From 660438b485bcabac732ff4c63ee94826d66cf046 Mon Sep 17 00:00:00 2001
From: Sven Schwedas
Date: Wed, 29 Oct 2014 13:32:20 +0100
Subject: [PATCH 1/2] Sanitize mv arguments:
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

1. Fixes crashes on file names containing `, $ or "
2. Also prevents shell execution of ``, $() … in file names, which can be used to gain remote shell access as lsyncd's (target) user.
---
 default-rsyncssh.lua | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/default-rsyncssh.lua b/default-rsyncssh.lua
index 90732f6..b775942 100644
--- a/default-rsyncssh.lua
+++ b/default-rsyncssh.lua
@@ -74,6 +74,9 @@ rsyncssh.action = function( inlet )
 -- makes move local on target host
 -- if the move fails, it deletes the source
 if event.etype == 'Move' then
+ local path1 = event.path:gsub ('"', '\\"'):gsub ('`', '\\`'):gsub ('%$','\\%$')
+ local path2 = event2.path:gsub ('"', '\\"'):gsub ('`', '\\`'):gsub ('%$','\\%$')
+
 log('Normal', 'Moving ',event.path,' -> ',event2.path)
 spawn(
@@ -82,10 +85,10 @@ rsyncssh.action = function( inlet )
 config.ssh._computed,
 config.host,
 'mv',
- '\"' .. config.targetdir .. event.path .. '\"',
- '\"' .. config.targetdir .. event2.path .. '\"',
+ '\"' .. config.targetdir .. path1 .. '\"',
+ '\"' .. config.targetdir .. path2 .. '\"',
 '||', 'rm', '-rf',
- '\"' .. config.targetdir .. event.path .. '\"')
+ '\"' .. config.targetdir .. path1 .. '\"')
 return
 end
--
2.2.2
From 396efd951ea3a20035cbf4ea52e1ff14ba018ef1 Mon Sep 17 00:00:00 2001
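Review bot: The three gsub calls added for `path1` and `path2` in the first hunk escape `"`, backtick and `$` but leave a backslash already present in the name untouched, so the escaping added for `"` can be undone inside the double quotes that the second hunk keeps around the path. The replacement string `'\\%$'` also puts `%` before a non-digit, which Lua 5.2 and later reject in a gsub replacement, so on those versions a name containing `$` would raise an error in the move branch instead of spawning ssh. Wrapping the whole path in single quotes and escaping only `'` avoids both problems and is the approach the second patch on this page takes. `rsyncssh.action` starts and ends outside the hunk.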
From: =?UTF-8?q?=C3=81ngel=20Gonz=C3=A1lez?=
Date: Tue, 25 Nov 2014 23:49:25 +0100
Subject: [PATCH 2/2] Properly sanitize mv parameters (CVE-2014-8990)

When using -rsyncssh option, some filenames could -in addition of not syncing correctly- crash the service and execute arbitrary commands under the credentials of the remote user. These issues have been assigned CVE-2014-8990
This commit fixes the incomplete and lua5.2-incompatible sanitization performed by 18f02ad0
Signed-off-by: Sven Schwedas
(cherry picked from commit e6016b3748370878778b8f0b568d5281cc248aa4)
Conflicts:
 default-rsyncssh.lua
---
 default-rsyncssh.lua | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/default-rsyncssh.lua b/default-rsyncssh.lua
index b775942..4361a6c 100644
--- a/default-rsyncssh.lua
+++ b/default-rsyncssh.lua
@@ -74,8 +74,10 @@ rsyncssh.action = function( inlet )
 -- makes move local on target host
 -- if the move fails, it deletes the source
 if event.etype == 'Move' then
- local path1 = event.path:gsub ('"', '\\"'):gsub ('`', '\\`'):gsub ('%$','\\%$')
- local path2 = event2.path:gsub ('"', '\\"'):gsub ('`', '\\`'):gsub ('%$','\\%$')
+ local path1 = config.targetdir .. event.path
+ local path2 = config.targetdir .. event2.path
+ path1 = "'" .. path1:gsub ('\'', '\'"\'"\'') .. "'"
+ path2 = "'" .. path2:gsub ('\'', '\'"\'"\'') .. "'"
 log('Normal', 'Moving ',event.path,' -> ',event2.path)
@@ -85,10 +87,12 @@ rsyncssh.action = function( inlet )
 config.ssh._computed,
 config.host,
 'mv',
- '\"' .. config.targetdir .. path1 .. '\"',
- '\"' .. config.targetdir .. path2 .. '\"',
+ path1,
+ path2,
 '||', 'rm', '-rf',
- '\"' .. config.targetdir .. path1 .. '\"')
+ path1
+ )
+
 return
 end
--
2.2.2
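Review bot: The single-quote wrapping of `path1` and `path2` in the first hunk is written out twice with a hard-to-read `'\'"\'"\''` replacement and no comment saying why it exists, which makes it easy to get wrong the next time a remote command is added. The reason belongs next to it: ssh joins its arguments into one string that the remote shell parses again, so this quoting is the only thing keeping a file name from being interpreted there. A small local helper defined above `rsyncssh.action`, shown below, keeps both call sites identical and makes the truncation of gsub's second return value explicit. Since the quoted path is `config.targetdir .. event.path` it is presumably absolute; if a relative targetdir is allowed, passing `--` before the paths to `mv` and `rm` would stop a leading `-` being read as an option. `rsyncssh.action` starts and ends outside the hunk, so other remote commands it builds are not visible here.

```lua
-- ssh joins its arguments into one string that the remote shell parses again,
-- so wrap the path in single quotes and close/reopen the quote around each '
local function shell_quote( s )
	return "'" .. ( s:gsub( "'", "'\"'\"'" ) ) .. "'"
end

	if event.etype == 'Move' then
		local path1 = shell_quote( config.targetdir .. event.path )
		local path2 = shell_quote( config.targetdir .. event2.path )
		-- … unchanged: log call and spawn of the remote mv …
```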