The Samba-Bugzilla – Attachment 14662 Details for
Bug 11879
escape rrsync restricted folder
[patch]
rrsync patch again, third time's the charm
rsync3.patch (text/plain), 3.62 KB, created by
Nick Cleaton
on 2018-11-15 22:40:37 UTC
Description:
rrsync patch again, third time's the charm
Filename:
MIME Type:
Creator:
Nick Cleaton
Created:
2018-11-15 22:40:37 UTC
Size:
3.62 KB
patch
obsolete
>diff --git a/packaging/cull_options b/packaging/cull_options
>index 388d33f..56ceb9c 100755
>--- a/packaging/cull_options
>+++ b/packaging/cull_options
>@@ -77,6 +77,7 @@ foreach my $opt (sort keys %long_opt) {
> $val = 1 if $opt =~ /^(max-|min-)/;
> $val = 3 if $opt eq 'files-from';
> $val = '$ro ? -1 : ' . $val if $opt =~ /^remove-/;
>+ $val = '$wo ? -1 : ' . $val if $opt eq 'sender';
> print " '$opt' => $val,\n";
> }
>
>diff --git a/support/rrsync b/support/rrsync
>old mode 100644
>new mode 100755
>index 9195aa2..d30d002
>--- a/support/rrsync
>+++ b/support/rrsync
>@@ -8,11 +8,13 @@ use strict;
> use Socket;
> use Cwd 'abs_path';
> use File::Glob ':glob';
>+use Fcntl ':flock';
>
> # You may configure these values to your liking. See also the section
> # of options if you want to disable any options that rsync accepts.
> use constant RSYNC => '/usr/bin/rsync';
> use constant LOGFILE => 'rrsync.log';
>+use constant LOCKFILE => '.rrsync.lock';
>
> my $Usage = <<EOM;
> Use 'command="$0 [-ro|-wo] SUBDIR"'
>@@ -54,6 +56,12 @@ our $am_sender = $command =~ /^--server\s+--sender\s/; # Restrictive on purpose!
> die "$0 sending to read-only server not allowed\n" if $only eq 'r' && !$am_sender;
> die "$0 reading from write-only server not allowed\n" if $only eq 'w' && $am_sender;
>
>+# A lock file prevents an attacker from using one rrsync instance to make
>+# filesystem changes underneath another running instance, tricking it into
>+# leaving the restricted dir.
>+open(LOCK_FH, '>>', LOCKFILE) or die "open lockfile: $!";
>+flock LOCK_FH, ($am_sender ? LOCK_SH : LOCK_EX) or die "lock lockfile: $!";
>+
> ### START of options data produced by the cull_options script. ###
>
> # These options are the only options that rsync might send to the server,
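Review bot: The added `sender` line in packaging/cull_options emits `$wo ? -1 : 0`, but the table checked into support/rrsync by this same patch spells the entry `$only eq 'w' ? -1 : 0`, so the generator and the embedded options data disagree (the existing `$ro` line has the same mismatch with `$only eq 'r'`). rrsync runs under `use strict`, so unless a `$wo` is declared somewhere outside the visible hunks, pasting regenerated output would stop the script compiling. Emitting the expression rrsync actually uses, `$val = q{$only eq 'w' ? -1 : } . $val if $opt eq 'sender';`, keeps a regenerated table usable without hand edits. The `foreach` loop starts outside the hunk.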
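Review bot: `LOCKFILE` is the relative name `.rrsync.lock`, so the `open` added in the hunk at -54 creates it in whatever the working directory is at that point, which the hunk does not show. The exclusion only holds if every instance resolves the same file and the remote side cannot unlink or replace it; if the file ends up inside a restricted tree (for example when SUBDIR is the home directory or one of its parents), a later instance would lock a different inode and the protection described in the comment is lost. Consider an absolute path outside any restricted directory and state the requirement next to the constant, e.g. `# LOCKFILE must live outside every restricted dir and must not be writable through rrsync.` A lexical handle kept at file scope, `open(my $lock_fh, '>>', LOCKFILE)`, would also avoid the bareword `LOCK_FH`.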
>@@ -130,7 +138,7 @@ our %long_opt = (
> 'remove-sent-files' => $only eq 'r' ? -1 : 0,
> 'remove-source-files' => $only eq 'r' ? -1 : 0,
> 'safe-links' => 0,
>- 'sender' => 0,
>+ 'sender' => $only eq 'w' ? -1 : 0,
> 'server' => 0,
> 'size-only' => 0,
> 'skip-compress' => 1,
>@@ -147,6 +155,13 @@ our %long_opt = (
>
> ### END of options data produced by the cull_options script. ###
>
>+if ($subdir ne '/') {
>+ # Disable anything that might follow a symlink out of the restricted dir
>+ $short_disabled .= 'LKk';
>+ $long_opt{'copy-unsafe-links'} = -1;
>+ $long_opt{'no-implied-dirs'} = -1;
>+}
>+
> if ($short_disabled ne '') {
> $short_no_arg =~ s/[$short_disabled]//go;
> $short_with_num =~ s/[$short_disabled]//go;
>@@ -216,6 +231,11 @@ die "$0: invalid rsync-command syntax or options\n" if $in_options;
>
> @args = ( '.' ) if !@args;
>
>+for (@args) {
>+ die "$0: do not use .. in any path!\n" if m{(^|/)\.\.(/|$)};
>+ die "$0: arg not under subdir\n" unless abs_is_under($_, $subdir);
>+}
>+
> if ($write_log) {
> my ($mm,$hh) = (localtime)[1,2];
> my $host = $ENV{SSH_CONNECTION} || 'unknown';
>@@ -227,7 +247,19 @@ if ($write_log) {
> }
>
> # Note: This assumes that the rsync protocol will not be maliciously hijacked.
>-exec(RSYNC, @opts, @args) or die "exec(rsync @opts @args) failed: $? $!";
>+exit system(RSYNC, @opts, '--', @args);
>+
>+sub abs_is_under {
>+ my ($path, $under_abspath) = @_;
>+ for (;;) {
>+ my $a = abs_path($path);
>+ if (defined $a) {
>+ return $a =~ m{^\Q$under_abspath\E(/|$)};
>+ }
>+ die "abs_path failed on .: $!" if $path eq '.';
>+ $path =~ s{/[^/]*$}{} or $path = '.';
>+ }
>+}
>
> sub check_arg
> {
>@@ -238,6 +270,8 @@ sub check_arg
> die "Do not use .. in --$opt; anchor the path at the root of your restricted dir.\n"
> if $arg =~ m{(^|/)\.\.(/|$)};
> $arg =~ s{^/}{$subdir/};
>+ die "--$opt value outside restricted dir.\n"
>+ unless abs_is_under($arg, $subdir);
> }
> $arg;
> }
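Review bot: With SUBDIR `/` the new `abs_is_under($_, $subdir)` check in the hunk at -216 rejects every argument except `/` itself, because the pattern inside `abs_is_under` becomes `^/(/|$)`; the `$subdir ne '/'` guard added in the hunk at -147 shows that value is expected. The same call added to `check_arg` (hunk at -238) is affected. The pattern also ends in `$`, which still matches before a trailing newline, so a resolved path that is the restricted directory's name followed by a newline would be accepted; `\z` closes that. In `abs_is_under` the return could read `return $under_abspath eq '/' || $a =~ m{\A\Q$under_abspath\E(?:/|\z)};`.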
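Review bot: `exit system(...)` in the hunk at -227 hands the raw wait status to `exit`, so rsync's exit code is lost: `system` returns the code shifted left by eight bits, and on POSIX systems a value such as 256 is truncated to 0, which reports a failed transfer to the client as success. A failure to start rsync (return value -1) also no longer produces the message that the old `exec ... or die` gave. Suggested replacement: `my $status = system(RSYNC, @opts, '--', @args);` then `die "$0: cannot run rsync: $!\n" if $status == -1;` then `exit($status & 127 ? 1 : $status >> 8);`. In `abs_is_under`, `my $a` shadows the `$a` that `sort` uses; a name such as `$resolved` avoids that.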
Attachments on
bug 11879
:
12132
|
14648
|
14658
| 14662