octoleo/lsyncd
1
0
Fork 0
mirror of https://github.com/octoleo/lsyncd.git synced 2025-01-07 09:04:05 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #298 from creshal/master

Browse Source 
Properly sanitize mv parameters (CVE-2014-8990)
This commit is contained in:
Axel Kittenberger 2014-11-26 11:39:46 +01:00
commit e9ffda07f0
1 changed files with 7 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
default-rsyncssh.lua
View File

@ -77,6 +77,10 @@ rsyncssh.action = function( inlet )
-- makes move local on target host -- makes move local on target host
-- if the move fails, it deletes the source -- if the move fails, it deletes the source
if event.etype == 'Move' then if event.etype == 'Move' then
local path1 = config.targetdir .. event.path
local path2 = config.targetdir .. event2.path
path1 = "'" .. path1:gsub ('\'', '\'"\'"\'') .. "'"
path2 = "'" .. path2:gsub ('\'', '\'"\'"\'') .. "'"
log( log(
'Normal', 'Normal',
@ -92,10 +96,10 @@ rsyncssh.action = function( inlet )
config.ssh._computed, config.ssh._computed,
config.host, config.host,
'mv', 'mv',
'\"' .. config.targetdir .. event.path .. '\"', path1,
'\"' .. config.targetdir .. event2.path .. '\"', path2,
'||', 'rm', '-rf', '||', 'rm', '-rf',
'\"' .. config.targetdir .. event.path .. '\"' path1
) )
return return