From c78e53edb802d04f7e4e070fe8314f2544749e7a Mon Sep 17 00:00:00 2001
From: Andrew Tridgell <andrew@tridgell.net>
Date: Tue, 26 Nov 2024 09:16:31 +1100
Subject: [PATCH 4/4] disallow ../ elements in relpath for secure_relative_open

---
 syscall.c | 7 +++++++
 1 file changed, 7 insertions(+)

Index: rsync-3.1.3/syscall.c
===================================================================
--- rsync-3.1.3.orig/syscall.c
+++ rsync-3.1.3/syscall.c
@@ -587,6 +587,8 @@ int do_open_nofollow(const char *pathnam
   must be a relative path, and the relpath must not contain any
   elements in the path which follow symlinks (ie. like O_NOFOLLOW, but
   applies to all path components, not just the last component)
+
+  The relpath must also not contain any ../ elements in the path
 */
 int secure_relative_open(const char *basedir, const char *relpath, int flags, mode_t mode)
 {
@@ -595,6 +597,11 @@ int secure_relative_open(const char *bas
 		errno = EINVAL;
 		return -1;
 	}
+	if (strncmp(relpath, "../", 3) == 0 || strstr(relpath, "/../")) {
+		// no ../ elements allowed in the relpath
+		errno = EINVAL;
+		return -1;
+	}
 
 #if !defined(O_NOFOLLOW) || !defined(O_DIRECTORY)
 	// really old system, all we can do is live with the risks