1 |
As of rsync 3, rsync reused the -e option to pass protocol information |
2 |
from the client to the server. We therefore cannot reject all -e |
3 |
options to rsync, only ones not sent with --server or containing |
4 |
something other than protocol information as an argument. |
5 |
|
6 |
Based on work by Robert Hardy. |
7 |
|
8 |
Debian Bug#471803 |
9 |
|
10 |
--- rssh.orig/util.c |
11 |
+++ rssh/util.c |
12 |
@@ -56,6 +56,7 @@ |
13 |
#ifdef HAVE_LIBGEN_H |
14 |
#include <libgen.h> |
15 |
#endif /* HAVE_LIBGEN_H */ |
16 |
+#include <regex.h> |
17 |
|
18 |
/* LOCAL INCLUDES */ |
19 |
#include "pathnames.h" |
20 |
@@ -183,6 +184,33 @@ |
21 |
} |
22 |
|
23 |
/* |
24 |
+ * check_rsync_e() - take the command line passed to rssh and look for a -e |
25 |
+ * option. If one is found, make sure --server is provided |
26 |
+ * and the option contains only the protocol information. |
27 |
+ * Returns 1 if the command line is safe; 0 otherwise. |
28 |
+ */ |
29 |
+static int check_rsync_e( char *cl ) |
30 |
+{ |
31 |
+ int status; |
32 |
+ regex_t re; |
33 |
+ |
34 |
+ /* |
35 |
+ * This is more complicated than it looks because we don't want to |
36 |
+ * trigger on the e in --server, but we do want to catch the common |
37 |
+ * case of -ltpre.iL (which contains -e.). |
38 |
+ */ |
39 |
+ static const char pattern[] = "[ \t\v\f]-([^-][^ ]*)?e[^.0-9]"; |
40 |
+ |
41 |
+ if ( strstr(cl, "--server") == NULL ) return 0; |
42 |
+ if ( regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0 ){ |
43 |
+ return 0; |
44 |
+ } |
45 |
+ status = regexec(&re, cl, 0, NULL, 0); |
46 |
+ regfree(&re); |
47 |
+ return (status == 0) ? 0 : 1; |
48 |
+} |
49 |
+ |
50 |
+/* |
51 |
* check_command_line() - take the command line passed to rssh, and verify |
52 |
* that the specified command is one the user is |
53 |
* allowed to run. Return the path of the command |
54 |
@@ -226,9 +254,9 @@ |
55 |
|
56 |
if ( check_command(cl, opts, PATH_RSYNC, RSSH_ALLOW_RSYNC) ){ |
57 |
/* filter -e option */ |
58 |
- if ( opt_exist(cl, 'e') ){ |
59 |
+ if ( opt_exist(cl, 'e') && !check_rsync_e(cl) ){ |
60 |
fprintf(stderr, "\ninsecure -e option not allowed."); |
61 |
- log_msg("insecure -e option in rdist command line!"); |
62 |
+ log_msg("insecure -e option in rsync command line!"); |
63 |
return NULL; |
64 |
} |
65 |
|