[Bug 13827] New: despite --copy-unsafe-links, rsync does not copy the referent of symlinks that point one level outside the copied tree
samba-bugs at samba.org
Sat Mar 9 12:12:40 UTC 2019
https://bugzilla.samba.org/show_bug.cgi?id=13827
Bug ID: 13827
Summary: despite --copy-unsafe-links, rsync does not copy the
referent of symlinks that point one level outside the
copied tree
Product: rsync
Version: 3.1.3
Hardware: All
OS: All
Status: NEW
Severity: major
Priority: P5
Component: core
Assignee: wayne at opencoder.net
Reporter: jan at bredereke-net.de
QA Contact: rsync-qa at samba.org
Created attachment 14913
--> https://bugzilla.samba.org/attachment.cgi?id=14913&action=edit
short shell script demonstrating the bug
Despite --copy-unsafe-links, rsync does not copy the referent of symlinks that
point one level outside the copied tree. The short shell script attached
demonstrates the problem. It also demonstrates two other cases where the checks
work as intended. The problem appears to be an off-by-one error in a check.
Accessing things outside the copied tree through a symlink is probably a
security problem. However, the restriction to only one directory level too far
makes it more difficult to exploit.
1)
Tested on Lubuntu 18.04.1 LTS
2)
rsync version 3.1.2, protocol version 31
(The most current version of rsync is 3.1.3. But its release notes do not
mention this bug as being fixed.)
The change & release notes of Lubuntu 18.04.1 do not mention rsync.
The bug tracker Ubuntu Launchpad does not mention this bug.
3)
I expected any symlink pointing outside the copied tree to be converted into a
copy, when I use --copy-unsafe-links.
4)
A symlink pointing just one level outside the copied tree is not converted.
This is always reproducible, see the demo script attached.
I submitted this bug to Ubuntu Launchpad first. But they told me to submit it
here. (Since I declared it a security-relevant bug, it became non-public by
default.)
https://bugs.launchpad.net/ubuntu/+source/rsync/+bug/1816586
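A defender-side check for the case this report describes, as an added example that is not part of the original report or of rsync's code: it lists the symlinks in a source tree whose target text climbs above the tree root, including by exactly one level, so they can be compared with what arrived at the destination. The function names and the sample layout are assumptions, and the check is lexical (it does not resolve intermediate symlinked directories).

```python
import os

def escapes_tree(link_rel, target):
    """Lexical check: does the symlink text `target`, stored at `link_rel`
    (path relative to the tree root, '/'-separated), point outside the root?"""
    if os.path.isabs(target):
        return True
    # Depth of the directory that holds the link; the root itself is depth 0.
    depth = len([p for p in link_rel.split("/")[:-1] if p not in ("", ".")])
    for part in target.split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            depth -= 1
            if depth < 0:  # climbed above the root, even by a single level
                return True
        else:
            depth += 1
    return False

def audit(root):
    """Return the sorted relative paths of symlinks under `root` that escape it."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):  # does not follow links
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                if escapes_tree(rel, os.readlink(full)):
                    found.append(rel)
    return sorted(found)

# Constructed sample (link path relative to the root -> link text), not taken
# from the attachment to this bug.
SAMPLE = {
    "sub/inside": "../file.txt",         # stays inside the tree
    "sub/one_up": "../../secret.txt",    # exactly one level above the root
    "sub/two_up": "../../../secret.txt", # two levels above the root
    "sub/abs": "/etc/hostname",          # absolute target
}

if __name__ == "__main__":
    for link, text in SAMPLE.items():
        print(f"{link} -> {text}: {'UNSAFE' if escapes_tree(link, text) else 'safe'}")
```

Running `audit()` on the source directory before a transfer gives the set of links that `--copy-unsafe-links` is expected to turn into copies; any of them still present as a symlink at the destination is worth investigating.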