Hiya. While merging the 2.6.0 changes into our modified version of rsync, I noticed the following bit of code in 2.6.0's options.c:

    extern int sanitize_paths;

    if (sanitize_paths)
        sanitize_path(strdup(files_from), NULL);
    filesfrom_fd = open(files_from, O_RDONLY|O_BINARY);

Since sanitize_path modifies its first argument in place, the path that open() gets there hasn't been sanitized, which could be a security issue -- plus it leaks memory. Shouldn't that be something like this?

    extern int sanitize_paths;
    char *s = strdup(files_from);
    if (sanitize_paths)
        sanitize_path(s, NULL);
    filesfrom_fd = open(s, O_RDONLY|O_BINARY);
    free(s);

Thanks,

--
Adam Sampson <[EMAIL PROTECTED]> <http://offog.org/>
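
Added example, not part of the original post and not rsync's code: a self-contained C program that reproduces the pattern described above and shows which string would reach open() before and after the proposed change. toy_sanitize(), dup_str(), path_opened_before() and path_opened_after() are hypothetical names; toy_sanitize() only drops leading '/' and ".." components and stands in for the real sanitize_path(), and the input path is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static char *dup_str(const char *s)   /* strdup() spelled out in ISO C */
{
    char *d = malloc(strlen(s) + 1);
    return d ? strcpy(d, s) : NULL;
}

/* Toy stand-in for sanitize_path() (not rsync's code); edits p in place. */
static void toy_sanitize(char *p)
{
    char *src = p, *dst = p;
    while (*src) {
        size_t n = strcspn(src, "/");
        if (n && !(n == 2 && src[0] == '.' && src[1] == '.')) {
            if (dst != p) *dst++ = '/';
            dst = (char *)memmove(dst, src, n) + n;
        }
        src += n + (src[n] == '/');
    }
    *dst = '\0';
}

/* As posted from options.c: only a throwaway copy gets sanitized. */
static char *path_opened_before(const char *files_from)
{
    char *copy = dup_str(files_from);
    if (copy) toy_sanitize(copy);
    free(copy);                   /* the original never frees it: the leak */
    return dup_str(files_from);   /* open() would still get the raw string */
}

/* As proposed in the post: sanitize the copy and open that same copy. */
static char *path_opened_after(const char *files_from)
{
    char *s = dup_str(files_from);
    if (s) toy_sanitize(s);
    return s;                     /* caller opens s, then frees it */
}

int main(void)
{
    char *a = path_opened_before("/../../etc/passwd");  /* constructed input */
    char *b = path_opened_after("/../../etc/passwd");
    if (a && b) printf("before: %s\nafter:  %s\n", a, b);
    free(a); free(b);
    return 0;
}
```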