From 18f02ad013b41a72753912155ae2ba72f2a53e52 Mon Sep 17 00:00:00 2001
From: Sven Schwedas
Date: Wed, 29 Oct 2014 13:32:20 +0100
Subject: [PATCH] Sanitize mv arguments:
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

1. Fixes crashes on file names containing `, $ or "
2. Also prevents shell execution of ``, $() … in file names, which can be used to gain remote shell access as lsyncd's (target) user.
---
 default-rsyncssh.lua | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/default-rsyncssh.lua b/default-rsyncssh.lua
index 58b2af0..589837d 100644
--- a/default-rsyncssh.lua
+++ b/default-rsyncssh.lua
@@ -77,6 +77,8 @@ rsyncssh.action = function( inlet )
 -- makes move local on target host
 -- if the move fails, it deletes the source
 if event.etype == 'Move' then
+ local path1 = event.path:gsub ('"', '\\"'):gsub ('`', '\\`'):gsub ('%$','\\%$')
+ local path2 = event2.path:gsub ('"', '\\"'):gsub ('`', '\\`'):gsub ('%$','\\%$')
 log(
 'Normal',
@@ -92,10 +94,10 @@ rsyncssh.action = function( inlet )
 config.ssh._computed,
 config.host,
 'mv',
- '\"' .. config.targetdir .. event.path .. '\"',
- '\"' .. config.targetdir .. event2.path .. '\"',
+ '\"' .. config.targetdir .. path1 .. '\"',
+ '\"' .. config.targetdir .. path2 .. '\"',
 '||', 'rm', '-rf',
- '\"' .. config.targetdir .. event.path .. '\"'
+ '\"' .. config.targetdir .. path1 .. '\"'
 )
 return
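Review bot: The escaping added for `path1` and `path2` in the first hunk leaves the backslash out, and inside the double quotes built in the second hunk the remote shell still treats a backslash as an escape character, so a backslash in a file name cancels the escape this patch puts in front of the following `"`, `$` or backquote. Escape the backslash before anything else by making `:gsub ('\\', '\\\\')` the first call in both chains. The replacement `'\\%$'` also relies on Lua 5.1 accepting `%` before a non-digit; Lua 5.2 and later raise "invalid use of '%' in replacement string", so write it as `'\\$'`. Wrapping each path in single quotes and rewriting only embedded single quotes would be simpler to audit than a list of characters to escape. Only the Move branch is visible here; the rest of rsyncssh.action lies outside both hunks, so other places that put event paths into a remote command should get the same treatment.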