From: Wayne Davison
Date: Wed, 9 Jan 2019 19:54:34 +0000 (-0800)
Subject: Improve check for ".." and guard against dash args.
X-Git-Tag: v3.2.0pre1~217
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a0274c08b5b561c489046e835063f1e384bedd9c;p=thirdparty%2Frsync.git

Improve check for ".." and guard against dash args.
---
diff --git a/support/rrsync b/support/rrsync
index 9195aa2f..6079c95d 100644
--- a/support/rrsync
+++ b/support/rrsync
@@ -207,13 +207,16 @@ while ($command =~ /((?:[^\s\\]+|\\.[^\s\\]*)+)/g) {
 s{//+}{/}g;
 s{^/}{};
 s{^$}{.};
- die "$0: do not use .. in any path!\n" if m{(^|/)\\?\.\\?\.(\\?/|$)};
 }
 push(@args, bsd_glob($_, GLOB_LIMIT|GLOB_NOCHECK|GLOB_BRACE|GLOB_QUOTE));
 }
 }
 die "$0: invalid rsync-command syntax or options\n" if $in_options;
 
+if ($subdir ne '/') {
+ die "$0: do not use .. in any path!\n" if grep m{(^|/)\.\.(/|$)}, @args;
+}
+
 @args = ( '.' ) if !@args;
 
 if ($write_log) {
@@ -227,7 +230,7 @@ if ($write_log) {
 }
 
 # Note: This assumes that the rsync protocol will not be maliciously hijacked.
-exec(RSYNC, @opts, @args) or die "exec(rsync @opts @args) failed: $? $!";
+exec(RSYNC, @opts, '--', @args) or die "exec(rsync @opts -- @args) failed: $? $!";
 
 sub check_arg
 {
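Review bot: The new `..` test on `@args` carries no comment saying that it has to stay after the `bsd_glob()` call, and that ordering is what the simplified pattern depends on: the names are now checked after brace and quote processing, so the `\\?` allowances of the removed line are gone. I would add above the `if ($subdir ne '/')` block `# Check the expanded names, not the raw words: bsd_glob() can produce ".." components.` It is worth confirming with a test that a word returned unchanged through GLOB_NOCHECK has had its backslash quoting removed, since otherwise dropping `\\?` would matter. The check is lexical only, so symlinks below the restricted directory are not covered by it. The `while` loop this hunk opens in begins outside the hunk.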
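Review bot: The added `'--'` has no comment, and as far as the hunk shows it is what keeps a path beginning with `-` from being read by rsync as an option; a line such as `# '--' ends option parsing, so no entry of @args can be taken as an option.` above the `exec` would keep a later edit from dropping it. The `die` message on the same line still prints `$?`, which a failed `exec` does not set; `$!` alone carries the reason, so ending the message with `failed: $!` would be clearer. The message also echoes `@args` as received, so whatever captures stderr should treat that text as untrusted.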