The Samba-Bugzilla – Attachment 14648 Details for
Bug 11879
escape rrsync restricted folder
[patch]
rrsync patch to avoid following symlinks out of the restricted dir
rrsync.patch (text/plain), 2.28 KB, created by
Nick Cleaton
on 2018-11-13 06:23:43 UTC
>diff --git a/support/rrsync b/support/rrsync >old mode 100644 >new mode 100755 >index 9195aa2..0d55474 >--- a/support/rrsync >+++ b/support/rrsync >@@ -8,11 +8,13 @@ use strict; > use Socket; > use Cwd 'abs_path'; > use File::Glob ':glob'; >+use Fcntl ':flock'; > > # You may configure these values to your liking. See also the section > # of options if you want to disable any options that rsync accepts. > use constant RSYNC => '/usr/bin/rsync'; > use constant LOGFILE => 'rrsync.log'; >+use constant LOCKFILE => '.rrsync.lock'; > > my $Usage = <<EOM; > Use 'command="$0 [-ro|-wo] SUBDIR"' >@@ -54,6 +56,12 @@ our $am_sender = $command =~ /^--server\s+--sender\s/; # Restrictive on purpose! > die "$0 sending to read-only server not allowed\n" if $only eq 'r' && !$am_sender; > die "$0 reading from write-only server not allowed\n" if $only eq 'w' && $am_sender; > >+# A lock file prevents an attacker from using one rrsync instance to make >+# filesystem changes underneath another running instance, tricking it into >+# leaving the restricted dir. >+open(LOCK_FH, '>>', LOCKFILE) or die "open lockfile: $!"; >+flock LOCK_FH, ($am_sender ? LOCK_SH : LOCK_EX) or die "lock lockfile: $!"; >+ > ### START of options data produced by the cull_options script. ### > > # These options are the only options that rsync might send to the server, >@@ -216,6 +224,11 @@ die "$0: invalid rsync-command syntax or options\n" if $in_options; > > @args = ( '.' ) if !@args; > >+for (@args) { >+ die "$0: do not use .. in any path!\n" if m{(^|/)\.\.(/|$)}; >+ die "$0: arg not under subdir\n" unless relpath_abs_is_under($_, $subdir); >+} >+ > if ($write_log) { > my ($mm,$hh) = (localtime)[1,2]; > my $host = $ENV{SSH_CONNECTION} || 'unknown'; 
>@@ -227,7 +240,20 @@ if ($write_log) { > } > > # Note: This assumes that the rsync protocol will not be maliciously hijacked. >-exec(RSYNC, @opts, @args) or die "exec(rsync @opts @args) failed: $? $!"; >+exit system(RSYNC, @opts, '--', @args); >+ >+sub relpath_abs_is_under { >+ my ($relpath, $under_abspath) = @_; >+ die "relpath must be a relative path" if $relpath =~ m{^/}; >+ for (;;) { >+ my $a = abs_path($relpath); >+ if (defined $a) { >+ return $a =~ m{^\Q$under_abspath\E(/|$)}; >+ } >+ die "abs_path failed on .: $!" if $relpath eq '.'; >+ $relpath =~ s{/[^/]*$}{} or $relpath = '.'; >+ } >+} > > sub check_arg > {
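Review bot: In the first hunk (@@ -8,11 +8,13), LOCKFILE is the relative path '.rrsync.lock', so the file the lock is taken on depends on the working directory at the time of the open. If that directory is the restricted subdir, the lock file sits inside the tree a write-enabled client is allowed to modify, and a client that removes or replaces it leaves later instances locking a different inode than the ones already running. Consider an absolute path outside the restricted dir, or at least document next to the constant where the file is expected to live and why that location is safe.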
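Review bot: In the second hunk (@@ -54,6 +56,12), the lock file is opened with '>>' for every instance, including senders that only take LOCK_SH, so a read-only (-ro) setup now needs write permission on the lock file's directory or it dies with "open lockfile". Consider opening an existing lock file read-only for the sender case and creating it only when needed. The flock call is also blocking, so one long-running writer holding LOCK_EX stalls every other session with no message; a comment noting that this is intended would help, and a lexical filehandle (open(my $lock_fh, ...)) is preferable to the bareword LOCK_FH.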
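Review bot: In the third hunk (@@ -216,6 +224,11), the call relpath_abs_is_under($_, $subdir) only works if $subdir is already the canonical absolute path with no trailing slash, because the helper matches it as a literal prefix of abs_path's output. Nothing in these lines establishes that, so a $subdir that contains a symlink or ends in "/" would cause every argument to be rejected with "arg not under subdir". Either canonicalise $subdir with abs_path before this loop or add a comment pointing to where that is done. It is also worth stating in the comment that this is a check made before rsync runs, and that the lock added above is what is relied on to keep the result valid for the duration of the transfer.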
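Review bot: In the last hunk (@@ -227,7 +240,20), `exit system(RSYNC, @opts, '--', @args);` passes the raw wait status to exit, and since the child's exit code is in the high byte, any ordinary rsync failure (for example code 23, status 5888) is truncated to exit status 0 and reported to the caller as success. Shift the status before exiting (`exit($? >> 8)` after checking for -1 and for death by signal), and keep a die with $! for the case where rsync cannot be started, which the old exec line reported and this one no longer does. A short comment that exec was replaced by system so the parent keeps holding the lock would explain the change. Minor: `my $a` in relpath_abs_is_under shadows the sort variable; a name such as $abs avoids that.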