[Bug 8445] Add a non-trusted filter-file option that would limit the rules and ignore syntax errors

samba-bugs at samba.org samba-bugs at samba.org
Sat Sep 10 15:06:52 MDT 2011 

https://bugzilla.samba.org/show_bug.cgi?id=8445

Wayne Davison <wayned at samba.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
            Summary|rsync crash when remote     |Add a non-trusted
                   |filter rule changes         |filter-file option that
                   |                            |would limit the rules and
                   |                            |ignore syntax errors
           Severity|critical                    |enhancement

--- Comment #1 from Wayne Davison <wayned at samba.org> 2011-09-10 21:06:51 UTC ---
(In reply to comment #0)
> invalid modifier sequence at 't' in filter rule: -/tmp

You'll note that rule is missing a space, so it was a fitler-rule syntax error.
 Rsync treats a failure to parse filter rules as something that it should
complain about in a fatal error so that you get a chance to fix it.

So, it seems to me that the issue here is that you're trusting user-generated
filter rules in a backup situation, which may not be a good idea (e.g. consider
the inclusion of a filter-rule import that references a secret file in order to
try to sniff its contents).  What you could do instead is to do a pre-copy
restrictive parse of all the filter files in the backup hierarchy and turn them
into a single set of global rules, dropping any syntax error lines and ignoring
any rules that shouldn't be trusted (you'd have to massage the paths and such).
 Then, run rsync with that filtered global exclude list rather than the per-dir
filter rules.

Another option is to mark the rules in the filter files as only hide rules (aka
a server-side-only exclude) which avoids an unwanted protect-from-deletion
effect of a normal exclude (thus users can specify things not to copy, but not
prevent things from being removed on the backup server).  This also avoids any
prefix/option interpretation in the per-dir files, so rsync won't generate an
error reading when it is parsing the files.  e.g.:

--filter=':-s .rsync-exclude'

You'd need to filter all the .rsync-filter files, changing the "- foo" rules
into just "foo" in the per-dir .rsync-exclude files for this to work, and let
your users know about the new filename (if you indeed change it) and the new
syntax.

-- 
Configure bugmail: https://bugzilla.samba.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug.

More information about the rsync mailing list