Patch: disable path sanitization for modules rooted at "/"

Thor Simon Thor.Simon at
Wed Sep 7 13:05:37 UTC 2022

When running in daemon mode with a module rooted at "/", it is not possible to "escape" the module.

Not by prefixing a link target with "../../../../../../..".
Not by prefixing a link target with "/" nor "////".

So it seems to me that path sanitization is not useful in this case.  And it breaks stuff.  In particular, I have a file distribution system where large numbers of authenticated users can use rsync in daemon mode as a forced SSH command, authenticating as themselves, and path sanitization damages links like "../../../../../../../etc/localtime" in user directories - which may be dubious in purpose, but which are harmless.  And I am not the arbiter of my users' data in this sense.  Turning on symlink munging of course damages these data even more - I would prefer to not have it damaged at all.

Trivial fix attached.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: clientserver.diff
Type: application/octet-stream
Size: 687 bytes
Desc: clientserver.diff
URL: <>
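
The message's argument, worked through as an added example (not part of the original message, not the attached patch, and not rsync's code). `sanitize` is a simplified model of the rewriting that the rsyncd.conf manual describes for daemon modules without a usable chroot (drop leading slashes, drop ".." elements that would climb out of the module); the module roots and link directories are constructed.

```python
import posixpath

def resolve(link_dir, target):
    """Lexically resolve a symlink target stored in directory link_dir.
    normpath clamps '..' at '/', as the kernel does at the filesystem root."""
    dest = posixpath.normpath(posixpath.join(link_dir, target))
    return "/" + dest.lstrip("/")          # fold a POSIX leading '//' to '/'

def escapes(module_root, link_dir, target):
    """True if the target resolves to a path outside module_root."""
    root = posixpath.normpath(module_root)
    dest = resolve(link_dir, target)
    return not (root == "/" or dest == root or dest.startswith(root + "/"))

def sanitize(target, depth):
    """Simplified model of daemon symlink sanitization (an assumption, not
    rsync's implementation). depth = directories between the module root
    and the directory holding the link."""
    kept = []
    for part in target.split("/"):
        if part in ("", "."):
            continue                       # also discards leading slashes
        if part != "..":
            kept.append(part)
        elif kept and kept[-1] != "..":
            kept.pop()                     # '..' after a name cancels that name
        elif depth > 0:
            kept.append("..")              # still inside the module
            depth -= 1
        # else: '..' that would climb above the module root is dropped
    return "/".join(kept) or "."

if __name__ == "__main__":
    # Constructed sample targets; the first is the one quoted in the message.
    targets = ["../../../../../../../etc/localtime", "/etc/localtime",
               "////etc/localtime"]
    # Same user directory, once under a narrow module and once under "/".
    for root, link_dir in [("/srv/mod", "/srv/mod/home/u"), ("/", "/home/u")]:
        for t in targets:
            s = sanitize(t, depth=2)
            print(f"root={root!r} target={t!r} escapes={escapes(root, link_dir, t)} "
                  f"sanitized={s!r} "
                  f"same_dest={resolve(link_dir, t) == resolve(link_dir, s)}")
```

For the module rooted at "/", `escapes` is false for every target, while the sanitized text still differs from what the user stored, and for the absolute targets it points somewhere else entirely.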