[Bug 15122] Potential vulnerability: rsync creates files outside the target directory
samba-bugs at samba.org
Tue Aug 30 23:43:55 UTC 2022
https://bugzilla.samba.org/show_bug.cgi?id=15122
--- Comment #3 from Aditya Basu <azb254 at psu.edu> ---
Apologies for the late response.
It is definitely a bad idea to mix multi-case systems. However, note that even
copying between case-honoring systems can have similar consequences; for example,
case-insensitive (icase) ZFS considers K (the Unicode Kelvin sign) and k (the
letter) to be equivalent while icase ext4 does not.
I agree with your analysis of the ordering. However, IMHO traversing symlinks at
the target is not a wise choice. An *immediate* fix to this particular issue
would be to prevent rsync from traversing symlinks at the target. However, a
more *complete* fix should involve detecting collisions and stopping the copy.
We're currently exploring different types of defenses for collisions. If you're
interested, I will be happy to keep you in the loop.
Finally, does it make sense to get a CVE number assigned?
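The comment above proposes detecting name collisions and stopping the copy before anything is written, and notes that the set of colliding names depends on which case-folding table the target filesystem uses (the Kelvin sign being one example). The following is an added illustration of that idea, written for this page; it is not rsync code and not code from the bug reporter. It assumes a '/'-separated relative file list and uses Python's str.casefold as one folding rule and an ASCII-only fold as a stand-in for a table that does not know the Kelvin sign; neither is claimed to match any particular filesystem's table.

```python
"""Pre-transfer collision check for case-insensitive targets.

Added example for bug 15122; not part of rsync. The folding rules below
are assumptions used for illustration: real targets (icase ZFS, ext4
casefold, NTFS, HFS+) each apply their own table, so the rule is a
parameter rather than something hard-coded.
"""
from collections import defaultdict
from typing import Callable, Dict, Iterable, List

# U+212A KELVIN SIGN. Unicode case folding maps it to U+006B 'k', so a
# target using full Unicode folding sees "Kelvin" and "kelvin" as one name.
KELVIN_SIGN = "\u212a"

Fold = Callable[[str], str]


def ascii_only_fold(name: str) -> str:
    """Illustrative folding rule that lowercases ASCII letters only.

    Stands in for a target whose table does not fold non-ASCII letters;
    under it the Kelvin sign and 'k' stay distinct.
    """
    return "".join(c.lower() if c.isascii() else c for c in name)


def fold_path(path: str, fold: Fold = str.casefold) -> str:
    """Fold every component of a '/'-separated relative path.

    Folding per component keeps the directory structure intact; only the
    spelling of each name is normalised.
    """
    return "/".join(fold(part) for part in path.split("/"))


def find_collisions(paths: Iterable[str], fold: Fold = str.casefold) -> Dict[str, List[str]]:
    """Group paths by their folded form; return only groups of size > 1.

    Each returned group is a set of distinct source names that would land
    on the same target name under the given folding rule.
    """
    groups: Dict[str, List[str]] = defaultdict(list)
    for path in paths:
        groups[fold_path(path, fold)].append(path)
    return {key: names for key, names in groups.items() if len(names) > 1}


class CollisionError(Exception):
    """Raised when the file list cannot be transferred without overwrites."""


def check_file_list(paths: Iterable[str], fold: Fold = str.casefold) -> int:
    """Abort before any file is written if two sources map to one target.

    Returns the number of files cleared for transfer.
    """
    paths = list(paths)
    collisions = find_collisions(paths, fold)
    if collisions:
        detail = "; ".join(f"{key!r} <- {names}" for key, names in sorted(collisions.items()))
        raise CollisionError(f"refusing to copy: colliding names on target: {detail}")
    return len(paths)


# Constructed sample file list (not from the bug report): three pairs that
# differ only in case, one of them via the Kelvin sign.
SAMPLE = [
    "Makefile",
    "src/main.c",
    "src/Main.c",
    "docs/README",
    "docs/readme",
    "units/" + KELVIN_SIGN + "elvin.txt",
    "units/kelvin.txt",
]

if __name__ == "__main__":
    for label, rule in (("full casefold", str.casefold), ("ascii-only", ascii_only_fold)):
        print(f"== {label} ==")
        for key, names in sorted(find_collisions(SAMPLE, rule).items()):
            print(f"  {key!r}: {names}")
    try:
        check_file_list(SAMPLE)
    except CollisionError as err:
        print(err)
```

The point of making the folding rule a parameter is the one the comment raises: a checker that only knows about ASCII case will clear the Kelvin-sign pair as safe, while a target doing full Unicode folding will still overwrite one file with the other. A real implementation would need the target's actual rule (or a conservative superset of known rules) to be sound.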