packages: rssh/rssh.spec, rssh/rssh-rsync-protocol.patch (NEW) - [PATCH] Ha...

psz psz at pld-linux.org
Thu Oct 20 12:06:26 CEST 2011


Author: psz                          Date: Thu Oct 20 10:06:26 2011 GMT
Module: packages                      Tag: HEAD
---- Log message:
- [PATCH] Handle the rsync v3 -e option for protocol information (from Debian Bug#471803)
- rel 3

---- Files affected:
packages/rssh:
   rssh.spec (1.49 -> 1.50) , rssh-rsync-protocol.patch (NONE -> 1.1)  (NEW)

---- Diffs:

================================================================
Index: packages/rssh/rssh.spec
diff -u packages/rssh/rssh.spec:1.49 packages/rssh/rssh.spec:1.50
--- packages/rssh/rssh.spec:1.49	Tue Oct 26 00:06:05 2010
+++ packages/rssh/rssh.spec	Thu Oct 20 12:06:20 2011
@@ -3,13 +3,14 @@
 Summary(pl.UTF-8):	Okrojona powłoka dająca dostęp tylko do scp i/lub sftp
 Name:		rssh
 Version:	2.3.3
-Release:	2
+Release:	3
 License:	BSD-like
 Group:		Applications/Shells
 Source0:	http://dl.sourceforge.net/rssh/%{name}-%{version}.tar.gz
 # Source0-md5:	b0c147602fcc95737ed50573b92fc468
 Patch0:		%{name}-userbuild.patch
 Patch1:		%{name}-mkchroot.patch
+Patch2:		%{name}-rsync-protocol.patch
 URL:		http://www.pizzashack.org/rssh/
 BuildRequires:	autoconf
 BuildRequires:	automake
@@ -34,6 +35,7 @@
 %setup -q
 %patch0 -p1
 %patch1
+%patch2 -p1
 
 %build
 %{__aclocal}
@@ -112,6 +114,10 @@
 All persons listed below can be reached at <cvs_login>@pld-linux.org
 
 $Log$
+Revision 1.50  2011/10/20 10:06:20  psz
+- [PATCH] Handle the rsync v3 -e option for protocol information (from Debian Bug#471803)
+- rel 3
+
 Revision 1.49  2010/10/25 22:06:05  psz
 - rel 2
 

================================================================
Index: packages/rssh/rssh-rsync-protocol.patch
diff -u /dev/null packages/rssh/rssh-rsync-protocol.patch:1.1
--- /dev/null	Thu Oct 20 12:06:26 2011
+++ packages/rssh/rssh-rsync-protocol.patch	Thu Oct 20 12:06:20 2011
@@ -0,0 +1,78 @@
+From: Russ Allbery <rra at stanford.edu>
+Subject: [PATCH] Handle the rsync v3 -e option for protocol information
+
+As of rsync 3, rsync reused the -e option to pass protocol information
+from the client to the server.  We therefore cannot reject all -e
+options to rsync, only ones not sent with --server or containing
+something other than protocol information as an argument.
+
+Based on work by Robert Hardy.
+
+Debian Bug#471803
+
+Signed-off-by: Russ Allbery <rra at stanford.edu>
+
+---
+ util.c |   32 ++++++++++++++++++++++++++++++--
+ 1 files changed, 30 insertions(+), 2 deletions(-)
+
+diff --git a/util.c b/util.c
+index e576755..50a63e2 100644
+--- a/util.c
++++ b/util.c
+@@ -56,6 +56,7 @@
+ #ifdef HAVE_LIBGEN_H
+ #include <libgen.h>
+ #endif /* HAVE_LIBGEN_H */
++#include <regex.h>
+ 
+ /* LOCAL INCLUDES */
+ #include "pathnames.h"
+@@ -187,6 +188,33 @@ bool check_command( char *cl, ShellOptions_t *opts, char *cmd, int cmdflag )
+ }
+ 
+ /*
++ * check_rsync_e() - take the command line passed to rssh and look for a -e
++ *                   option.  If one is found, make sure --server is provided
++ *                   and the option contains only the protocol information.
++ *                   Returns 1 if the command line is safe; 0 otherwise.
++ */
++static int check_rsync_e( char *cl )
++{
++	int	status;
++	regex_t	re;
++
++	/*
++	 * This is more complicated than it looks because we don't want to
++	 * trigger on the e in --server, but we do want to catch the common
++	 * case of -ltpre.iL (which contains -e.).
++	 */
++	static const char pattern[] = "[ \t\v\f]-([^-][^ ]*)?e[^.0-9]";
++
++	if ( strstr(cl, "--server") == NULL ) return 0;
++	if ( regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0 ){
++		return 0;
++	}
++	status = regexec(&re, cl, 0, NULL, 0);
++	regfree(&re);
++	return (status == 0) ? 0 : 1;
++}
++
++/*
+  * check_command_line() - take the command line passed to rssh, and verify
+  * 			  that the specified command is one the user is
+  * 			  allowed to run.  Return the path of the command
+@@ -230,9 +258,9 @@ char *check_command_line( char *cl, ShellOptions_t *opts )
+ 
+ 	if ( check_command(cl, opts, PATH_RSYNC, RSSH_ALLOW_RSYNC) ){
+ 		/* filter -e option */
+-		if ( opt_exist(cl, 'e') ){
++		if ( opt_exist(cl, 'e') && !check_rsync_e(cl) ){
+ 			fprintf(stderr, "\ninsecure -e option not allowed.");
+-			log_msg("insecure -e option in rdist command line!");
++			log_msg("insecure -e option in rsync command line!");
+ 			return NULL;
+ 		}
+ 		
+-- 
+tg: (05d6ee0..) fixes/rsync-protocol (depends on: upstream)
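Review bot: In check_rsync_e() the `strstr(cl, "--server") == NULL` test is satisfied by `--server` anywhere in the raw command line, including inside a path argument or as the prefix of a longer option. It therefore does not establish that rsync will actually run in server mode; the test should compare a whole whitespace-delimited argument in the position rsync expects. The `-e` test is a deny-pattern over the unparsed string: `[^.0-9]` needs one character after the `e`, so a command line ending in `-e` is reported as safe, and nothing checks that what follows `-e` has the shape of protocol information. The leading class `[ \t\v\f]` and the `[^ ]*` run also disagree on what separates arguments. A positive match on the `-e` argument per token would be tighter, for example something along the lines of `-[^- ]*e[0-9]*\.[A-Za-z0-9]*` anchored to the token; that exact form is a sketch to verify against what rsync 3 clients send. check_command_line() continues outside the inner hunk, so whether long-form options are filtered elsewhere cannot be seen from here.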
================================================================

---- CVS-web:
    http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/packages/rssh/rssh.spec?r1=1.49&r2=1.50&f=u


