rsync 2.6.0: possible sanitization bug?
Adam Sampson
azz at us-lot.org
Fri Jan 30 11:52:17 GMT 2004
Hiya.
While merging the 2.6.0 changes into our modified version of rsync, I
noticed the following bit of code in 2.6.0's options.c:
    extern int sanitize_paths;
    if (sanitize_paths)
        sanitize_path(strdup(files_from), NULL);
    filesfrom_fd = open(files_from, O_RDONLY|O_BINARY);
Since sanitize_path modifies its first argument in place, the path that
open() gets there hasn't been sanitized, which could be a security issue
-- plus it leaks memory. Shouldn't that be something like this?
    extern int sanitize_paths;
    char *s = strdup(files_from);
    if (sanitize_paths)
        sanitize_path(s, NULL);
    filesfrom_fd = open(s, O_RDONLY|O_BINARY);
    free(s);
Thanks,
--
Adam Sampson <azz at us-lot.org> <http://offog.org/>
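
The difference between the two snippets in the message above, as an added stand-alone example that is not part of the original post and not rsync code. toy_sanitize() is a hypothetical stand-in for sanitize_path(), and the path_used_* helpers and the sample path are constructed for illustration; each helper returns the string that would reach open().

```c
#define _POSIX_C_SOURCE 200809L  /* for strdup() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for rsync's sanitize_path(): rewrites p in place,
 * dropping leading '/' and every ".." component. Not rsync's real logic. */
static void toy_sanitize(char *p)
{
    char *out = p, *in = p;
    while (*in) {
        while (*in == '/') in++;            /* skip separators */
        size_t n = strcspn(in, "/");        /* length of next component */
        if (n == 0) break;
        if (!(n == 2 && in[0] == '.' && in[1] == '.')) {
            if (out != p) *out++ = '/';
            memmove(out, in, n);            /* regions may overlap */
            out += n;
        }
        in += n;
    }
    *out = '\0';
}

/* Pattern from the first snippet: the sanitizer edits a throwaway copy,
 * so the string later handed to open() is the caller's original. */
static const char *path_used_buggy(const char *files_from)
{
    toy_sanitize(strdup(files_from));       /* result discarded, copy leaked */
    return files_from;
}

/* Pattern from the second snippet: sanitize the copy, then use that copy.
 * The caller frees the result. */
static char *path_used_fixed(const char *files_from)
{
    char *s = strdup(files_from);
    if (s) toy_sanitize(s);
    return s;
}

int main(void)
{
    char arg[] = "/../etc/passwd";          /* constructed sample input */
    char *fixed = path_used_fixed(arg);
    printf("first snippet would open:  %s\n", path_used_buggy(arg));
    printf("second snippet would open: %s\n", fixed ? fixed : "(alloc failed)");
    free(fixed);
    return 0;
}
```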