Commit 962f8b90045ab331fc04c9e65f80f1a53e68243b fixed an issue where malicious servers can utilize a just sent symlink to overwrite arbitrary files (CVE-2014-9512). The check was implemented for the inc-recurse algorithm only. An evil sender can bypass the check and still use the symlink vector by negotiating protocol < 30. You might consider fixing this in the non-incremental recursive algorithm as well.
You'll have to be more specific, since the fix was implemented in both inc-recursive and non-inc-recursive modes (in separate fixes). I tested --protocol=29 and --no-inc-recursive w/o issue (though the older protocol isn't good enough to make the error visible on a "push" (such as a local copy), since it doesn't retrieve remote errors like protocol 30 does when the remote side dies. You can see the error via --msgs2stderr, or just rely on the error's protocol-incompatibility exit error code.
FYI, the other commit is: e12a6c087ca1eecdb8eae5977be239c24f4dd3d9
(In reply to Wayne Davison from comment #2) Thanks, I just found the commit too, I completely missed it before. I reproduced this on a patched 3.1.1, not 3.1.2, if I remember it correctly. So this report is likely invalid, I'll verify it on Monday. Thanks for your quick response.
(In reply to Wayne Davison from comment #2) The commit (https://git.samba.org/rsync.git/?p=rsync.git;a=commit;h=e12a6c087ca1eecdb8eae5977be239c24f4dd3d9) indeed fixes the issue for the older recursive algorithm.