DO NOT REPLY [Bug 6251] security: rsync executes remote commands

samba-bugs at samba.org
Wed Apr 8 00:22:28 GMT 2009


https://bugzilla.samba.org/show_bug.cgi?id=6251





------- Comment #2 from matt at mattmccutchen.net  2009-04-07 19:22 CST -------
I think Urban is talking about a script that runs an rsync-over-ssh client on
behalf of an untrusted caller, in which case the ability to run arbitrary
remote commands would be a vulnerability in the script.  Urban, to prevent the
command execution, you can add --protect-args to the script.  Then rsync won't
pass the filenames through the remote shell, but the remote rsync will expand
globs itself.  If you don't even want globbing, use --files-from and perhaps
--from0.  I don't think a change to rsync is needed.


-- 
Configure bugmail: https://bugzilla.samba.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug, or are watching the QA contact.
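
The comment's suggestions, sketched as a wrapper that fetches caller-named files over ssh. This is an added example, not code from the bug report or from rsync; the function names, host and directories are hypothetical, and the file names in the test are constructed. Untrusted names never reach the rsync command line: they go to `--files-from=-` on stdin, NUL-separated because of `--from0`, so the remote side treats them as literal paths relative to the fixed source directory.

```python
import subprocess


def build_fetch(host, base_dir, dest_dir, names):
    """Return (argv, stdin_bytes) for pulling `names` from host:base_dir.

    host, base_dir and dest_dir are chosen by the script itself (assumption);
    only `names` comes from the untrusted caller.
    """
    encoded = []
    for name in names:
        # A NUL would split one entry into two under --from0; an empty
        # entry names nothing. Reject both instead of guessing.
        if not name or "\0" in name:
            raise ValueError(f"rejected file name: {name!r}")
        encoded.append(name.encode("utf-8", "surrogateescape"))

    argv = [
        "rsync", "-a",
        "--protect-args",    # remaining args are not passed through the remote shell
        "--from0",           # entries in the list end with NUL, not newline
        "--files-from=-",    # read the list from stdin; entries are not globbed
        "-e", "ssh",
        f"{host}:{base_dir}/",
        dest_dir,
    ]
    stdin_bytes = b"".join(entry + b"\0" for entry in encoded)
    return argv, stdin_bytes


def fetch(host, base_dir, dest_dir, names):
    """Run the transfer; returns rsync's exit status."""
    argv, stdin_bytes = build_fetch(host, base_dir, dest_dir, names)
    # argv is a list, so no local shell parses it either.
    return subprocess.run(argv, input=stdin_bytes, check=False).returncode
```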