Author: psz Date: Thu Oct 20 10:06:26 2011 GMT Module: packages Tag: HEAD ---- Log message: - [PATCH] Handle the rsync v3 -e option for protocol information (from Debian Bug#471803) - rel 3
---- Files affected: packages/rssh: rssh.spec (1.49 -> 1.50) , rssh-rsync-protocol.patch (NONE -> 1.1) (NEW) ---- Diffs: ================================================================ Index: packages/rssh/rssh.spec diff -u packages/rssh/rssh.spec:1.49 packages/rssh/rssh.spec:1.50 --- packages/rssh/rssh.spec:1.49 Tue Oct 26 00:06:05 2010 +++ packages/rssh/rssh.spec Thu Oct 20 12:06:20 2011 @@ -3,13 +3,14 @@ Summary(pl.UTF-8): Okrojona powłoka dająca dostęp tylko do scp i/lub sftp Name: rssh Version: 2.3.3 -Release: 2 +Release: 3 License: BSD-like Group: Applications/Shells Source0: http://dl.sourceforge.net/rssh/%{name}-%{version}.tar.gz # Source0-md5: b0c147602fcc95737ed50573b92fc468 Patch0: %{name}-userbuild.patch Patch1: %{name}-mkchroot.patch +Patch2: %{name}-rsync-protocol.patch URL: http://www.pizzashack.org/rssh/ BuildRequires: autoconf BuildRequires: automake @@ -34,6 +35,7 @@ %setup -q %patch0 -p1 %patch1 +%patch2 -p1 %build %{__aclocal} @@ -112,6 +114,10 @@ All persons listed below can be reached at <cvs_login>@pld-linux.org $Log$ +Revision 1.50 2011/10/20 10:06:20 psz +- [PATCH] Handle the rsync v3 -e option for protocol information (from Debian Bug#471803) +- rel 3 + Revision 1.49 2010/10/25 22:06:05 psz - rel 2 ================================================================ Index: packages/rssh/rssh-rsync-protocol.patch diff -u /dev/null packages/rssh/rssh-rsync-protocol.patch:1.1 --- /dev/null Thu Oct 20 12:06:26 2011 +++ packages/rssh/rssh-rsync-protocol.patch Thu Oct 20 12:06:20 2011 
@@ -0,0 +1,78 @@
+From: Russ Allbery <[email protected]>
+Subject: [PATCH] Handle the rsync v3 -e option for protocol information
+
+As of rsync 3, rsync reused the -e option to pass protocol information
+from the client to the server. We therefore cannot reject all -e
+options to rsync, only ones not sent with --server or containing
+something other than protocol information as an argument.
+
+Based on work by Robert Hardy.
+
+Debian Bug#471803
+
+Signed-off-by: Russ Allbery <[email protected]>
+
+---
+ util.c | 32 ++++++++++++++++++++++++++++++--
+ 1 files changed, 30 insertions(+), 2 deletions(-)
+
+diff --git a/util.c b/util.c
+index e576755..50a63e2 100644
+--- a/util.c
++++ b/util.c
+@@ -56,6 +56,7 @@
+ #ifdef HAVE_LIBGEN_H
+ #include <libgen.h>
+ #endif /* HAVE_LIBGEN_H */
++#include <regex.h>
+
+ /* LOCAL INCLUDES */
+ #include "pathnames.h"
+@@ -187,6 +188,33 @@ bool check_command( char *cl, ShellOptions_t *opts, char *cmd, int cmdflag )
+ }
+
+ /*
++ * check_rsync_e() - take the command line passed to rssh and look for a -e
++ * option. If one is found, make sure --server is provided
++ * and the option contains only the protocol information.
++ * Returns 1 if the command line is safe; 0 otherwise.
++ */
++static int check_rsync_e( char *cl )
++{
++ int status;
++ regex_t re;
++
++ /*
++ * This is more complicated than it looks because we don't want to
++ * trigger on the e in --server, but we do want to catch the common
++ * case of -ltpre.iL (which contains -e.).
++ */
++ static const char pattern[] = "[ \t\v\f]-([^-][^ ]*)?e[^.0-9]";
++
++ if ( strstr(cl, "--server") == NULL ) return 0;
++ if ( regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0 ){
++ return 0;
++ }
++ status = regexec(&re, cl, 0, NULL, 0);
++ regfree(&re);
++ return (status == 0) ? 0 : 1;
++}
++
++/*
+ * check_command_line() - take the command line passed to rssh, and verify
+ * that the specified command is one the user is
+ * allowed to run. Return the path of the command
+@@ -230,9 +258,9 @@ char *check_command_line( char *cl, ShellOptions_t *opts )
+
+ if ( check_command(cl, opts, PATH_RSYNC, RSSH_ALLOW_RSYNC) ){
+ /* filter -e option */
+- if ( opt_exist(cl, 'e') ){
++ if ( opt_exist(cl, 'e') && !check_rsync_e(cl) ){
+ fprintf(stderr, "\ninsecure -e option not allowed.");
+- log_msg("insecure -e option in rdist command line!");
++ log_msg("insecure -e option in rsync command line!");
+ return NULL;
+ }
+
+--
+tg: (05d6ee0..) fixes/rsync-protocol (depends on: upstream)
================================================================ ---- CVS-web: http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/packages/rssh/rssh.spec?r1=1.49&r2=1.50&f=u _______________________________________________ pld-cvs-commit mailing list [email protected] http://lists.pld-linux.org/mailman/listinfo/pld-cvs-commit
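Review bot: In check_rsync_e() the pattern's tail `e[^.0-9]` looks only at the single character after the `e`, so any `-e` value that merely starts with `.` or a digit is accepted, and a `-e` that ends the command line is not matched at all, although the function comment promises that the option "contains only the protocol information". A stricter check would validate the whole token after `e`, up to the next whitespace, against the form rsync actually sends and reject everything else; the exact grammar is not on this page and should be confirmed against rsync. The gate `strstr(cl, "--server")` is also satisfied when that text appears inside another argument such as a path, so it is worth matching it as a whitespace-delimited word. In the check_command_line() hunk only the short option is tested, via `opt_exist(cl, 'e')`; the rest of that function lies outside the hunk, so whether the long spelling `--rsh` is refused there should be confirmed.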
