On 02.12.2015 17:48, Bernd Dietzel wrote:
> Ok, found why it does not work.
> The character "/" is automatically added at the end, so it results in "--log-file=xxx/" which won't work.
> If some valid parameter is at the end which likes the "/" added, it works.
> In this demo, I added "--partial-dir=/tmp" which gets to "--partial-dir=/tmp/" which is valid.
> The xxx file was created in my home folder.
>
> duplicity 'rsync://127.0.0.1/bug/ --log-file=xxx --partial-dir=/tmp'
> /home/Downloads/
>
> So, when I use the rsync backend, any parameter which allows to have a
> "/" at the end will be executed.
>
whilst imperfect, i will not spend time fixing this obvious flaw. as i wrote, the same can be achieved "properly" by using --rsync-options. also using rsync plainly with these arguments would have an identical result.
the only way to fix this is to patch each and every backend and have it shlex/pipes.quote() each and every string we use in the cmd line. but until i see a vulnerability springing from this issue i am not going to invest the effort, speaking only for myself here of course ;)
..ede/duply
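
The quoting fix mentioned in the reply above, sketched as an added example that is not part of the original thread and is not duplicity's own code. It assumes a simplified backend that formats the remote string into an `rsync` command line and tokenizes it shell-style; the function names and the file name `vol1.difftar.gz` are hypothetical, and `shlex.quote` is the Python 3 name for `pipes.quote`.

```python
import shlex

# Constructed input: the target from the report with the "rsync://" scheme removed.
REPORTED_TARGET = "127.0.0.1/bug/ --log-file=xxx --partial-dir=/tmp"


def build_unquoted(local_file, target):
    """Model of the flaw: the remote string is formatted in as-is.

    The trailing "/" is appended as described in the report.
    """
    return "rsync %s %s" % (local_file, target + "/")


def build_quoted(local_file, target):
    """Same command line with every interpolated string quoted."""
    return "rsync %s %s" % (shlex.quote(local_file), shlex.quote(target + "/"))


def argv_of(cmdline):
    """Tokenize the command line the way a POSIX shell would."""
    return shlex.split(cmdline)


def option_like_args(argv):
    """Arguments after the program name that rsync would parse as options."""
    return [arg for arg in argv[1:] if arg.startswith("-")]


if __name__ == "__main__":
    for builder in (build_unquoted, build_quoted):
        argv = argv_of(builder("vol1.difftar.gz", REPORTED_TARGET))
        print(builder.__name__, argv, "options:", option_like_args(argv))
```

With quoting, the whole target reaches rsync as one argument, so the embedded `--log-file` and `--partial-dir` strings are treated as part of the destination rather than as options.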