Comment 23 for bug 1520691

edso (ed.so) wrote : Re: [Duplicity-team] [Bug 1520691] Re: Shell Code Injection in hsi backend

On 01.12.2015 22:44, Bernd Dietzel wrote:
> second test :
>
> use the path
>
> /tmp/ --log-file=xxx
>

1. can you provide a proper command line that illustrates a problem? along the lines of 'duplicity /local/path rsync://'

2. this would be a simple bug, but no security issue. actually what you describe is legally possible with duplicity by using the parameter --rsync-options.

if you can come up w/ an attack where the filenames on the backend were maliciously modified in a way that exploits a locally run duplicity, then you'd have me convinced instantly.

..ede/duply.net