specifying a list of files to transfer

Wayne Davison wayned at users.sourceforge.net
Wed Jan 15 18:11:01 EST 2003

On Tue, Jan 14, 2003 at 10:01:47PM -0600, Lee Eakin wrote:
> Yes, people do restrict args via ssh key restrictions.

OK, I thank you both for enlightening me on the subject.  My current
patch applies the sanitize_path() function to all names read via the
--files-from option, regardless of whether we're pushing or pulling.
This means that all leading slashes are dropped from file names as
well as all leading "../" prefixes, and that any infix "dir/../"
combos are removed.  This ensures that we can't get above the root
dir that was specified on the command-line.

> so any sanitize code could first make sure all pathnames begin with a valid
> module and then make sure the file or dir is really inside that module.

This isn't needed since the module name is specified on the command-line
and then all paths are relative to the directory that was specified in
that module.  For instance:

    rsync --files-from=foo remote::module/bar

forces all pathnames read to be relative to the bar dir of the module.
If no "/bar" path was specified, the paths would all be relative to the
root-dir of the module.


More information about the rsync mailing list