DO NOT REPLY [Bug 6151] New: --safe-links can be fooled by adding extra slashes to the path

samba-bugs at samba-bugs at
Mon Mar 2 21:54:00 GMT 2009

           Summary: --safe-links can be fooled by adding extra slashes to
                    the path
           Product: rsync
           Version: 3.1.0
          Platform: x64
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P3
         Component: core
        AssignedTo: wayned at
        ReportedBy: erik.sjolund at
         QAContact: rsync-qa at

The rsync option flags 
are not working correctly. It is possible to fool the function 
unsafe_symlink(const char *dest, const char *src) in util.c
by adding extra slashes as the following example shows:

$ mkdir /tmp/a
$ cd /tmp/a
$ ln -s ../../etc/passwd passwd1
$ ln -s .////../../etc/passwd passwd2
$ rsync -av --safe-links /tmp/a/ /tmp/b
sending incremental file list
created directory /tmp/b
ignoring unsafe symlink "/tmp/b/passwd1" -> "../../etc/passwd"
passwd2 -> .////../../etc/passwd

sent 115 bytes  received 18 bytes  266.00 bytes/sec
total size is 37  speedup is 0.28
$ ls -l /tmp/b
total 0
lrwxrwxrwx 1 esjolund users 21 2009-03-02 22:33 passwd2 ->

We see that rsync correctly detects /tmp/a/passwd1 as being a symlink pointing
outside the tree and rsync therefore ignores that symlink. But rsync fails to
discover that /tmp/a/passwd2 also points outside the tree.

The rsync version used in the above example was compiled from:
on a Centos Linux 5.2 x86_64

Configure bugmail:
------- You are receiving this mail because: -------
You are the QA contact for the bug, or are watching the QA contact.

More information about the rsync mailing list