Properly sanitize mv parameters (CVE-2014-8990)
When using the -rsyncssh option, some filenames
could - in addition to not syncing correctly -
crash the service and execute arbitrary commands
under the credentials of the remote user.
These issues have been assigned CVE-2014-8990
This commit fixes the incomplete and lua5.2-incompatible
sanitization performed by 18f02ad0
Signed-off-by: Sven Schwedas <sven.schwedas@tao.at>
This commit is contained in:
parent
18f02ad013
commit
e6016b3748
@ -77,8 +77,10 @@ rsyncssh.action = function( inlet )
|
||||
-- makes move local on target host
|
||||
-- if the move fails, it deletes the source
|
||||
if event.etype == 'Move' then
|
||||
local path1 = event.path:gsub ('"', '\\"'):gsub ('`', '\\`'):gsub ('%$','\\%$')
|
||||
local path2 = event2.path:gsub ('"', '\\"'):gsub ('`', '\\`'):gsub ('%$','\\%$')
|
||||
local path1 = config.targetdir .. event.path
|
||||
local path2 = config.targetdir .. event2.path
|
||||
path1 = "'" .. path1:gsub ('\'', '\'"\'"\'') .. "'"
|
||||
path2 = "'" .. path2:gsub ('\'', '\'"\'"\'') .. "'"
|
||||
|
||||
log(
|
||||
'Normal',
|
||||
@ -94,10 +96,10 @@ rsyncssh.action = function( inlet )
|
||||
config.ssh._computed,
|
||||
config.host,
|
||||
'mv',
|
||||
'\"' .. config.targetdir .. path1 .. '\"',
|
||||
'\"' .. config.targetdir .. path2 .. '\"',
|
||||
path1,
|
||||
path2,
|
||||
'||', 'rm', '-rf',
|
||||
'\"' .. config.targetdir .. path1 .. '\"'
|
||||
path1
|
||||
)
|
||||
|
||||
return
|
||||
|
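Review bot: The single-quote wrapping on the `path1 = "'" .. path1:gsub ('\'', '\'"\'"\'') .. "'"` line and its path2 twin is the correct POSIX idiom, but it is written out twice with no comment stating what it guarantees or assumes; it only holds if the remote login shell parses single quotes the POSIX way, since ssh joins the arguments and hands them to that shell. I would factor it into one local helper, `local function shell_quote( s ) return "'" .. s:gsub( "'", "'\"'\"'" ) .. "'" end`, annotated with `-- quote for a POSIX sh on the remote host; gsub's count is discarded because the call is an operand of ..`, and route both paths (and any other path this function later passes to the remote shell) through it so the escaping cannot drift between call sites. The second hunk then consistently passes the quoted values, which looks right. The enclosing rsyncssh.action starts and ends outside the hunks.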