Bug#862899: rsync: insufficient escaping/quoting of arguments

2018-04-22 Thread Andrew Shadura
Control: severity -1 normal

On Thu, 18 May 2017 13:16:23 +0200 Thorsten Glaser  wrote:
> Package: rsync
> Version: 3.1.2-2
> Severity: serious
> Tags: security upstream
> Justification: security-relevant
Since there wasn’t any activity on this bug, and there’s no sign of it
being fixed any time soon, and rsync provides ways to work around this,
I don’t think having this bug marked as serious is justified.

If you disagree, please comment/update.

-- 
Cheers,
  Andrew



Bug#862899: rsync: insufficient escaping/quoting of arguments

2018-01-09 Thread Olaf van der Spek
Hi,

Any updates?

-- 
Olaf



Bug#862899: rsync: insufficient escaping/quoting of arguments

2017-09-25 Thread Thorsten Glaser
On Mon, 22 May 2017, Scott Leggett wrote:

> I think you just need to prefix your wildcard. This works for me:
>
> $ rsync -zavP --numeric-ids --stats $remote:./*4 .

It does work. Almost any insufficient quoting can be worked around
by the user applying extra quoting to the command line; this is not
a reason to not classify this as a bug with the capability to destroy
user data, though.

The fix is *probably* easy enough, separate the arguments from the
options by “--” on the command line that is passed to the remote side
(then apply extra escaping for ssh, of course).

bye,
//mirabilos
-- 
«MyISAM tables -will- get corrupted eventually. This is a fact of life. »
“mysql is about as much database as ms access” – “MSSQL at least descends
from a database” “it's a rebranded SyBase” “MySQL however was born from a
flatfile and went downhill from there” – “at least jetDB doesn’t claim to
be a database”  ‣‣‣ Please, http://deb.li/mysql and MariaDB, finally die!



Bug#862899: rsync: insufficient escaping/quoting of arguments

2017-05-22 Thread Scott Leggett
On Thu, 18 May 2017 13:16:23 +0200 Thorsten Glaser  wrote:
> Package: rsync
> Version: 3.1.2-2
> Severity: serious
> Tags: security upstream
> Justification: security-relevant
> 
> Assume my home directory on 'remote' has no files matching '*4'.
> 
> Now run this:
> 
> remote$ touch ./-zT.mp4
> local$ mkdir test
> local$ cd test
> local$ rsync -zavPH --numeric-ids -S --stats '--rsh=ssh -T' $remote:\*4 .

I think you just need to prefix your wildcard. This works for me:

$ rsync -zavP --numeric-ids --stats $remote:./*4 .
receiving incremental file list
-zT.mp4
              0 100%    0.00kB/s    0:00:00 (xfr#1, to-chk=0/1)

  Number of files: 1 (reg: 1)
  Number of created files: 1 (reg: 1)
  Number of deleted files: 0
  Number of regular files transferred: 1
  Total file size: 0 bytes
  Total transferred file size: 0 bytes
  Literal data: 0 bytes
  Matched data: 0 bytes
  File list size: 37
  File list generation time: 0.001 seconds
  File list transfer time: 0.000 seconds
  Total bytes sent: 43
  Total bytes received: 88

  sent 43 bytes  received 88 bytes  262.00 bytes/sec
  total size is 0  speedup is 0.00

-- 
Regards,
Scott.




Bug#862899: rsync: insufficient escaping/quoting of arguments

2017-05-18 Thread Thorsten Glaser
Paul Slootman dixit:

>Please try again with the --protect-args option, which is meant for such
>situations.

Ah, new post-2.x… *tries*

No change, this still transfers the entire home directory.
I think it’s meant for something else (I usually do quote
whitespace and so on for remote if necessary).

>BTW, why specify '--rsh=ssh -T', what's wrong with the default?

The default can be anything, including rsh. By specifying this
always, I know that ⓐ ssh is called, ⓑ -T is passed which makes
ssh change its QoS from interactive to bulk, and ⓒ can add -4
or -6 to force the IP protocol version (I recently learnt that
Debian has a local patch to pass -4/-6 from rsync to ssh, but
Debian’s isn’t the only package I use). I always use a wrapper
around rsync calling it like this (incidentally called rcp…).

bye,
//mirabilos
-- 
> Wish I had pine to hand :-( I'll give lynx a try, thanks.

Michael Schmitz on nntp://news.gmane.org/gmane.linux.debian.ports.68k
a.k.a. {news.gmane.org/nntp}#news.gmane.linux.debian.ports.68k in pine



Bug#862899: rsync: insufficient escaping/quoting of arguments

2017-05-18 Thread Paul Slootman
On Thu 18 May 2017, Thorsten Glaser wrote:

> Now run this:
> 
> remote$ touch ./-zT.mp4
> local$ mkdir test
> local$ cd test
> local$ rsync -zavPH --numeric-ids -S --stats '--rsh=ssh -T' $remote:\*4 .
> 
> Expected: the “-zT.mp4” file is transferred.
> 
> Actual:   the whole home directory of $remote, including subdirectories
>   and everything, is transferred.

Please try again with the --protect-args option, which is meant for such
situations.

BTW, why specify '--rsh=ssh -T', what's wrong with the default?


Paul



Bug#862899: rsync: insufficient escaping/quoting of arguments

2017-05-18 Thread Thorsten Glaser
Package: rsync
Version: 3.1.2-2
Severity: serious
Tags: security upstream
Justification: security-relevant

Assume my home directory on 'remote' has no files matching '*4'.

Now run this:

remote$ touch ./-zT.mp4
local$ mkdir test
local$ cd test
local$ rsync -zavPH --numeric-ids -S --stats '--rsh=ssh -T' $remote:\*4 .

Expected: the “-zT.mp4” file is transferred.

Actual: the whole home directory of $remote, including subdirectories
and everything, is transferred.

Now imagine I had not cd’d into a new subdirectory. I have overwritten
all files in my own home directory that are present on remote’s before
I managed to press ^C and lost my TODO file and some dotfiles.

Yes, files starting with a U+002D HYPHEN-MINUS are problematic. I’d
still expect files that have passed muster on the local side to be
properly escaped to the remote side.

I think this is simply a case of a missing “--” argument before the
pathnames on the constructed rsh command line. When I do…
$ rsync -zavPH --numeric-ids -S --stats '--rsh=logger --' localhost:\* .
… I get this in syslog:
localhost rsync --server --sender -vlHogDtprSze.iLsfxC --numeric-ids . *

Now if after --numeric-ids there was a -- I believe the problem would
go away. (I’m aware of rsync’s capability to apply remote globs, and
this is not the problem here; in fact, the first command of mine above
relies on that. This is strictly about the hyphen-minus, which is not
uncommon in filenames created by youtube-dl.)

-- System Information:
Debian Release: 9.0
  APT prefers unreleased
  APT policy: (500, 'unreleased'), (500, 'buildd-unstable'), (500, 'unstable')
Architecture: x32 (x86_64)
Foreign Architectures: i386, amd64

Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/lksh
Init: sysvinit (via /sbin/init)

Versions of packages rsync depends on:
ii  base-files           9.9
ii  init-system-helpers  1.48
ii  libacl1              2.2.52-3+b1
ii  libattr1             1:2.4.47-2+b2
ii  libc6                2.24-10
ii  libpopt0             1.16-10+b2
ii  lsb-base             9.20161125

rsync recommends no packages.

Versions of packages rsync suggests:
ii  openssh-client  1:7.4p1-10
ii  openssh-server  1:7.4p1-10

-- no debconf information
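The mechanism described in the report above, and the two remedies discussed in the thread (Scott Leggett's user-side `./*4` anchoring and Thorsten Glaser's proposed upstream `--` separator), illustrated with an added POSIX sh example that is not part of the bug thread and not rsync's own code. It emulates what the remote shell does with the glob rsync forwards, shows when the expanded name would be read as an option, and wraps the remote source spec so every expansion is anchored with `./`. The function names (`first_match`, `looks_like_option`, `safe_remote_src`, `make_sandbox`) and the sandbox file names are constructed for this demonstration; the `./` prefix is a caller-side mitigation only and does not change how rsync builds its remote command line.

```shell
#!/bin/sh
# Added example (not from the bug thread, not rsync code): shows why a remote
# glob that expands to a name beginning with '-' is dangerous, and wraps the
# remote source spec so the expansion is always "./name", never "-name".
set -eu

# Build a sandbox standing in for the remote home directory: one file whose
# name starts with a hyphen, plus an unrelated file. Names are constructed.
make_sandbox() {
    d=$(mktemp -d)
    : > "$d/-zT.mp4"
    : > "$d/notes.txt"
    printf '%s\n' "$d"
}

# Expand a glob inside a directory the way the remote shell expands the last
# word of "rsync --server --sender ... . <glob>", and print the first result.
first_match() {
    dir=$1; pat=$2
    ( cd "$dir" && set -- $pat && printf '%s\n' "$1" )
}

# 0 if a getopt-style parser would treat the word as an option cluster
# (a bare "-" is left alone, as it conventionally means stdin).
looks_like_option() {
    case $1 in
        -?*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Harden a remote source spec for the command line: relative paths and
# globs get a "./" prefix so every expanded name is "./-zT.mp4", which no
# option parser will mistake for "-zT.mp4".
safe_remote_src() {
    host=$1; path=$2
    case $path in
        /*)  printf '%s:%s\n' "$host" "$path" ;;    # absolute: already anchored
        ./*) printf '%s:%s\n' "$host" "$path" ;;    # caller already anchored it
        *)   printf '%s:./%s\n' "$host" "$path" ;;
    esac
}

demo() {
    sb=$(make_sandbox)
    raw=$(first_match "$sb" '*4')          # -zT.mp4
    anchored=$(first_match "$sb" './*4')   # ./-zT.mp4
    if looks_like_option "$raw"; then
        echo "unsafe: '$raw' would be parsed as options by the remote rsync"
    fi
    if ! looks_like_option "$anchored"; then
        echo "safe:   '$anchored' is an ordinary path argument"
    fi
    echo "spec:   $(safe_remote_src remote '*4')"
    rm -rf "$sb"
}

demo
```

The sandbox makes the failure mode concrete: `*4` alone expands to `-zT.mp4`, which an option parser consumes as `-z -T ...` and then falls back to transferring `.` (the whole home directory, as the report observed); `./*4` expands to `./-zT.mp4` and is only ever a path. Routing remote specs through `safe_remote_src` in a wrapper script gives that guarantee without depending on the upstream fix.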