Bug 15122 - Potential vulnerability: rsync creates files outside the target directory
Summary: Potential vulnerability: rsync creates files outside the target directory
Status: NEW
Alias: None
Product: rsync
Classification: Unclassified
Component: core (show other bugs)
Version: 3.2.0
Hardware: All Linux
: P5 normal (vote)
Target Milestone: ---
Assignee: Wayne Davison
QA Contact: Rsync QA Contact
Depends on:
Reported: 2022-07-14 22:04 UTC by Aditya Basu
Modified: 2022-07-14 22:04 UTC (History)
1 user (show)

See Also:

POC of vulnerability (1.83 KB, application/x-shellscript)
2022-07-14 22:04 UTC, Aditya Basu
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Aditya Basu 2022-07-14 22:04:17 UTC
Created attachment 17422 [details]
POC of vulnerability

The problem arises when trying to copy from a "case-sensitive" source to a "case-insensitive" target. The copy involves directories, files, and symbolic links (to directories). A maliciously crafted source directory can result in rsync following symbolic links and writing data outside the target directory.

For a concrete example, consider the following source directory structure:
     secret (symlink to /tmp)
        config (file)

We use rsync to recursively copy from SRC/ to TARGET/.
Command: "rsync -a SRC/ TARGET/"
Additionally, TARGET/ is on case-insensitive filesystem.

Problem: During the copy, rsync creates the TOPDIR/secret/config (file) by following the symbolic link "topdir/secret". Hence, /tmp/config is created by rsync.

We found a flag called: --copy-links which makes rsync follow symlinks at source before doing the copy. However, my understanding is that rsync should not follow symbolic links at the target, esp. the symbolic links it creates.

I have attached a POC script that demonstrates this behavior. I have tested it on rsync versions 3.2.3 and 3.1.3. Compiling the latest version (3.2.4) of rsync results in an error during the ./configure step. Hence, I could not test it.

Running Proof of concept script:
The script requires two command line arguments:
- Argument 1 = any empty case-sensitive directory
- Argument 2 = any empty case-insensitive directory

Example of invoking script for WSL:
./rsync-poc.sh ~/src /mnt/c/Users/xyz/dst