[Bug 15122] Potential vulnerability: rsync creates files outside the target directory

samba-bugs at samba.org samba-bugs at samba.org
Tue Aug 30 23:43:55 UTC 2022


--- Comment #3 from Aditya Basu <azb254 at psu.edu> ---
Apologies for the late response.

It is definitely a bad idea to mix multi-case systems. However, note that even
copying between case-honoring systems can have similar consequences, for ex.
case-insensitive (icase) ZFS considers K (unicode kelvin sign) and k (alphabet)
to be equivalent while icase ext4 does not.

I agree with you analysis of the ordering. However, IMHO traversing symlinks at
the target is not a wise choice. An *immediate* fix to this particular issue
would be to prevent rsync for traversing symlinks at the target. However, a
more *complete* fix should involve detecting collisions and stopping the copy.

We're currently exploring different types of defenses for collisions. If you're
interested, I will be happy to keep you in the loop.

Finally, does it make sense to get a CVE number assigned?

You are receiving this mail because:
You are the QA Contact for the bug.

More information about the rsync mailing list