octoleo
/
lsyncd
mirror of https://github.com/octoleo/lsyncd.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #298 from creshal/master 

Properly sanitize mv parameters (CVE-2014-8990)
This commit is contained in:
Axel Kittenberger 2014-11-26 11:39:46 +01:00
parent 4da2257758 e6016b3748
commit e9ffda07f0
1 changed files with 7 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
default-rsyncssh.lua
View File

@ -77,6 +77,10 @@ rsyncssh.action = function( inlet )
-- makes move local on target host
-- if the move fails, it deletes the source
if event.etype == 'Move' then
local path1 = config.targetdir .. event.path
local path2 = config.targetdir .. event2.path
path1 = "'" .. path1:gsub ('\'', '\'"\'"\'') .. "'"
path2 = "'" .. path2:gsub ('\'', '\'"\'"\'') .. "'"
log(
'Normal',
@ -92,10 +96,10 @@ rsyncssh.action = function( inlet )
config.ssh._computed,
config.host,
'mv',
'\"' .. config.targetdir .. event.path .. '\"',
'\"' .. config.targetdir .. event2.path .. '\"',
path1,
path2,
'||', 'rm', '-rf',
'\"' .. config.targetdir .. event.path .. '\"'
path1
)
return