Daemon exclude fix [Re: CVS update: rsyncweb]

Matt McCutchen matt at mattmccutchen.net
Sun Dec 16 22:56:57 GMT 2007

On Sun, 2007-12-16 at 22:39 +0000, Wayne Davison wrote:
> Updated security-release info includes 3.0.0pre7 release.

You should make it clear that, even after this fix, daemon-excluded
files are still vulnerable to a client that combines a --*-dest or
--*-dir above the excluded files (which the filter doesn't prevent) with
file-list path information.  To close this vulnerability, rsync would
have to check the path of each individual alternate basis, partial,
backup, or temporary file against the filters before accessing the file.


More information about the rsync mailing list