git.ipfire.org Git - thirdparty/rsync.git/commit
testsuite: add positive controls to the symlink-race security tests
author: Andrew Tridgell <andrew@tridgell.net>
Sun, 24 May 2026 22:08:42 +0000 (08:08 +1000)
committer: Andrew Tridgell <andrew@tridgell.net>
Mon, 25 May 2026 21:43:00 +0000 (07:43 +1000)
commit: f196279c2916cabebea9aad1354fed78ffb127cf
tree: e2d8c6dffec43fc4782f7511018603273c14bd89
parent: ed11852ed03a82e750c52bf3de949dff2d34b887
testsuite: add positive controls to the symlink-race security tests

The symlink-race tests only asserted that an outside sentinel was unchanged or
unlisted while ignoring rsync's exit status, so an attack transfer/listing that
failed before reaching the vulnerable receiver/sender path would pass without
the security property ever being exercised. Add a positive control to each --
an ordinary in-module write (bare-do-open, chdir) or an in-module listing
(sender-flist-leak) that must succeed -- so a globally broken/refusing daemon
can no longer make the sentinel checks vacuous, and assert the attack run did
not die from a signal.

clean-fname-underflow now also enforces a non-zero exit: clean_fname()
collapses "a/../test" to "test", whose merge file is absent, so rsync must
reject it; accepting it (rc 0) would mean the crafted name was mis-collapsed.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
testsuite/bare-do-open-symlink-race_test.py
testsuite/chdir-symlink-race_test.py
testsuite/clean-fname-underflow_test.py
testsuite/sender-flist-symlink-leak_test.py
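
The positive-control reasoning in the commit message, as an added Python example that is not code from the rsync testsuite: it shows why a sentinel-only assertion passes against a daemon that refuses everything, and how a control run plus a signal check closes that gap. Child Python snippets stand in for rsync client runs, and the names `naive_check`, `verdict` and `scenario` are assumptions made for illustration.

```python
import os, subprocess, sys, tempfile

# Constructed child snippets standing in for rsync client runs (not rsync itself).
WRITE = "import sys; open(sys.argv[1], 'w').write('data')"   # transfer succeeds
REFUSE = "import sys; sys.exit(5)"                           # transfer rejected
CRASH = "import os, signal; os.kill(os.getpid(), signal.SIGSEGV)"

def run(code, target):
    """Return the child's status; subprocess reports death by signal N as -N."""
    return subprocess.run([sys.executable, "-c", code, target]).returncode

def naive_check(before, after):
    """The old style of assertion: only the outside sentinel is compared."""
    return before == after

def verdict(control_rc, attack_rc, before, after):
    """Sentinel check guarded by a positive control and a signal check."""
    if control_rc != 0:
        return "INVALID: positive control failed, sentinel check is vacuous"
    if attack_rc < 0:
        return "FAIL: attack run died from signal %d" % -attack_rc
    if not naive_check(before, after):
        return "FAIL: outside sentinel changed"
    return "PASS"

def scenario(control_code, attack_code):
    """Run the control, then the attack stand-in, against a scratch module dir."""
    with tempfile.TemporaryDirectory() as top:
        module = os.path.join(top, "module")
        os.mkdir(module)
        sentinel = os.path.join(top, "sentinel")   # lives outside the module
        with open(sentinel, "w") as f:
            f.write("untouched")
        with open(sentinel) as f:
            before = f.read()
        control_rc = run(control_code, os.path.join(module, "control"))
        attack_rc = run(attack_code, os.path.join(module, "attack"))
        with open(sentinel) as f:
            after = f.read()
        return naive_check(before, after), verdict(control_rc, attack_rc, before, after)

if __name__ == "__main__":
    for name, ctl, atk in [("healthy daemon", WRITE, REFUSE),
                           ("daemon refusing everything", REFUSE, REFUSE),
                           ("receiver crashes", WRITE, CRASH)]:
        print(name, scenario(ctl, atk))
```

In all three scenarios the sentinel-only check returns True; only the guarded verdict separates the healthy run from the refusing daemon and the crashed receiver.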