From a0274c08b5b561c489046e835063f1e384bedd9c Mon Sep 17 00:00:00 2001
From: Wayne Davison
Date: Wed, 9 Jan 2019 11:54:34 -0800
Subject: [PATCH] Improve check for ".." and guard against dash args.
---
 support/rrsync | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/support/rrsync b/support/rrsync
index 9195aa2f..6079c95d 100644
--- a/support/rrsync
+++ b/support/rrsync
@@ -207,13 +207,16 @@ while ($command =~ /((?:[^\s\\]+|\\.[^\s\\]*)+)/g) {
 s{//+}{/}g;
 s{^/}{};
 s{^$}{.};
- die "$0: do not use .. in any path!\n" if m{(^|/)\\?\.\\?\.(\\?/|$)};
 }
 push(@args, bsd_glob($_, GLOB_LIMIT|GLOB_NOCHECK|GLOB_BRACE|GLOB_QUOTE));
 }
 }
 die "$0: invalid rsync-command syntax or options\n" if $in_options;
+if ($subdir ne '/') {
+ die "$0: do not use .. in any path!\n" if grep m{(^|/)\.\.(/|$)}, @args;
+}
+
 @args = ( '.' ) if !@args;
 if ($write_log) {
@@ -227,7 +230,7 @@ if ($write_log) {
 }
 # Note: This assumes that the rsync protocol will not be maliciously hijacked.
-exec(RSYNC, @opts, @args) or die "exec(rsync @opts @args) failed: $? $!";
+exec(RSYNC, @opts, '--', @args) or die "exec(rsync @opts -- @args) failed: $? $!";
 sub check_arg {
--
2.47.2
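Review bot: The added `grep` over `@args` is now the only `..` guard in the script, yet nothing on the new lines says that it must stay after the `bsd_glob()` loop or what form of path it is expected to see. I would put a comment above the `if ($subdir ne '/')` block, for example `# Only ".." check: must run after every bsd_glob() push so it sees the expanded paths.` The removed regex allowed an optional backslash before each dot and the new one does not; the hunk does not show whether a pattern that `GLOB_NOCHECK` hands back unmatched has already had its `GLOB_QUOTE` backslashes removed, so a regression test for that case would confirm the simpler regex is sufficient. The `die` also sits before the `$write_log` block, so a refused request presumably never reaches the rrsync log. The `while` loop that fills `@args` starts above the hunk.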
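Review bot: The rewritten `exec` line carries no comment explaining the `'--'`, and an unexplained separator is easy for a later cleanup to drop as redundant; I would add `# '--' ends option parsing so a path that starts with '-' cannot be read by rsync as an option.` above it. The `die` message still prints `$?`, which a failed `exec` does not set, so only `$!` is informative there: `... failed: $!`. Values that reach `@opts` are not affected by this change and still depend on the option filtering earlier in the script, which is outside the hunk.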