Hi Wayne,

Thank you for your detailed answer and links.

Gratefully,
Mark Esler

On Wed, Aug 17, 2022 at 6:52 PM Wayne Davison <wa...@opencoder.net> wrote:
>
> On Wed, Aug 17, 2022 at 9:30 AM Mark Esler wrote:
>>
>> I am curious if CVE-2022-29154 affects rsync 3.2.3 or rrsync 3.2.3 and
>> earlier.
>
>
> The security page covers this: it's all versions prior to 3.2.5.
>
>> if old_style_args is set to true then the add_implied_include function
>> promptly returns.
>
>
> The NEWS discusses this under PACKAGING: the new verification feature
> requires the quoted args feature from 3.2.4. Without that change, rsync can't
> reliably determine what the remote arguments actually are (many people add
> quotes to old-style args, expect splitting on spaces, variables can be
> expanded, etc). Asking to use unprotected remote args therefore implies
> trusting the sender. There is some discussion about this in the manpage.
>
> One alternative would be to force --protect-args on by default (there is a
> configure --with-protected-args option for that) and then base the security
> bypass on protect_args being 0 instead of old_style_args being non-0.
>
> ..wayne..

-- 
Please use reply-all for most replies to avoid omitting the mailing list.
To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync
Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html
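The point Wayne makes above (that with old-style args rsync cannot know what arguments the remote side actually received, because they pass through the remote shell) can be shown with a small stand-alone simulation. The script below is an added illustration, not rsync code and not part of this thread: the "remote shell" is just `sh -c` re-parsing a joined command string, which is what ssh does with the command line it is handed. The function names `old_style_args`, `protected_args` and `args_preserved` and the sample arguments are constructed for the demo.

```shell
#!/bin/sh
# Added illustration (not rsync code): why a receiver cannot verify
# arguments that travelled through the remote shell unprotected.
# The "remote shell" here is plain `sh -c` re-parsing a command string,
# which is what happens to an rsync command line sent over ssh with
# old-style args. Sample arguments used with it are constructed.

# old_style_args: join the arguments into one command string and let the
# remote shell re-parse it. Quotes are removed, unquoted spaces split
# words, and $VAR / $(cmd) are expanded on the remote side, so what the
# remote program receives in argv is not what the client passed.
old_style_args() {
    cmd="printf '%s\n'"
    for a in "$@"; do
        cmd="$cmd $a"
    done
    sh -c "$cmd"
}

# protected_args: each argument reaches the remote side as its own argv
# entry with no re-parsing (rsync's -s/--protect-args carries them inside
# the protocol instead of on the remote command line). The remote side
# sees exactly the client's arguments and can reason about them.
protected_args() {
    printf '%s\n' "$@"
}

# args_preserved MODE ARGS...: prints 1 if the remote view of ARGS equals
# the client's view, 0 otherwise. Only the protected path is stable
# enough for a receiver-side verification step to rely on.
args_preserved() {
    mode=$1; shift
    remote=$("$mode" "$@")
    client_view=$(printf '%s\n' "$@")
    [ "$remote" = "$client_view" ] && echo 1 || echo 0
}

if [ "${1:-}" = demo ]; then
    echo "--- old-style: remote shell re-parses the command line ---"
    old_style_args "--include=a b" "'quoted arg'" '$(echo expanded)'
    echo "--- protected: argv passed through unchanged ---"
    protected_args "--include=a b" "'quoted arg'" '$(echo expanded)'
fi
```

Run it with `sh script.sh demo` to see the old-style path turn one `--include=a b` argument into two words, strip the quotes from `'quoted arg'`, and execute the `$(echo expanded)` substitution on the "remote" side, while the protected path reproduces the three arguments verbatim. The real-world counterpart is invoking rsync with `-s` (`--protect-args`) or setting `RSYNC_PROTECT_ARGS=1`, which the rsync manpage describes as sending filenames and most options to the remote rsync without letting the remote shell interpret them.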