Comment 26 for bug 1520691
Revision history for this message
| edso (ed.so) wrote Re: [Duplicity-team] [Bug 1520691] Re: Shell Code Injection in hsi backend | #26 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
0e1f616
(Get the code!)
On 02.12.2015 17:48, Bernd Dietzel wrote:
> Ok, found why it not works.
> The character "/" ist automatically added at the end, so it results in "--log-file=xxx/" wtich wont work.
> If some valid parameter is at the end witch likes the "/" added, it works.
> In this Demo, i added "--partial-
> The xxx file was created in my home folder.
>
> duplicity 'rsync:
> /home/Downloads/
>
> So, when i use the rsync backend, any parameter witch allows to have a
> "/" at the end will be executed.
>
whilst imperfect, i will not spend time fixing this obvious flaw. as i wrote, the same can be achieved "properly" by using --rsync-options. also using rsync plainly with these arguments would have an identical result.
the only way to fix this is to patch each and every backend and have it shlex/pipes.quote() each and every string we use in the cmd line. but until i see a vulnerability springing from this issue i am not going to invest the effort, speaking only for myself here of course ;)
..ede/duply