Client can trick daemon into running server code with am_server == 0
Matt McCutchen
hashproduct+rsync at gmail.com
Thu Feb 15 03:31:18 GMT 2007
Dear rsync people (particularly Wayne),
I noticed that an rsync daemon counts on the client sending a --server
option so that am_server gets set to 1. If the client doesn't supply
this option, am_server remains 0 but the daemon runs start_server
anyway. This is potentially dangerous and might lead to a security
hole, although I haven't found one yet. I suggest that the daemon
either set am_server = 1 explicitly or drop the connection with an
error if the client doesn't supply --server.
Matt
More information about the rsync
mailing list