From 0690802fc65ec25f1632963071d72cbf12faee53 Mon Sep 17 00:00:00 2001
From: Sven Schwedas <sven.schwedas@tao.at>
Date: Wed, 29 Oct 2014 13:32:20 +0100
Subject: [PATCH] Sanitize mv arguments:
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

1. Fixes crashes on file names containing `, $ or "
2. Also prevents shell execution of ``, $() … in file names, which can be
   used to gain remote shell access as lsyncd's (target) user.
---
 default-rsyncssh.lua | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/default-rsyncssh.lua b/default-rsyncssh.lua
index 90732f6..b775942 100644
--- a/default-rsyncssh.lua
+++ b/default-rsyncssh.lua
@@ -74,6 +74,9 @@ rsyncssh.action = function( inlet )
 	-- makes move local on target host
 	-- if the move fails, it deletes the source
 	if event.etype == 'Move' then
+		local path1 = event.path:gsub ('"', '\\"'):gsub ('`', '\\`'):gsub ('%$','\\%$')
+		local path2 = event2.path:gsub ('"', '\\"'):gsub ('`', '\\`'):gsub ('%$','\\%$')
+
 		log('Normal', 'Moving ',event.path,' -> ',event2.path)
 
 		spawn(
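Review bot: The escaping added for `path1` and `path2` leaves the backslash itself unescaped. A file name in which a backslash precedes `"`, a backtick or `$` therefore ends up with an escaped backslash followed by a still-active metacharacter when the remote shell parses the double-quoted `mv` / `rm -rf` arguments built in the next hunk. Escaping all four characters in one pass avoids the ordering problem: ``local path1 = event.path:gsub('[\\"`$]', '\\%0')``, and the same for `event2.path`. The replacement `'\\%$'` is also fragile, because Lua 5.2 and later reject `%` followed by anything other than a digit or `%` in a gsub replacement string, so a name containing `$` would raise an error there instead of being escaped. The enclosing `rsyncssh.action` function starts and ends outside this hunk.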
@@ -82,10 +85,10 @@ rsyncssh.action = function( inlet )
 			config.ssh._computed,
 			config.host,
 			'mv',
-			'\"' .. config.targetdir .. event.path .. '\"',
-			'\"' .. config.targetdir .. event2.path .. '\"',
+			'\"' .. config.targetdir .. path1 .. '\"',
+			'\"' .. config.targetdir .. path2 .. '\"',
 			'||', 'rm', '-rf',
-			'\"' .. config.targetdir .. event.path .. '\"')
+			'\"' .. config.targetdir .. path1 .. '\"')
 		return
 	end
 
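Review bot: `config.targetdir` is still concatenated unescaped inside the same double quotes on the three rewritten argument lines, so a target directory containing `"`, a backtick, `$` or a backslash breaks the remote command just as the file names did. It is operator-set configuration rather than a watched file name, so the exposure is presumably lower. Escaping the concatenated string covers both parts: compute `config.targetdir .. event.path` and `config.targetdir .. event2.path` first, run the escaping on those, and wrap the results in `'"'`. A short comment above the `spawn` call stating that ssh hands these arguments to the remote shell as one command line would explain why the quoting is needed; the `spawn(` call itself opens outside this hunk.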
-- 
2.1.0