+ if (sanitize_paths) {
+ int i;
+ for (i = *argc; i-- > 0; )
+ (*argv)[i] = alloc_sanitize_path((*argv)[i], NULL);
+ if (tmpdir)
+ tmpdir = alloc_sanitize_path(tmpdir, curr_dir);
+ if (compare_dest)
+ compare_dest = alloc_sanitize_path(compare_dest, curr_dir);
+ if (backup_dir)
+ backup_dir = alloc_sanitize_path(backup_dir, curr_dir);
+ if (files_from)
+ files_from = alloc_sanitize_path(files_from, curr_dir);
+ }
+
if (!backup_suffix)
backup_suffix = backup_dir ? "" : BACKUP_SUFFIX;
backup_suffix_len = strlen(backup_suffix);
@@ -690,12 +718,6 @@
if (do_progress && !verbose)
verbose = 1;
- *argv = poptGetArgs(pc);
- if (*argv)
- *argc = count_args(*argv);
- else
- *argc = 0;
-
if (files_from) {
char *colon;
if (*argc != 2) {
@@ -718,9 +740,6 @@
exit_cleanup(RERR_SYNTAX);
}
} else {
- extern int sanitize_paths;
- if (sanitize_paths)
- sanitize_path(strdup(files_from), NULL);
filesfrom_fd = open(files_from, O_RDONLY|O_BINARY);
if (filesfrom_fd < 0) {
rsyserr(FERROR, errno,
Index: clientserver.c
===================================================================
RCS file: /cvsroot/rsync/clientserver.c,v
retrieving revision 1.118
retrieving revision 1.117
diff -u -b -B -r1.118 -r1.117
--- clientserver.c
+++ clientserver.c
@@ -423,19 +423,6 @@
}
}
- if (sanitize_paths) {
- /*
- * Note that this is applied to all parameters, whether or not
- * they are filenames, but no other legal parameters contain
- * the forms that need to be sanitized so it doesn't hurt;
- * it is not known at this point which parameters are files
- * and which aren't.
- */
- for (i = 1; i < argc; i++) {
- sanitize_path(argv[i], NULL);
- }
- }
-
argp = argv;
ret = parse_arguments(&argc, (const char ***) &argp, 0);
Index: proto.h
===================================================================
RCS file: /cvsroot/rsync/proto.h,v
retrieving revision 1.184
retrieving revision 1.185
diff -u -b -B -r1.184 -r1.185
--- proto.h
+++ proto.h
@@ -260,6 +260,7 @@
void strlower(char *s);
void clean_fname(char *name);
void sanitize_path(char *p, char *reldir);
+char *alloc_sanitize_path(const char *path, const char *rootdir);
char *push_dir(char *dir, int save);
int pop_dir(char *dir);
char *full_fname(char *fn);
Index: util.c
===================================================================
RCS file: /cvsroot/rsync/util.c,v
retrieving revision 1.132
retrieving revision 1.133
diff -u -b -B -r1.132 -r1.133
--- util.c
+++ util.c
@@ -775,6 +775,34 @@
*sanp = '\0';
}
+/* Works much like sanitize_path(), with these differences: (1) a new buffer
+ * is allocated for the sanitized path rather than modifying it in-place; (2)
+ * a leading slash gets transformed into the rootdir value (which can be empty
+ * or NULL if you just want the slash to get dropped); (3) no "reldir" can be
+ * specified. */
+char *alloc_sanitize_path(const char *path, const char *rootdir)
+{
+ char *buf;
+ int rlen, plen = strlen(path);
+
+ if (*path == '/' && rootdir)
+ rlen = strlen(rootdir);
+ else
+ rlen = 0;
+ if (!(buf = new_array(char, rlen + plen + 1)))
+ out_of_memory("alloc_sanitize_path");
+ if (rlen)
+ memcpy(buf, rootdir, rlen);
+ memcpy(buf + rlen, path, plen + 1);
+
+ if (rlen)
+ rlen++;
+ sanitize_path(buf + rlen, NULL);
+ if (rlen && buf[rlen] == '.' && buf[rlen+1] == '\0')
+ buf[rlen-1] = '\0';
+
+ return buf;
+}
char curr_dir[MAXPATHLEN];
unsigned int curr_dir_len;
|
GitWeb