Bug 1573 - module revealed thru error msg even with "list = no"
module revealed thru error msg even with "list = no"
Status: CLOSED FIXED
Product: rsync
Classification: Unclassified
Component: core
2.6.2
All Linux
: P3 normal
: ---
Assigned To: Wayne Davison
Rsync QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2004-07-30 11:23 UTC by Daniel Widyono
Modified: 2005-03-16 16:48 UTC (History)
1 user (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Daniel Widyono 2004-07-30 11:23:37 UTC
"list = no" correctly hides via rsync _server_::, however if one tries
rsync _server_::_existing-module_/ and does not have permission, one gets
@ERROR: access denied to _user_ from _client_, whereas an attempt for a
non-existent module emits @ERROR: Unknown module '_non-existent-module_'

If "list = no" is used for security purposes (can't think of another reason at
the moment), this can be considered a security bug and thus I left severity at
normal instead of labeling it minor.
Comment 1 Wayne Davison 2004-07-30 13:12:41 UTC
It's easy enough to lie to the user and tell them that the module is unknown
when they fail to access a module that has "list = no" set (while still logging
the real error into the server's log file).  I've checked-in a change to CVS.