[Bug 13827] New: despite --copy-unsafe-links, rsync does not copy the referent of symlinks that point one level outside the copied tree

samba-bugs at samba.org samba-bugs at samba.org
Sat Mar 9 12:12:40 UTC 2019


https://bugzilla.samba.org/show_bug.cgi?id=13827

            Bug ID: 13827
           Summary: despite --copy-unsafe-links, rsync does not copy the
                    referent of symlinks that point one level outside the
                    copied tree
           Product: rsync
           Version: 3.1.3
          Hardware: All
                OS: All
            Status: NEW
          Severity: major
          Priority: P5
         Component: core
          Assignee: wayne at opencoder.net
          Reporter: jan at bredereke-net.de
        QA Contact: rsync-qa at samba.org

Created attachment 14913
  --> https://bugzilla.samba.org/attachment.cgi?id=14913&action=edit
short shell script demonstrating the bug

Despite --copy-unsafe-links, rsync does not copy the referent of symlinks that
point one level outside the copied tree. The short shell script attached
demonstrates the problem. It also demonstrates two other cases where the checks
work as intended. The problem appears to be an off-by-one error in a check.

Accessing things outside the copied tree through a symlink is probably a
security problem. However, the restriction to only one directory level too far
makes it more difficult to exploit.

1)
Tested on Lubuntu 18.04.1 LTS

2)
rsync version 3.1.2, protocol version 31
(The most current version of rsync is 3.1.3. But its release notes do not
mention this bug to be fixed.)
The change & release notes of Lubuntu 18.04.1 do not mention rsync.
The bug tracker Ubuntu Launchpad does not mention this bug.

3)
I expected any symlink pointing outside the copied tree to be converted into a
copy, when I use --copy-unsafe-links.

4)
A symlink pointing just one level outside the copied tree is not converted.
This is always reproducible, see the demo script attached.

I submitted this bug to Ubuntu Launchpad first. But they told me to submit it
here. (Since I declared it a security relevant bug, it became non-public by
default.)
https://bugs.launchpad.net/ubuntu/+source/rsync/+bug/1816586

-- 
You are receiving this mail because:
You are the QA Contact for the bug.
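
An added example, not part of the original report and not rsync's own check: a lexical audit that lists every symlink in a tree whose target leaves that tree, including the one-level case described above. The names `escapes_tree`, `audit_tree` and `build_demo_tree` are hypothetical, the sample tree is constructed, and the tree root is assumed to be the directory passed to `audit_tree`.

```python
import os
import tempfile

def escapes_tree(link_rel, target):
    """True if the symlink at link_rel (path relative to the tree root)
    has a target that lexically leaves the tree. Absolute targets count."""
    if os.path.isabs(target):
        return True
    depth = len(link_rel.split(os.sep)) - 1   # directories between root and link
    for part in target.split("/"):
        if part in ("", "."):
            continue
        depth += -1 if part == ".." else 1
        if depth < 0:                          # one level above the root is enough
            return True
    return False

def audit_tree(root):
    """Return sorted (relative path, target) pairs for every escaping symlink."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):   # does not follow links
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                target = os.readlink(full)
                rel = os.path.relpath(full, root)
                if escapes_tree(rel, target):
                    found.append((rel, target))
    return sorted(found)

def build_demo_tree(base):
    """Constructed sample: one safe link and three links that leave the tree."""
    root = os.path.join(base, "tree")
    os.makedirs(os.path.join(root, "sub"))
    open(os.path.join(root, "inside.txt"), "w").close()
    open(os.path.join(base, "outside.txt"), "w").close()
    os.symlink("../inside.txt", os.path.join(root, "sub", "safe"))
    os.symlink("../../outside.txt", os.path.join(root, "sub", "one_up"))
    os.symlink("../../../x", os.path.join(root, "sub", "two_up"))
    os.symlink("/nonexistent/abs", os.path.join(root, "abs"))
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        for rel, target in audit_tree(build_demo_tree(base)):
            print(f"{rel} -> {target}")
```

Run against the destination of a transfer made with --copy-unsafe-links, `audit_tree` should return an empty list; any entry it reports is a symlink that was not converted into a copy.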


