wrt. to your video.
https://youtu.be/A5ol7bO_scQ
we are d'accord that there is a possibility that the parameter might contain an unwanted parameter. but as duplicity command lines are created by the user and _not_ an attacker it is in the user's purview to make sure the target url is proper.
there is no ui to my knowledge for duplicity that browses a backend and lets the user pick a possibly malicious path.
having written all that - please come up with an attack based on the backends file naming
or
please accept that this is going to stand as long as nobody finds time to tackle it
or
ideally just fix it yourself and provide patches or a branch!
so long.. ede/duply.net