Bug 8965 - unexpected --exclude behaviour which can lead to a data breach
Product: rsync
Classification: Unclassified
Component: core
Version: 3.1.0
Hardware: All All
Importance: P5 major
Target Milestone: ---
Assignee: Wayne Davison
QA Contact: Rsync QA Contact
Reported: 2012-05-30 23:13 UTC by devkral
Modified: 2012-06-16 17:40 UTC

Description devkral 2012-05-30 23:13:48 UTC
rsync --exclude /h/xy/* /source /target
causes rsync to sync /h/xy/* into target
expected behaviour:
sync /source with /target and exclude files beyond /h/xy/
Comment 1 Kevin Korb 2012-05-30 23:16:10 UTC
That is your shell globbing the * and turning it into multiple parameters all except the first being a list of sources.  You need to quote your exclude with a wildcard like: --exclude '/h/xy/*'
Comment 2 devkral 2012-05-31 10:19:50 UTC
Ah, OK. But it would be nice if rsync would warn at least. Nothing is so frustrating as to exclude some directories and suddenly rsync leaks information from a similarly named directory.
Comment 3 Kevin Korb 2012-05-31 15:58:43 UTC
Rsync has no way to know that you tried to use a * or that you did not intend to use a list of sources.  If the explanation isn't clear, try running your command again with an "echo" in front of the "rsync".  That will show you what your shell expands the command to before passing it to rsync.
Comment 4 Wayne Davison 2012-06-16 17:40:14 UTC
A couple ways to avoid such an issue in the future:

 * Always quote any wildcards that you aren't wanting to match files (i.e. don't depend on your shell to pass non-matches as literal wildcards to any program).  If you can ask your shell to return an error for non-matched wildcards (instead of running the command), that can help get in the habit (e.g. use zsh's "setopt NOMATCH").
 * Get in the habit of using --exclude=ARG so that unquoted wildcards are less likely to match anything.
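
Added example (not part of the original bug thread and not rsync code): the script below runs the three spellings discussed in the comments inside a scratch tree and shows which arguments end up as the exclude pattern, the sources and the destination. The `classify` and `in_demo_tree` functions are hypothetical helpers, `classify` is only a simplified model of rsync's argument handling, and the relative `h/xy` tree with files `a`, `b`, `c` is constructed for the demonstration.

```shell
#!/bin/sh
# Simplified, hypothetical model of rsync's argument vector handling: only the
# two --exclude spellings are recognised, the last operand is the destination
# and every other operand is a source.
classify() {
    pattern="" sources="" prev=""
    while [ $# -gt 0 ]; do
        case $1 in
            --exclude)   pattern=$2; shift ;;
            --exclude=*) pattern=${1#--exclude=} ;;
            *)           if [ -n "$prev" ]; then sources="$sources $prev"; fi
                         prev=$1 ;;
        esac
        shift
    done
    echo "exclude=$pattern sources=${sources# } dest=$prev"
}

# Evaluate a command line inside a constructed scratch tree, so the shell
# expands any unquoted wildcard against h/xy/a, h/xy/b and h/xy/c.
in_demo_tree() (
    dir=$(mktemp -d) || exit 1
    mkdir -p "$dir/h/xy" "$dir/source" "$dir/target"
    touch "$dir/h/xy/a" "$dir/h/xy/b" "$dir/h/xy/c"
    cd "$dir" || exit 1
    eval "$1"
    status=$?
    cd / && rm -rf "$dir"
    exit "$status"
)

# 1. unquoted wildcard: the glob expands, h/xy/b and h/xy/c become sources
# 2. quoted wildcard:   the pattern reaches the program intact
# 3. --exclude=ARG:     the whole word is the glob, which matches no file here
for cmd in "classify --exclude h/xy/* source target" \
           "classify --exclude 'h/xy/*' source target" \
           "classify --exclude=h/xy/* source target"; do
    printf '%s\n  -> %s\n' "$cmd" "$(in_demo_tree "$cmd")"
done
```

The third form stays intact only because no path beginning with `--exclude=h/` exists in the working directory and the shell passes unmatched patterns through literally; quoting remains the reliable spelling.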