Bug#862899: rsync: insufficient escaping/quoting of arguments
Control: severity -1 normal

On Thu, 18 May 2017 13:16:23 +0200 Thorsten Glaser wrote:
> Package: rsync
> Version: 3.1.2-2
> Severity: serious
> Tags: security upstream
> Justification: security-relevant

Since there wasn’t any activity on this bug, and there’s no sign of this being fixed any time soon, and rsync provides ways to work around this, I don’t think having this bug marked as serious is justified.

If you disagree, please comment/update.

--
Cheers,
Andrew
Bug#862899: rsync: insufficient escaping/quoting of arguments
Hi,

Any updates?

--
Olaf
Bug#862899: rsync: insufficient escaping/quoting of arguments
On Mon, 22 May 2017, Scott Leggett wrote:

> I think you just need to prefix your wildcard. This works for me:
>
> $ rsync -zavP --numeric-ids --stats $remote:./*4 .

It does work. Almost any insufficient quoting can be worked around by the user applying extra quoting to the command line; this is not a reason to not classify this as a bug with the capability to destroy user data, though.

The fix is *probably* easy enough: separate the arguments from the options by “--” on the command line that is passed to the remote side (then apply extra escaping for ssh, of course).

bye,
//mirabilos
--
«MyISAM tables -will- get corrupted eventually. This is a fact of life.»
“mysql is about as much database as ms access” – “MSSQL at least descends from a database” “it's a rebranded SyBase” “MySQL however was born from a flatfile and went downhill from there” – “at least jetDB doesn’t claim to be a database”
‣‣‣ Please, http://deb.li/mysql and MariaDB, finally die!
Bug#862899: rsync: insufficient escaping/quoting of arguments
On Thu, 18 May 2017 13:16:23 +0200 Thorsten Glaser wrote:
> Package: rsync
> Version: 3.1.2-2
> Severity: serious
> Tags: security upstream
> Justification: security-relevant
>
> Assume my home directory on 'remote' has no files matching '*4'.
>
> Now run this:
>
> remote$ touch ./-zT.mp4
> local$ mkdir test
> local$ cd test
> local$ rsync -zavPH --numeric-ids -S --stats '--rsh=ssh -T' $remote:\*4 .

I think you just need to prefix your wildcard. This works for me:

$ rsync -zavP --numeric-ids --stats $remote:./*4 .
receiving incremental file list
-zT.mp4
              0 100%    0.00kB/s    0:00:00 (xfr#1, to-chk=0/1)

Number of files: 1 (reg: 1)
Number of created files: 1 (reg: 1)
Number of deleted files: 0
Number of regular files transferred: 1
Total file size: 0 bytes
Total transferred file size: 0 bytes
Literal data: 0 bytes
Matched data: 0 bytes
File list size: 37
File list generation time: 0.001 seconds
File list transfer time: 0.000 seconds
Total bytes sent: 43
Total bytes received: 88

sent 43 bytes  received 88 bytes  262.00 bytes/sec
total size is 0  speedup is 0.00

--
Regards,
Scott.
Bug#862899: rsync: insufficient escaping/quoting of arguments
Paul Slootman dixit:

> Please try again with the --protect-args option, which is meant for such
> situations.

Ah, new post-2.x… *tries*

No change, this still transfers the entire home directory. I think it’s meant for something else (I usually do quote whitespace and so on for remote if necessary).

> BTW, why specify '--rsh=ssh -T', what's wrong with the default?

The default can be anything, including rsh. By specifying this always, I know that ⓐ ssh is called, ⓑ -T is passed, which makes ssh change its QoS from interactive to bulk, and ⓒ I can add -4 or -6 to force the IP protocol version (I recently learnt that Debian has a local patch to pass -4/-6 from rsync to ssh, but Debian’s isn’t the only package I use). I always use a wrapper around rsync calling it like this (incidentally called rcp…).

bye,
//mirabilos
--
> Wish I had pine to hand :-( I'll give lynx a try, thanks.
Michael Schmitz on nntp://news.gmane.org/gmane.linux.debian.ports.68k
a.k.a. {news.gmane.org/nntp}#news.gmane.linux.debian.ports.68k in pine
Bug#862899: rsync: insufficient escaping/quoting of arguments
On Thu 18 May 2017, Thorsten Glaser wrote:

> Now run this:
>
> remote$ touch ./-zT.mp4
> local$ mkdir test
> local$ cd test
> local$ rsync -zavPH --numeric-ids -S --stats '--rsh=ssh -T' $remote:\*4 .
>
> Expected: the “-zT.mp4” file is transferred.
>
> Actual: the whole home directory of $remote, including subdirectories
> and everything, is transferred.

Please try again with the --protect-args option, which is meant for such situations.

BTW, why specify '--rsh=ssh -T', what's wrong with the default?

Paul
Bug#862899: rsync: insufficient escaping/quoting of arguments
Package: rsync
Version: 3.1.2-2
Severity: serious
Tags: security upstream
Justification: security-relevant

Assume my home directory on 'remote' has no files matching '*4'.

Now run this:

remote$ touch ./-zT.mp4
local$ mkdir test
local$ cd test
local$ rsync -zavPH --numeric-ids -S --stats '--rsh=ssh -T' $remote:\*4 .

Expected: the “-zT.mp4” file is transferred.

Actual: the whole home directory of $remote, including subdirectories and everything, is transferred.

Now imagine I had not cd’d into a new subdirectory. I have overwritten all files in my own home directory that are present on remote’s before I managed to press ^C and lost my TODO file and some dotfiles.

Yes, files starting with a U+002D HYPHEN-MINUS are problematic. I’d still expect files that have passed muster on the local side to be properly escaped to the remote side. I think this is simply a case of a missing “--” argument before the pathnames on the constructed rsh command line. When I do…

$ rsync -zavPH --numeric-ids -S --stats '--rsh=logger --' localhost:\* .

… I get this in syslog:

localhost rsync --server --sender -vlHogDtprSze.iLsfxC --numeric-ids . *

Now if after --numeric-ids there was a -- I believe the problem would go away.

(I’m aware of rsync’s capability to apply remote globs, and this is not the problem here; in fact, the first command of mine above relies on that. This is strictly about the hyphen-minus, which is not uncommon in filenames created by youtube-dl.)

-- System Information:
Debian Release: 9.0
  APT prefers unreleased
  APT policy: (500, 'unreleased'), (500, 'buildd-unstable'), (500, 'unstable')
Architecture: x32 (x86_64)
Foreign Architectures: i386, amd64

Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/lksh
Init: sysvinit (via /sbin/init)

Versions of packages rsync depends on:
ii  base-files           9.9
ii  init-system-helpers  1.48
ii  libacl1              2.2.52-3+b1
ii  libattr1             1:2.4.47-2+b2
ii  libc6                2.24-10
ii  libpopt0             1.16-10+b2
ii  lsb-base             9.20161125

rsync recommends no packages.

Versions of packages rsync suggests:
ii  openssh-client  1:7.4p1-10
ii  openssh-server  1:7.4p1-10

-- no debconf information
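The mechanism behind the report, and the two remedies the thread discusses (the “--” separator proposed in the report, and the “./” prefix Scott Leggett suggests), can be reproduced without a remote host. The script below is an added example, not code from the bug report or from rsync. It takes the remote command line shown in the report's --rsh=logger output, lets a shell expand it inside a directory containing a file named -zT.mp4 (exactly what the remote login shell does when ssh hands it that string), and feeds the result to a deliberately simplified stand-in for the remote rsync --server option parser: every word starting with “-” is treated as an option until a literal “--” is seen. This is an assumption that mirrors getopt/popt conventions, not rsync's actual parser (which also handles bundled short options and option arguments), but it is enough to show why only “.” survives as a path operand in the unprotected case.

```shell
#!/bin/sh
# Added example (not from the bug report or from rsync): simulate the
# remote shell expanding rsync's constructed command line, then count how
# many path operands a getopt-style parser would leave for the server.
set -eu

# count_operands is a simplified stand-in for 'rsync --server' option
# parsing (assumption: getopt/popt-like rules). Every word starting with
# '-' is an option until a literal '--'; everything else, and everything
# after '--', is a path operand. Prints the number of path operands.
count_operands() {
    n=0
    while [ $# -gt 0 ]; do
        case $1 in
            --)  shift; n=$((n + $#)); break ;;   # end of options: rest are paths
            -?*) ;;                               # swallowed as an option
            *)   n=$((n + 1)) ;;                  # a path operand
        esac
        shift
    done
    echo "$n"
}

# simulate_remote does what the remote login shell does with the string
# ssh hands it: word splitting and pathname expansion inside $dir. The
# leading program name is dropped and the rest goes to the parser above.
simulate_remote() {
    dir=$1
    cmd=$2
    ( cd "$dir" && eval "set -- $cmd" && shift && count_operands "$@" )
}

# Server options copied from the --rsh=logger output in the report; the
# exact letters do not matter here, only that they all start with '-'.
SERVER_OPTS='--server --sender -vlHogDtprSze.iLsfxC --numeric-ids'

# Three variants of the command line passed to the remote side:
#   cmd_unprotected   : what the report's syslog line shows   ('. *')
#   cmd_with_dashdash : the fix proposed in the report        ('-- . *')
#   cmd_dot_slash     : the user-side workaround in the thread ('. ./*')
cmd_unprotected="rsync $SERVER_OPTS . *"
cmd_with_dashdash="rsync $SERVER_OPTS -- . *"
cmd_dot_slash="rsync $SERVER_OPTS . ./*"

demo() {
    d=$(mktemp -d)
    : > "$d/-zT.mp4"      # constructed: the only file matching '*4' on "remote"
    # Unprotected: '*' expands to '-zT.mp4', which is parsed as options,
    # leaving '.' (the whole home directory) as the only source path.
    printf 'unprotected  -> %s path operand(s)\n' "$(simulate_remote "$d" "$cmd_unprotected")"
    # With '--' before the paths, '-zT.mp4' is a path again.
    printf 'with --      -> %s path operand(s)\n' "$(simulate_remote "$d" "$cmd_with_dashdash")"
    # With './*' the expansion is './-zT.mp4', which no longer starts with '-'.
    printf './ prefix    -> %s path operand(s)\n' "$(simulate_remote "$d" "$cmd_dot_slash")"
    rm -rf "$d"
}

demo
```

Run it as `sh demo.sh`: the unprotected variant reports a single path operand (“.”), the other two report two. The same experiment with a directory that has no “-”-prefixed file gives two operands in all three cases, which is why the bug only surfaces for filenames like the youtube-dl output mentioned in the report.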