On 01.12.2015 22:44, Bernd Dietzel wrote:
> second test :
>
> use the path
>
> /tmp/ --log-file=xxx
>
1. can you provide a proper command line that illustrates a problem? along the lines of 'duplicity /local/path rsync://'
2. this would be a simple bug, but no security issue. actually what you describe is legally possible with duplicity by using the parameter --rsync-options.
if you can come up w/ an attack where the filenames on the backend were maliciously modified in a way that exploits a locally run duplicity, then you'd have me convinced instantly.
..ede/duply.net