From 0690802fc65ec25f1632963071d72cbf12faee53 Mon Sep 17 00:00:00 2001
From: Sven Schwedas <sven.schwedas@tao.at>
Date: Wed, 29 Oct 2014 13:32:20 +0100
Subject: [PATCH] Sanitize mv arguments:
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
1. Fixes crashes on file names containing `, $ or "
2. Also prevents shell execution of ``, $() … in file names, which can be
used to gain remote shell access as lsyncd's (target) user.
---
default-rsyncssh.lua | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/default-rsyncssh.lua b/default-rsyncssh.lua
index 90732f6..b775942 100644
--- a/default-rsyncssh.lua
+++ b/default-rsyncssh.lua
@@ -74,6 +74,9 @@ rsyncssh.action = function( inlet )
-- makes move local on target host
-- if the move fails, it deletes the source
if event.etype == 'Move' then
+ local path1 = event.path:gsub ('"', '\\"'):gsub ('`', '\\`'):gsub ('%$','\\%$')
+ local path2 = event2.path:gsub ('"', '\\"'):gsub ('`', '\\`'):gsub ('%$','\\%$')
+
log('Normal', 'Moving ',event.path,' -> ',event2.path)
spawn(
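Review bot: The escaping chain for `path1` and `path2` leaves the backslash itself unescaped, so a file name with a backslash directly before a quote, backtick or dollar sign can still cancel the escape inside the double-quoted argument that the remote shell parses. Escape the backslash first by putting `gsub('\\', '\\\\')` ahead of the other three substitutions. The replacement `'\\%$'` is also fragile: Lua 5.1 accepts `%` followed by a non-digit in a replacement string, but Lua 5.2 and later raise "invalid use of '%' in replacement string", so write it as `'\\$'`. Because the same chain is written out twice, a small local helper would keep both paths in step, with a comment noting that the result is re-parsed by a shell on the target host. `rsyncssh.action` starts and ends outside this hunk, so other commands it builds could not be checked here.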
@@ -82,10 +85,10 @@ rsyncssh.action = function( inlet )
config.ssh._computed,
config.host,
'mv',
- '\"' .. config.targetdir .. event.path .. '\"',
- '\"' .. config.targetdir .. event2.path .. '\"',
+ '\"' .. config.targetdir .. path1 .. '\"',
+ '\"' .. config.targetdir .. path2 .. '\"',
'||', 'rm', '-rf',
- '\"' .. config.targetdir .. event.path .. '\"')
+ '\"' .. config.targetdir .. path1 .. '\"')
return
end
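Review bot: `config.targetdir` is still concatenated unescaped inside the same double quotes as `path1` and `path2`, so a target directory containing a double quote, backtick, dollar sign or backslash would be interpreted by the remote shell in all three arguments. It comes from configuration rather than from file events, so the exposure is lower, but escaping the joined string (`config.targetdir .. event.path`) once would cover both parts. The `|| rm -rf` fallback reuses the same string, so any gap in the escaping also applies to a recursive delete on the target. A one-line comment above the `spawn` call, such as `-- ssh hands these arguments to a shell on the target, hence the explicit quoting`, would explain the quoting. The `'\"'` literals could then be written as plain `'"'`.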
--
2.1.0