packages: rssh/rssh.spec, rssh/rssh-rsync-protocol.patch (NEW) - [PATCH] Ha...
psz
psz at pld-linux.org
Thu Oct 20 12:06:26 CEST 2011
Author: psz Date: Thu Oct 20 10:06:26 2011 GMT
Module: packages Tag: HEAD
---- Log message:
- [PATCH] Handle the rsync v3 -e option for protocol information (from Debian Bug#471803)
- rel 3
---- Files affected:
packages/rssh:
rssh.spec (1.49 -> 1.50) , rssh-rsync-protocol.patch (NONE -> 1.1) (NEW)
---- Diffs:
================================================================
Index: packages/rssh/rssh.spec
diff -u packages/rssh/rssh.spec:1.49 packages/rssh/rssh.spec:1.50
--- packages/rssh/rssh.spec:1.49 Tue Oct 26 00:06:05 2010
+++ packages/rssh/rssh.spec Thu Oct 20 12:06:20 2011
@@ -3,13 +3,14 @@
Summary(pl.UTF-8): Okrojona powłoka dająca dostęp tylko do scp i/lub sftp
Name: rssh
Version: 2.3.3
-Release: 2
+Release: 3
License: BSD-like
Group: Applications/Shells
Source0: http://dl.sourceforge.net/rssh/%{name}-%{version}.tar.gz
# Source0-md5: b0c147602fcc95737ed50573b92fc468
Patch0: %{name}-userbuild.patch
Patch1: %{name}-mkchroot.patch
+Patch2: %{name}-rsync-protocol.patch
URL: http://www.pizzashack.org/rssh/
BuildRequires: autoconf
BuildRequires: automake
@@ -34,6 +35,7 @@
%setup -q
%patch0 -p1
%patch1
+%patch2 -p1
%build
%{__aclocal}
@@ -112,6 +114,10 @@
All persons listed below can be reached at <cvs_login>@pld-linux.org
$Log$
+Revision 1.50 2011/10/20 10:06:20 psz
+- [PATCH] Handle the rsync v3 -e option for protocol information (from Debian Bug#471803)
+- rel 3
+
Revision 1.49 2010/10/25 22:06:05 psz
- rel 2
================================================================
Index: packages/rssh/rssh-rsync-protocol.patch
diff -u /dev/null packages/rssh/rssh-rsync-protocol.patch:1.1
--- /dev/null Thu Oct 20 12:06:26 2011
+++ packages/rssh/rssh-rsync-protocol.patch Thu Oct 20 12:06:20 2011
@@ -0,0 +1,78 @@
+From: Russ Allbery <rra at stanford.edu>
+Subject: [PATCH] Handle the rsync v3 -e option for protocol information
+
+As of rsync 3, rsync reused the -e option to pass protocol information
+from the client to the server. We therefore cannot reject all -e
+options to rsync, only ones not sent with --server or containing
+something other than protocol information as an argument.
+
+Based on work by Robert Hardy.
+
+Debian Bug#471803
+
+Signed-off-by: Russ Allbery <rra at stanford.edu>
+
+---
+ util.c | 32 ++++++++++++++++++++++++++++++--
+ 1 files changed, 30 insertions(+), 2 deletions(-)
+
+diff --git a/util.c b/util.c
+index e576755..50a63e2 100644
+--- a/util.c
++++ b/util.c
+@@ -56,6 +56,7 @@
+ #ifdef HAVE_LIBGEN_H
+ #include <libgen.h>
+ #endif /* HAVE_LIBGEN_H */
++#include <regex.h>
+
+ /* LOCAL INCLUDES */
+ #include "pathnames.h"
+@@ -187,6 +188,33 @@ bool check_command( char *cl, ShellOptions_t *opts, char *cmd, int cmdflag )
+ }
+
+ /*
++ * check_rsync_e() - take the command line passed to rssh and look for a -e
++ * option. If one is found, make sure --server is provided
++ * and the option contains only the protocol information.
++ * Returns 1 if the command line is safe; 0 otherwise.
++ */
++static int check_rsync_e( char *cl )
++{
++ int status;
++ regex_t re;
++
++ /*
++ * This is more complicated than it looks because we don't want to
++ * trigger on the e in --server, but we do want to catch the common
++ * case of -ltpre.iL (which contains -e.).
++ */
++ static const char pattern[] = "[ \t\v\f]-([^-][^ ]*)?e[^.0-9]";
++
++ if ( strstr(cl, "--server") == NULL ) return 0;
++ if ( regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0 ){
++ return 0;
++ }
++ status = regexec(&re, cl, 0, NULL, 0);
++ regfree(&re);
++ return (status == 0) ? 0 : 1;
++}
++
++/*
+ * check_command_line() - take the command line passed to rssh, and verify
+ * that the specified command is one the user is
+ * allowed to run. Return the path of the command
+@@ -230,9 +258,9 @@ char *check_command_line( char *cl, ShellOptions_t *opts )
+
+ if ( check_command(cl, opts, PATH_RSYNC, RSSH_ALLOW_RSYNC) ){
+ /* filter -e option */
+- if ( opt_exist(cl, 'e') ){
++ if ( opt_exist(cl, 'e') && !check_rsync_e(cl) ){
+ fprintf(stderr, "\ninsecure -e option not allowed.");
+- log_msg("insecure -e option in rdist command line!");
++ log_msg("insecure -e option in rsync command line!");
+ return NULL;
+ }
+
+--
+tg: (05d6ee0..) fixes/rsync-protocol (depends on: upstream)
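Review bot: In check_rsync_e(), `strstr(cl, "--server") == NULL` only proves that the substring occurs somewhere in the command line, so a file name or a longer option containing `--server` passes just as the real server flag would. The test should run on the tokenized arguments and require `--server` as a whole token in the position rsync expects. The regex also demands one more character after the `e`, so an option cluster that ends the string on `e` is reported as safe; `"[ \t\v\f]-([^-][^ ]*)?e([^.0-9]|$)"` would cover that case. Nothing in the visible lines of check_command_line(), whose body starts and ends outside this hunk, filters the long spelling `--rsh`, so that is worth confirming in the unseen part. Because this is a deny-list applied to the raw string rather than to the parsed argument vector, the header comment of check_rsync_e() should also state which rsync option syntax and whitespace separators it assumes.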
================================================================
---- CVS-web:
http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/packages/rssh/rssh.spec?r1=1.49&r2=1.50&f=u