Properly sanitize mv parameters (CVE-2014-8990)

When using the -rsyncssh option, some filenames
could (in addition to not syncing correctly)
crash the service and execute arbitrary commands
under the credentials of the remote user.

These issues have been assigned CVE-2014-8990.

This commit fixes the incomplete and lua5.2-incompatible
sanitization performed by 18f02ad0.

Signed-off-by: Sven Schwedas <sven.schwedas@tao.at>
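The single-quote rewrite this commit introduces (wrap the path in `'...'` and turn each embedded `'` into `'"'"'`) can be checked outside lsyncd: the shell harness below is an added example, not code from the lsyncd project, and reproduces the idiom in POSIX sh so that a constructed path containing every shell-special character round-trips through `eval` unchanged, which is what the remote login shell on the ssh target effectively does with the `mv` arguments. `shq`, `roundtrip`, `check_sample` and `SAMPLE` are names chosen for this example.

```shell
# Added example (not part of the lsyncd commit): POSIX sh version of the
# commit's quoting and a round-trip check for it.

# shq: wrap a string in single quotes, rewriting each embedded ' as '"'"'
# (the same idiom the patch applies with gsub('\'', '\'"\'"\'')).
# Inside single quotes no other character is special to a POSIX shell.
shq() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\"'\"'/g")"
}

# roundtrip: build a command string the way the remote shell receives it
# from ssh, let a shell evaluate it, and return the argument `mv` would see.
roundtrip() {
    eval "printf '%s' $(shq "$1")"
}

# Constructed sample path: contains the characters the old gsub chain tried
# to escape (", `, $) and the ones it did not handle at all (' and \).
SAMPLE='target/it'"'"'s "a" `b` $c \d.txt'

# check_sample: succeeds only if the quoted form evaluates back to SAMPLE
# byte for byte (no command substitution, no variable expansion, no
# backslash processing).
check_sample() {
    [ "$(roundtrip "$SAMPLE")" = "$SAMPLE" ]
}

printf 'quoted for the remote shell: %s\n' "$(shq "$SAMPLE")"
check_sample && echo "round trip OK"
```

Note that `$(...)` strips trailing newlines, so a path ending in a newline is the one case this harness cannot compare faithfully.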
Ángel González 2014-11-25 23:49:25 +01:00 committed by Sven Schwedas
parent 18f02ad013
commit e6016b3748


@ -77,8 +77,10 @@ rsyncssh.action = function( inlet )
-- makes move local on target host -- makes move local on target host
-- if the move fails, it deletes the source -- if the move fails, it deletes the source
if event.etype == 'Move' then if event.etype == 'Move' then
local path1 = event.path:gsub ('"', '\\"'):gsub ('`', '\\`'):gsub ('%$','\\%$') local path1 = config.targetdir .. event.path
local path2 = event2.path:gsub ('"', '\\"'):gsub ('`', '\\`'):gsub ('%$','\\%$') local path2 = config.targetdir .. event2.path
path1 = "'" .. path1:gsub ('\'', '\'"\'"\'') .. "'"
path2 = "'" .. path2:gsub ('\'', '\'"\'"\'') .. "'"
log( log(
'Normal', 'Normal',
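Review bot: the removed `gsub ('%$','\\%$')` is the Lua 5.2 incompatibility the commit message refers to: in 5.2 a `%` in the replacement string must be followed by a digit or another `%`, so that call raises an error instead of escaping `$`, and the old chain also never touched backslash, so double-quote escaping of `"`, `` ` `` and `$` alone could not be complete. Wrapping `config.targetdir .. event.path` in single quotes and rewriting each embedded `'` as `'"'"'` is the right fix, since nothing else is special to a POSIX shell inside single quotes, and it now covers `config.targetdir` as well as the event path. The two new lines are hard to read as written; a short comment above `path1 = "'" .. path1:gsub ('\'', '\'"\'"\'') .. "'"` saying that this closes the quote, inserts a double-quoted `'`, and reopens it would help the next reader, and the same quoting should be lifted into one helper rather than repeated for `path1` and `path2`.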
@ -94,10 +96,10 @@ rsyncssh.action = function( inlet )
config.ssh._computed, config.ssh._computed,
config.host, config.host,
'mv', 'mv',
'\"' .. config.targetdir .. path1 .. '\"', path1,
'\"' .. config.targetdir .. path2 .. '\"', path2,
'||', 'rm', '-rf', '||', 'rm', '-rf',
'\"' .. config.targetdir .. path1 .. '\"' path1
) )
return return
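Review bot: this hunk is where the quoting actually matters, because ssh joins these arguments into a single command line that the remote login shell re-parses, so the quotes have to be part of the argument itself. The removed form `'\"' .. config.targetdir .. path1 .. '\"'` double-quoted a path whose escaping was applied to `event.path` only, leaving `config.targetdir` unescaped; passing the already single-quoted `path1` and `path2` for all three uses (both `mv` operands and the `rm -rf` fallback) removes that asymmetry. Suggest a comment at the `'||', 'rm', '-rf'` line stating that `||` is evaluated by the remote shell, not by lsyncd, so the ordering and quoting of these tokens are what keeps the fallback deleting only the intended source path.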