In the past, I had restricted rsync so that the -e option was disallowed. As
of rsync-3.0.0, I'm now seeing the following requests being made (on the
server side):
rsync --server -vlogDtprze.iL .
I want to prevent '-e' as a client side option so arbitrary programs can't be
executed.
I found the following, but didn't trace through to verify exactly where I was
in the code base:
--- options.c ---
1785 /* We make use of the -e option to let the server know about any
1786 * pre-release protocol version && some behavior flags. */
1787 argstr[x++] = 'e';
1788 #if SUBPROTOCOL_VERSION != 0
1789 if (protocol_version == PROTOCOL_VERSION) {
1790 x += snprintf(argstr+x, sizeof argstr - x,
1791 "%d.%d", PROTOCOL_VERSION, SUBPROTOCOL_VERSION);
1792 } else
1793 #endif
1794 argstr[x++] = '.';
1795 set_allow_inc_recurse();
1796 if (allow_inc_recurse)
1797 argstr[x++] = 'i';
1798 #if defined HAVE_LUTIMES && defined HAVE_UTIMES
1799 argstr[x++] = 'L';
1800 #endif
1801 argstr[x] = '\0';
The above "e.iL" definitely matches, so I know I'm close.
Is it safe to allow 'e' if '--server' is also present?
Suggestions?
Thanks.
--Kaleb
--
To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync
Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html
