octoleo
/
lsyncd
mirror of https://github.com/octoleo/lsyncd.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Properly sanitize mv parameters (CVE-2014-8990) 

When using -rsyncssh option, some filenames
could -in addition of not syncing correctly-
crash the service and execute arbitrary commands
under the credentials of the remote user.

These issues have been assigned CVE-2014-8990

This commit fixes the incomplete and lua5.2-incompatible
sanitization performed by 18f02ad0

Signed-off-by: Sven Schwedas <sven.schwedas@tao.at>
This commit is contained in:
Ángel González 2014-11-25 23:49:25 +01:00 committed by Sven Schwedas
parent 18f02ad013
commit e6016b3748
1 changed files with 7 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
default-rsyncssh.lua
View File

@ -77,8 +77,10 @@ rsyncssh.action = function( inlet )
-- makes move local on target host
-- if the move fails, it deletes the source
if event.etype == 'Move' then
local path1 = event.path:gsub ('"', '\\"'):gsub ('`', '\\`'):gsub ('%$','\\%$')
local path2 = event2.path:gsub ('"', '\\"'):gsub ('`', '\\`'):gsub ('%$','\\%$')
local path1 = config.targetdir .. event.path
local path2 = config.targetdir .. event2.path
path1 = "'" .. path1:gsub ('\'', '\'"\'"\'') .. "'"
path2 = "'" .. path2:gsub ('\'', '\'"\'"\'') .. "'"
log(
'Normal',
@ -94,10 +96,10 @@ rsyncssh.action = function( inlet )
config.ssh._computed,
config.host,
'mv',
'\"' .. config.targetdir .. path1 .. '\"',
'\"' .. config.targetdir .. path2 .. '\"',
path1,
path2,
'||', 'rm', '-rf',
'\"' .. config.targetdir .. path1 .. '\"'
path1
)
return