octoleo
/
lsyncd
mirror of https://github.com/octoleo/lsyncd.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Sanitize mv arguments: 

1. Fixes crashes on file names containing `, $ or "
2. Also prevents shell execution of ``, $() … in file names, which can be
   used to gain remote shell access as lsyncd's (target) user.
This commit is contained in:
Sven Schwedas 2014-10-29 13:32:20 +01:00
parent 4da2257758
commit 18f02ad013
1 changed files with 5 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
default-rsyncssh.lua
View File

@ -77,6 +77,8 @@ rsyncssh.action = function( inlet )
-- makes move local on target host
-- if the move fails, it deletes the source
if event.etype == 'Move' then
local path1 = event.path:gsub ('"', '\\"'):gsub ('`', '\\`'):gsub ('%$','\\%$')
local path2 = event2.path:gsub ('"', '\\"'):gsub ('`', '\\`'):gsub ('%$','\\%$')
log(
'Normal',
@ -92,10 +94,10 @@ rsyncssh.action = function( inlet )
config.ssh._computed,
config.host,
'mv',
'\"' .. config.targetdir .. event.path .. '\"',
'\"' .. config.targetdir .. event2.path .. '\"',
'\"' .. config.targetdir .. path1 .. '\"',
'\"' .. config.targetdir .. path2 .. '\"',
'||', 'rm', '-rf',
'\"' .. config.targetdir .. event.path .. '\"'
'\"' .. config.targetdir .. path1 .. '\"'
)
return