Preparing for release of 3.2.6

A local_server copy now includes the dev+ino info from the destination
file so that the sender can make sure that it is not going to delete
the destination file.  Fixes mistakes such as:

  rsync -aiv --remove-source-files dir .

INSTALL.md

@@ -26,7 +26,7 @@ build user (after installing python3's pip package):
 
 You can test if you've got it fixed by running (from the rsync checkout):
 
->     ./md2man --test rsync-ssl.1.md
+>     ./md-convert --test rsync-ssl.1.md
 
 Alternately, you can avoid generating the manpages by fetching the very latest
 versions (that match the latest git source) from the [generated-files][6] dir.

NEWS.md

@@ -1,4 +1,55 @@
-# NEWS for rsync 3.2.5 (UNRELEASED)
+# NEWS for rsync 3.2.6 (9 Sep 2022)
+
+## Changes in this version:
+
+### BUG FIXES:
+
+- More path-cleaning improvements in the file-list validation code to avoid
+  rejecting of valid args.
+
+- A file-list validation fix for a [`--files-from`](rsync.1#opt) file that ends
+  without a line-terminating character.
+
+- Added a safety check that prevents the sender from removing destination files
+  when a local copy using [`--remove-source-files`](rsync.1#opt) has some files
+  that are shared between the sending & receiving hierarchies, including the
+  case where the source dir & destination dir are identical.
+
+- Fixed a bug in the internal MD4 checksum code that could cause the digest
+  to be sporadically incorrect (the openssl version was/is fine).
+
+- A minor tweak to rrsync added "copy-devices" to the list of known args, but
+  left it disabled by default.
+
+### ENHANCEMENTS:
+
+- Rename `--protect-args` to [`--secluded-args`](rsync.1#opt) to make it
+  clearer how it differs from the default backslash-escaped arg-protecting
+  behavior of rsync.  The old option names are still accepted.  The
+  environment-variable override did not change its name.
+
+### PACKAGING RELATED:
+
+- The configure option `--with-protected-args` was renamed to
+  `--with-secluded-args`.  This option makes `--secluded-args` the default
+  rsync behavior instead of using backslash escaping for protecting args.
+
+- The mkgitver script now makes sure that a `.git` dir/file is in the top-level
+  source dir before calling `git describe`. It also runs a basic check on the
+  version value. This should avoid using an unrelated git description for
+  rsync's version.
+
+### DEVELOPER RELATED:
+
+- The configure script no longer sets the -pedantic-errors CFLAG (which it
+  used to try to do only for gcc).
+
+- The name_num_obj struct was modified to allow its dynamic name_num_item list
+  to be initialized in a better way.
+
+------------------------------------------------------------------------------
+
+# NEWS for rsync 3.2.5 (14 Aug 2022)
 
 ## Changes in this version:
 
@@ -7,24 +58,43 @@
 - Added some file-list safety checking that helps to ensure that a rogue
   sending rsync can't add unrequested top-level names and/or include recursive
   names that should have been excluded by the sender.  These extra safety
-  checks only require the receiver rsync to be udateed.  When dealing with an
+  checks only require the receiver rsync to be updated.  When dealing with an
   untrusted sending host, it is safest to copy into a dedicated destination
   directory for the remote content (i.e. don't copy into a destination
   directory that contains files that aren't from the remote host unless you
   trust the remote host). Fixes CVE-2022-29154.
 
+ - A fix for CVE-2022-37434 in the bundled zlib (buffer overflow issue).
+
 ### BUG FIXES:
 
+- Fixed the handling of filenames specified with backslash-quoted wildcards
+  when the default remote-arg-escaping is enabled.
+
 - Fixed the configure check for signed char that was causing a host that
   defaults to unsigned characters to generate bogus rolling checksums. This
   made rsync send mostly literal data for a copy instead of finding matching
-  data in the receiver's basis file.
+  data in the receiver's basis file (for a file that contains high-bit
+  characters).
 
-- Lots of manpage improvements, including an attempt to better desdribe how
+- Lots of manpage improvements, including an attempt to better describe how
   include/exclude filters work.
 
+- If rsync is compiled with an xxhash 0.8 library and then moved to a system
+  with a dynamically linked xxhash 0.7 library, we now detect this and disable
+  the XX3 hashes (since these routines didn't stabilize until 0.8).
+
+### ENHANCEMENTS:
+
+- The [`--trust-sender`](rsync.1#opt) option was added as a way to bypass the
+  extra file-list safety checking (should that be required).
+
 ### PACKAGING RELATED:
 
+- A note to those wanting to patch older rsync versions: the changes in this
+  release requires the quoted argument change from 3.2.4. Then, you'll want
+  every single code change from 3.2.5 since there is no fluff in this release.
+
 - The build date that goes into the manpages is now based on the developer's
   release date, not on the build's local-timezone interpretation of the date.
 
@@ -45,7 +115,7 @@
 ### BEHAVIOR CHANGES:
 
  - A new form of arg protection was added that works similarly to the older
-   [`--protect-args`](rsync.1#opt) (`-s`) option but in a way that avoids
+   `--protect-args` ([`-s`](rsync.1#opt)) option but in a way that avoids
    breaking things like rrsync (the restricted rsync script): rsync now uses
    backslash escaping for sending "shell-active" characters to the remote
    shell. This includes spaces, so fetching a remote file via a simple quoted
@@ -149,7 +219,7 @@
 
  - Fixed a potential issue in git-set-file-times when handling commits with
    high-bit characters in the description & when handling a description that
-   might mimick the git raw-commit deliniators.  (See the support dir.)
+   might mimic the git raw-commit deliniators.  (See the support dir.)
 
  - The bundled systemd/rsync.service file now includes `Restart=on-failure`.
 
@@ -4522,7 +4592,8 @@
 
 | RELEASE DATE | VER.   | DATE OF COMMIT\* | PROTOCOL    |
 |--------------|--------|------------------|-------------|
-| ?? Aug 2022  | 3.2.5  |                  | 31          |
+| 09 Sep 2022  | 3.2.6  |                  | 31          |
+| 14 Aug 2022  | 3.2.5  |                  | 31          |
 | 15 Apr 2022  | 3.2.4  |                  | 31          |
 | 06 Aug 2020  | 3.2.3  |                  | 31          |
 | 04 Jul 2020  | 3.2.2  |                  | 31          |

batch.c

@@ -3,7 +3,7 @@
  *
  * Copyright (C) 1999 Weiss
  * Copyright (C) 2004 Chris Shoemaker
- * Copyright (C) 2004-2020 Wayne Davison
+ * Copyright (C) 2004-2022 Wayne Davison
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -194,7 +194,7 @@ static int write_opt(const char *opt, const char *arg)
 {
 	int len = strlen(opt);
 	int err = write(batch_sh_fd, " ", 1) != 1;
-	err = write(batch_sh_fd, opt, len) != len ? 1 : 0; 
+	err = write(batch_sh_fd, opt, len) != len ? 1 : 0;
 	if (arg) {
 		err |= write(batch_sh_fd, "=", 1) != 1;
 		err |= write_arg(arg);

byteorder.h

@@ -2,7 +2,7 @@
  * Simple byteorder handling.
  *
  * Copyright (C) 1992-1995 Andrew Tridgell
- * Copyright (C) 2007-2020 Wayne Davison
+ * Copyright (C) 2007-2022 Wayne Davison
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -129,4 +129,3 @@ SIVAL(char *buf, int pos, uint32 val)
 {
 	SIVALu((uchar*)buf, pos, val);
 }
-

checksum.c

@@ -42,26 +42,30 @@ extern int protocol_version;
 extern int proper_seed_order;
 extern const char *checksum_choice;
 
-struct name_num_obj valid_checksums = {
-	"checksum", NULL, NULL, 0, 0, {
+struct name_num_item valid_checksums_items[] = {
 #ifdef SUPPORT_XXH3
-		{ CSUM_XXH3_128, "xxh128", NULL },
-		{ CSUM_XXH3_64, "xxh3", NULL },
+	{ CSUM_XXH3_128, "xxh128", NULL },
+	{ CSUM_XXH3_64, "xxh3", NULL },
 #endif
 #ifdef SUPPORT_XXHASH
-		{ CSUM_XXH64, "xxh64", NULL },
-		{ CSUM_XXH64, "xxhash", NULL },
+	{ CSUM_XXH64, "xxh64", NULL },
+	{ CSUM_XXH64, "xxhash", NULL },
 #endif
-		{ CSUM_MD5, "md5", NULL },
-		{ CSUM_MD4, "md4", NULL },
-		{ CSUM_NONE, "none", NULL },
-		{ 0, NULL, NULL }
-	}
+	{ CSUM_MD5, "md5", NULL },
+	{ CSUM_MD4, "md4", NULL },
+	{ CSUM_NONE, "none", NULL },
+	{ 0, NULL, NULL }
+};
+
+struct name_num_obj valid_checksums = {
+	"checksum", NULL, NULL, 0, 0, valid_checksums_items
 };
 
 int xfersum_type = 0; /* used for the file transfer checksums */
 int checksum_type = 0; /* used for the pre-transfer (--checksum) checksums */
 
+static int initialized_choices = 0;
+
 int parse_csum_name(const char *name, int len)
 {
 	struct name_num_item *nni;
@@ -79,6 +83,9 @@ int parse_csum_name(const char *name, int len)
 		return CSUM_MD4_ARCHAIC;
 	}
 
+	if (!initialized_choices)
+		init_checksum_choices();
+
 	nni = get_nni_by_name(&valid_checksums, name, len);
 
 	if (!nni) {
@@ -413,8 +420,8 @@ void file_checksum(const char *fname, const STRUCT_STAT *st_p, char *sum)
 
 		mdfour_begin(&m);
 
-		for (i = 0; i + CHUNK_SIZE <= len; i += CHUNK_SIZE)
-			mdfour_update(&m, (uchar *)map_ptr(buf, i, CHUNK_SIZE), CHUNK_SIZE);
+		for (i = 0; i + CSUM_CHUNK <= len; i += CSUM_CHUNK)
+			mdfour_update(&m, (uchar *)map_ptr(buf, i, CSUM_CHUNK), CSUM_CHUNK);
 
 		/* Prior to version 27 an incorrect MD4 checksum was computed
 		 * by failing to call mdfour_tail() for block sizes that
@@ -623,3 +630,31 @@ int sum_end(char *sum)
 
 	return csum_len_for_type(cursum_type, 0);
 }
+
+void init_checksum_choices()
+{
+#ifdef SUPPORT_XXH3
+	char buf[32816];
+	int j;
+	for (j = 0; j < (int)sizeof buf; j++) {
+		buf[j] = ' ' + (j % 96);
+	}
+	sum_init(CSUM_XXH3_64, 0);
+	sum_update(buf, 32816);
+	sum_update(buf, 31152);
+	sum_update(buf, 32474);
+	sum_update(buf, 9322);
+	if (XXH3_64bits_digest(xxh3_state) != 0xadbcf16d4678d1de) {
+		int t, f;
+		struct name_num_item *nni = valid_checksums.list;
+		for (t = f = 0; nni[f].name; f++) {
+			if (nni[f].num == CSUM_XXH3_64 || nni[f].num == CSUM_XXH3_128)
+				continue;
+			if (t != f)
+				nni[t++] = nni[f];
+		}
+		nni[t].name = NULL;
+	}
+#endif
+	initialized_choices = 1;
+}

clientserver.c

@@ -381,7 +381,7 @@ int start_inband_exchange(int f_in, int f_out, const char *user, int argc, char
 
 	if (rl_nulls) {
 		for (i = 0; i < sargc; i++) {
-			if (!sargs[i]) /* stop at --protect-args NULL */
+			if (!sargs[i]) /* stop at --secluded-args NULL */
 				break;
 			write_sbuf(f_out, sargs[i]);
 			write_byte(f_out, 0);

compat.c

@@ -91,19 +91,21 @@ int filesfrom_convert = 0;
 
 #define MAX_NSTR_STRLEN 256
 
-struct name_num_obj valid_compressions = {
-	"compress", NULL, NULL, 0, 0, {
+struct name_num_item valid_compressions_items[] = {
 #ifdef SUPPORT_ZSTD
-		{ CPRES_ZSTD, "zstd", NULL },
+	{ CPRES_ZSTD, "zstd", NULL },
 #endif
 #ifdef SUPPORT_LZ4
-		{ CPRES_LZ4, "lz4", NULL },
+	{ CPRES_LZ4, "lz4", NULL },
 #endif
-		{ CPRES_ZLIBX, "zlibx", NULL },
-		{ CPRES_ZLIB, "zlib", NULL },
-		{ CPRES_NONE, "none", NULL },
-		{ 0, NULL, NULL }
-	}
+	{ CPRES_ZLIBX, "zlibx", NULL },
+	{ CPRES_ZLIB, "zlib", NULL },
+	{ CPRES_NONE, "none", NULL },
+	{ 0, NULL, NULL }
+};
+
+struct name_num_obj valid_compressions = {
+	"compress", NULL, NULL, 0, 0, valid_compressions_items
 };
 
 #define CF_INC_RECURSE	 (1<<0)
@@ -400,7 +402,7 @@ static const char *getenv_nstr(int ntype)
 	const char *env_str = getenv(ntype == NSTR_COMPRESS ? "RSYNC_COMPRESS_LIST" : "RSYNC_CHECKSUM_LIST");
 
 	/* When writing a batch file, we always negotiate an old-style choice. */
-	if (write_batch) 
+	if (write_batch)
 		env_str = ntype == NSTR_COMPRESS ? "zlib" : protocol_version >= 30 ? "md5" : "md4";
 
 	if (am_server && env_str) {
@@ -433,7 +435,7 @@ void validate_choice_vs_env(int ntype, int num1, int num2)
 		nno->saw[CSUM_MD4_ARCHAIC] = nno->saw[CSUM_MD4_BUSTED] = nno->saw[CSUM_MD4_OLD] = nno->saw[CSUM_MD4];
 
 	if (!nno->saw[num1] || (num2 >= 0 && !nno->saw[num2])) {
-		rprintf(FERROR, "Your --%s-choice value (%s) was refused by the server.\n", 
+		rprintf(FERROR, "Your --%s-choice value (%s) was refused by the server.\n",
 			ntype == NSTR_COMPRESS ? "compress" : "checksum",
 			ntype == NSTR_COMPRESS ? compress_choice : checksum_choice);
 		exit_cleanup(RERR_UNSUPPORTED);
@@ -523,6 +525,8 @@ static void negotiate_the_strings(int f_in, int f_out)
 {
 	/* We send all the negotiation strings before we start to read them to help avoid a slow startup. */
 
+	init_checksum_choices();
+
 	if (!checksum_choice)
 		send_negotiate_str(f_out, &valid_checksums, NSTR_CHECKSUM);
 

configure.ac

@@ -153,10 +153,10 @@ AC_ARG_WITH(included-popt,
 AC_ARG_WITH(included-zlib,
         AS_HELP_STRING([--with-included-zlib],[use bundled zlib library, not from system]))
 
-AC_ARG_WITH(protected-args,
-        AS_HELP_STRING([--with-protected-args],[make --protected-args option the default]))
-if test x"$with_protected_args" = x"yes"; then
-	AC_DEFINE_UNQUOTED(RSYNC_USE_PROTECTED_ARGS, 1, [Define to 1 if --protected-args should be the default])
+AC_ARG_WITH(secluded-args,
+        AS_HELP_STRING([--with-secluded-args],[make --secluded-args option the default]))
+if test x"$with_secluded_args" = x"yes"; then
+	AC_DEFINE_UNQUOTED(RSYNC_USE_SECLUDED_ARGS, 1, [Define to 1 if --secluded-args should be the default])
 fi
 
 AC_ARG_WITH(rsync-path,
@@ -1071,21 +1071,6 @@ elif test x"$ac_cv_header_popt_h" != x"yes"; then
     with_included_popt=yes
 fi
 
-if test x"$GCC" = x"yes"; then
-    if test x"$with_included_popt" != x"yes"; then
-	# Turn pedantic warnings into errors to ensure an array-init overflow is an error.
-	CFLAGS="$CFLAGS -pedantic-errors"
-    else
-	# Our internal popt code cannot be compiled with pedantic warnings as errors, so try to
-	# turn off pedantic warnings (which will not lose the error for array-init overflow).
-	# Older gcc versions don't understand -Wno-pedantic, so check if --help=warnings lists
-	# -Wpedantic and use that as a flag.
-	case `$CC --help=warnings 2>/dev/null | grep Wpedantic` in
-	    *-Wpedantic*) CFLAGS="$CFLAGS -pedantic-errors -Wno-pedantic" ;;
-	esac
-    fi
-fi
-
 AC_MSG_CHECKING([whether to use included libpopt])
 if test x"$with_included_popt" = x"yes"; then
     AC_MSG_RESULT($srcdir/popt)

exclude.c

@@ -33,17 +33,15 @@ extern int recurse;
 extern int local_server;
 extern int prune_empty_dirs;
 extern int ignore_perishable;
-extern int old_style_args;
 extern int relative_paths;
 extern int delete_mode;
 extern int delete_excluded;
 extern int cvs_exclude;
 extern int sanitize_paths;
 extern int protocol_version;
-extern int list_only;
+extern int trust_sender_args;
 extern int module_id;
 
-extern char *filesfrom_host;
 extern char curr_dir[MAXPATHLEN];
 extern unsigned int curr_dir_len;
 extern unsigned int module_dirlen;
@@ -54,6 +52,7 @@ filter_rule_list daemon_filter_list = { .debug_type = " [daemon]" };
 filter_rule_list implied_filter_list = { .debug_type = " [implied]" };
 
 int saw_xattr_filter = 0;
+int trust_sender_args = 0;
 int trust_sender_filter = 0;
 
 /* Need room enough for ":MODS " prefix plus some room to grow. */
@@ -301,62 +300,201 @@ static void add_rule(filter_rule_list *listp, const char *pat, unsigned int pat_
 	}
 }
 
-/* Each arg the client sends to the remote sender turns into an implied include
- * that the receiver uses to validate the file list from the sender. */
-void add_implied_include(const char *arg)
+/* If the wildcards failed, the remote shell might give us a file matching the literal
+ * wildcards.  Since "*" & "?" already match themselves, this just needs to deal with
+ * failed "[foo]" idioms.
+ */
+static void maybe_add_literal_brackets_rule(filter_rule const *based_on, int arg_len)
 {
 	filter_rule *rule;
-	int arg_len, saw_wild = 0, backslash_cnt = 0;
-	int slash_cnt = 1; /* We know we're adding a leading slash. */
+	const char *arg = based_on->pattern, *cp;
+	char *p;
+	int cnt = 0;
+
+	if (arg_len < 0)
+		arg_len = strlen(arg);
+
+	for (cp = arg; *cp; cp++) {
+		if (*cp == '\\' && cp[1]) {
+			cp++;
+		} else if (*cp == '[')
+			cnt++;
+	}
+	if (!cnt)
+		return;
+
+	rule = new0(filter_rule);
+	rule->rflags = based_on->rflags;
+	rule->u.slash_cnt = based_on->u.slash_cnt;
+	p = rule->pattern = new_array(char, arg_len + cnt + 1);
+	for (cp = arg; *cp; ) {
+		if (*cp == '\\' && cp[1]) {
+			*p++ = *cp++;
+		} else if (*cp == '[')
+			*p++ = '\\';
+		*p++ = *cp++;
+	}
+	*p++ = '\0';
+
+	rule->next = implied_filter_list.head;
+	implied_filter_list.head = rule;
+	if (DEBUG_GTE(FILTER, 3)) {
+		rprintf(FINFO, "[%s] add_implied_include(%s%s)\n", who_am_i(), rule->pattern,
+			rule->rflags & FILTRULE_DIRECTORY ? "/" : "");
+	}
+}
+
+static char *partial_string_buf = NULL;
+static int partial_string_len = 0;
+void implied_include_partial_string(const char *s_start, const char *s_end)
+{
+	partial_string_len = s_end - s_start;
+	if (partial_string_len <= 0 || partial_string_len >= MAXPATHLEN) { /* too-large should be impossible... */
+		partial_string_len = 0;
+		return;
+	}
+	if (!partial_string_buf)
+		partial_string_buf = new_array(char, MAXPATHLEN);
+	memcpy(partial_string_buf, s_start, partial_string_len);
+}
+
+void free_implied_include_partial_string()
+{
+	if (partial_string_buf) {
+		if (partial_string_len)
+			add_implied_include("", 0);
+		free(partial_string_buf);
+		partial_string_buf = NULL;
+	}
+	partial_string_len = 0; /* paranoia */
+}
+
+/* Each arg the client sends to the remote sender turns into an implied include
+ * that the receiver uses to validate the file list from the sender. */
+void add_implied_include(const char *arg, int skip_daemon_module)
+{
+	int arg_len, saw_wild = 0, saw_live_open_brkt = 0, backslash_cnt = 0;
+	int slash_cnt = 0;
 	const char *cp;
 	char *p;
-	if (am_server || old_style_args || list_only || filesfrom_host != NULL)
+	if (trust_sender_args)
 		return;
+	if (partial_string_len) {
+		arg_len = strlen(arg);
+		if (partial_string_len + arg_len >= MAXPATHLEN) {
+			partial_string_len = 0;
+			return; /* Should be impossible... */
+		}
+		memcpy(partial_string_buf + partial_string_len, arg, arg_len + 1);
+		partial_string_len = 0;
+		arg = partial_string_buf;
+	}
+	if (skip_daemon_module) {
+		if ((cp = strchr(arg, '/')) != NULL)
+			arg = cp + 1;
+		else
+			arg = "";
+	}
 	if (relative_paths) {
 		if ((cp = strstr(arg, "/./")) != NULL)
 			arg = cp + 3;
-	} else if ((cp = strrchr(arg, '/')) != NULL)
+	} else if ((cp = strrchr(arg, '/')) != NULL) {
 		arg = cp + 1;
+	}
+	if (*arg == '.' && arg[1] == '\0')
+		arg++;
 	arg_len = strlen(arg);
 	if (arg_len) {
+		char *new_pat;
 		if (strpbrk(arg, "*[?")) {
 			/* We need to add room to escape backslashes if wildcard chars are present. */
-			cp = arg;
-			while ((cp = strchr(cp, '\\')) != NULL) {
+			for (cp = arg; (cp = strchr(cp, '\\')) != NULL; cp++)
 				arg_len++;
-				cp++;
-			}
 			saw_wild = 1;
 		}
 		arg_len++; /* Leave room for the prefixed slash */
-		rule = new0(filter_rule);
-		if (!implied_filter_list.head)
-			implied_filter_list.head = implied_filter_list.tail = rule;
-		else {
-			rule->next = implied_filter_list.head;
-			implied_filter_list.head = rule;
-		}
-		rule->rflags = FILTRULE_INCLUDE + (saw_wild ? FILTRULE_WILD : 0);
-		p = rule->pattern = new_array(char, arg_len + 1);
+		p = new_pat = new_array(char, arg_len + 1);
 		*p++ = '/';
-		cp = arg;
-		while (*cp) {
+		slash_cnt++;
+		for (cp = arg; *cp; ) {
 			switch (*cp) {
 			  case '\\':
-				backslash_cnt++;
-				if (saw_wild)
-					*p++ = '\\';
+				if (cp[1] == ']') {
+					if (!saw_wild)
+						cp++; /* A \] in a non-wild filter causes a problem, so drop the \ . */
+				} else if (!strchr("*[?", cp[1])) {
+					backslash_cnt++;
+					if (saw_wild)
+						*p++ = '\\';
+				}
 				*p++ = *cp++;
 				break;
 			  case '/':
-				if (p[-1] == '/') /* This is safe because of the initial slash. */
-					break;
-				if (relative_paths) {
-					filter_rule const *ent;
-					int found = 0;
+				if (p[-1] == '/') { /* This is safe because of the initial slash. */
+					if (*++cp == '\0') {
+						slash_cnt--;
+						p--;
+					}
+				} else if (cp[1] == '\0') {
+					cp++;
+				} else {
+					slash_cnt++;
+					*p++ = *cp++;
+				}
+				break;
+			  case '.':
+				if (p[-1] == '/') {
+					if (cp[1] == '/') {
+						cp += 2;
+						if (!*cp) {
+							slash_cnt--;
+							p--;
+						}
+					} else if (cp[1] == '\0') {
+						cp++;
+						slash_cnt--;
+						p--;
+					} else
+						*p++ = *cp++;
+				} else
+					*p++ = *cp++;
+				break;
+			  case '[':
+				saw_live_open_brkt = 1;
+				*p++ = *cp++;
+				break;
+			  default:
+				*p++ = *cp++;
+				break;
+			}
+		}
+		*p = '\0';
+		arg_len = p - new_pat;
+		if (!arg_len)
+			free(new_pat);
+		else {
+			filter_rule *rule = new0(filter_rule);
+			rule->rflags = FILTRULE_INCLUDE + (saw_wild ? FILTRULE_WILD : 0);
+			rule->u.slash_cnt = slash_cnt;
+			arg = rule->pattern = new_pat;
+			if (!implied_filter_list.head)
+				implied_filter_list.head = implied_filter_list.tail = rule;
+			else {
+				rule->next = implied_filter_list.head;
+				implied_filter_list.head = rule;
+			}
+			if (DEBUG_GTE(FILTER, 3))
+				rprintf(FINFO, "[%s] add_implied_include(%s)\n", who_am_i(), arg);
+			if (saw_live_open_brkt)
+				maybe_add_literal_brackets_rule(rule, arg_len);
+			if (relative_paths && slash_cnt) {
+				filter_rule const *ent;
+				int found = 0;
+				slash_cnt = 1;
+				for (p = new_pat + 1; (p = strchr(p, '/')) != NULL; p++) {
 					*p = '\0';
 					for (ent = implied_filter_list.head; ent; ent = ent->next) {
-						if (ent != rule && strcmp(ent->pattern, rule->pattern) == 0) {
+						if (ent != rule && strcmp(ent->pattern, new_pat) == 0) {
 							found = 1;
 							break;
 						}
@@ -367,34 +505,27 @@ void add_implied_include(const char *arg)
 						/* Check if our sub-path has wildcards or escaped backslashes */
 						if (saw_wild && strpbrk(rule->pattern, "*[?\\"))
 							R_rule->rflags |= FILTRULE_WILD;
-						R_rule->pattern = strdup(rule->pattern);
+						R_rule->pattern = strdup(new_pat);
 						R_rule->u.slash_cnt = slash_cnt;
 						R_rule->next = implied_filter_list.head;
 						implied_filter_list.head = R_rule;
 						if (DEBUG_GTE(FILTER, 3)) {
 							rprintf(FINFO, "[%s] add_implied_include(%s/)\n",
-								who_am_i(), rule->pattern);
+								who_am_i(), R_rule->pattern);
 						}
+						if (saw_live_open_brkt)
+							maybe_add_literal_brackets_rule(R_rule, -1);
 					}
+					*p = '/';
+					slash_cnt++;
 				}
-				slash_cnt++;
-				*p++ = *cp++;
-				break;
-			  default:
-				*p++ = *cp++;
-				break;
 			}
 		}
-		*p = '\0';
-		rule->u.slash_cnt = slash_cnt;
-		arg = (const char *)rule->pattern;
-		if (DEBUG_GTE(FILTER, 3))
-			rprintf(FINFO, "[%s] add_implied_include(%s)\n", who_am_i(), rule->pattern);
 	}
 
 	if (recurse || xfer_dirs) {
 		/* Now create a rule with an added "/" & "**" or "*" at the end */
-		rule = new0(filter_rule);
+		filter_rule *rule = new0(filter_rule);
 		rule->rflags = FILTRULE_INCLUDE | FILTRULE_WILD;
 		if (recurse)
 			rule->rflags |= FILTRULE_WILD2;
@@ -402,8 +533,7 @@ void add_implied_include(const char *arg)
 		if (!saw_wild && backslash_cnt) {
 			/* We are appending a wildcard, so now the backslashes need to be escaped. */
 			p = rule->pattern = new_array(char, arg_len + backslash_cnt + 3 + 1);
-			cp = arg;
-			while (*cp) {
+			for (cp = arg; *cp; ) { /* Note that arg_len != 0 because backslash_cnt > 0 */
 				if (*cp == '\\')
 					*p++ = '\\';
 				*p++ = *cp++;
@@ -415,17 +545,21 @@ void add_implied_include(const char *arg)
 				p += arg_len;
 			}
 		}
-		if (p[-1] != '/')
+		if (p[-1] != '/') {
 			*p++ = '/';
+			slash_cnt++;
+		}
 		*p++ = '*';
 		if (recurse)
 			*p++ = '*';
 		*p = '\0';
-		rule->u.slash_cnt = slash_cnt + 1;
+		rule->u.slash_cnt = slash_cnt;
 		rule->next = implied_filter_list.head;
 		implied_filter_list.head = rule;
 		if (DEBUG_GTE(FILTER, 3))
 			rprintf(FINFO, "[%s] add_implied_include(%s)\n", who_am_i(), rule->pattern);
+		if (saw_live_open_brkt)
+			maybe_add_literal_brackets_rule(rule, p - rule->pattern);
 	}
 }
 

generator.c

@@ -1819,7 +1819,7 @@ static void recv_generator(char *fname, struct file_struct *file, int ndx,
 			goto cleanup;
 	  return_with_success:
 		if (!dry_run)
-			send_msg_int(MSG_SUCCESS, ndx);
+			send_msg_success(fname, ndx);
 		goto cleanup;
 	}
 

hlink.c

@@ -4,7 +4,7 @@
  * Copyright (C) 1996 Andrew Tridgell
  * Copyright (C) 1996 Paul Mackerras
  * Copyright (C) 2002 Martin Pool <mbp@samba.org>
- * Copyright (C) 2004-2020 Wayne Davison
+ * Copyright (C) 2004-2022 Wayne Davison
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -446,7 +446,7 @@ int hard_link_check(struct file_struct *file, int ndx, char *fname,
 		return -1;
 
 	if (remove_source_files == 1 && do_xfers)
-		send_msg_int(MSG_SUCCESS, ndx);
+		send_msg_success(fname, ndx);
 
 	return 1;
 }
@@ -519,7 +519,7 @@ void finish_hard_link(struct file_struct *file, const char *fname, int fin_ndx,
 		if (val < 0)
 			continue;
 		if (remove_source_files == 1 && do_xfers)
-			send_msg_int(MSG_SUCCESS, ndx);
+			send_msg_success(fname, ndx);
 	}
 
 	if (inc_recurse) {

io.c

@@ -41,6 +41,7 @@ extern int am_server;
 extern int am_sender;
 extern int am_receiver;
 extern int am_generator;
+extern int local_server;
 extern int msgs2stderr;
 extern int inc_recurse;
 extern int io_error;
@@ -84,6 +85,8 @@ int sock_f_out = -1;
 int64 total_data_read = 0;
 int64 total_data_written = 0;
 
+char num_dev_ino_buf[4 + 8 + 8];
+
 static struct {
 	xbuf in, out, msg;
 	int in_fd;
@@ -376,6 +379,7 @@ static void forward_filesfrom_data(void)
 			free_xbuf(&ff_xb);
 			if (ff_reenable_multiplex >= 0)
 				io_start_multiplex_out(ff_reenable_multiplex);
+			free_implied_include_partial_string();
 		}
 		return;
 	}
@@ -419,7 +423,7 @@ static void forward_filesfrom_data(void)
 		while (s != eob) {
 			if (*s++ == '\0') {
 				ff_xb.len = s - sob - 1;
-				add_implied_include(sob);
+				add_implied_include(sob, 0);
 				if (iconvbufs(ic_send, &ff_xb, &iobuf.out, flags) < 0)
 					exit_cleanup(RERR_PROTOCOL); /* impossible? */
 				write_buf(iobuf.out_fd, s-1, 1); /* Send the '\0'. */
@@ -435,6 +439,7 @@ static void forward_filesfrom_data(void)
 			ff_lastchar = '\0';
 		else {
 			/* Handle a partial string specially, saving any incomplete chars. */
+			implied_include_partial_string(sob, s);
 			flags &= ~ICB_INCLUDE_INCOMPLETE;
 			if (iconvbufs(ic_send, &ff_xb, &iobuf.out, flags) < 0) {
 				if (errno == E2BIG)
@@ -455,12 +460,13 @@ static void forward_filesfrom_data(void)
 		/* Eliminate any multi-'\0' runs. */
 		while (f != eob) {
 			if (!(*t++ = *f++)) {
-				add_implied_include(cur);
+				add_implied_include(cur, 0);
 				cur = t;
 				while (f != eob && *f == '\0')
 					f++;
 			}
 		}
+		implied_include_partial_string(cur, t);
 		ff_lastchar = f[-1];
 		if ((len = t - ff_xb.buf) != 0) {
 			/* This will not circle back to perform_io() because we only get
@@ -1061,6 +1067,24 @@ void send_msg_int(enum msgcode code, int num)
 	send_msg(code, numbuf, 4, -1);
 }
 
+void send_msg_success(const char *fname, int num)
+{
+	if (local_server) {
+		STRUCT_STAT st;
+
+		if (DEBUG_GTE(IO, 1))
+			rprintf(FINFO, "[%s] send_msg_success(%d)\n", who_am_i(), num);
+
+		if (stat(fname, &st) < 0)
+			memset(&st, 0, sizeof (STRUCT_STAT));
+		SIVAL(num_dev_ino_buf, 0, num);
+		SIVAL64(num_dev_ino_buf, 4, st.st_dev);
+		SIVAL64(num_dev_ino_buf, 4+8, st.st_ino);
+		send_msg(MSG_SUCCESS, num_dev_ino_buf, sizeof num_dev_ino_buf, -1);
+	} else
+		send_msg_int(MSG_SUCCESS, num);
+}
+
 static void got_flist_entry_status(enum festatus status, int ndx)
 {
 	struct file_list *flist = flist_for_ndx(ndx, "got_flist_entry_status");
@@ -1075,8 +1099,12 @@ static void got_flist_entry_status(enum festatus status, int ndx)
 
 	switch (status) {
 	case FES_SUCCESS:
-		if (remove_source_files)
-			send_msg_int(MSG_SUCCESS, ndx);
+		if (remove_source_files) {
+			if (local_server)
+				send_msg(MSG_SUCCESS, num_dev_ino_buf, sizeof num_dev_ino_buf, -1);
+			else
+				send_msg_int(MSG_SUCCESS, ndx);
+		}
 		/* FALL THROUGH */
 	case FES_NO_SEND:
 #ifdef SUPPORT_HARD_LINKS
@@ -1571,14 +1599,15 @@ static void read_a_msg(void)
 		}
 		break;
 	case MSG_SUCCESS:
-		if (msg_bytes != 4) {
+		if (msg_bytes != (local_server ? 4+8+8 : 4)) {
 		  invalid_msg:
 			rprintf(FERROR, "invalid multi-message %d:%lu [%s%s]\n",
 				tag, (unsigned long)msg_bytes, who_am_i(),
 				inc_recurse ? "/inc" : "");
 			exit_cleanup(RERR_STREAMIO);
 		}
-		val = raw_read_int();
+		raw_read_buf(num_dev_ino_buf, msg_bytes);
+		val = IVAL(num_dev_ino_buf, 0);
 		iobuf.in_multiplexed = 1;
 		if (am_generator)
 			got_flist_entry_status(FES_SUCCESS, val);

lib/sysacls.c

@@ -2,7 +2,7 @@
  * Unix SMB/CIFS implementation.
  * Based on the Samba ACL support code.
  * Copyright (C) Jeremy Allison 2000.
- * Copyright (C) 2007-2020 Wayne Davison
+ * Copyright (C) 2007-2022 Wayne Davison
  *
  * The permission functions have been changed to get/set all bits via
  * one call.  Some functions that rsync doesn't need were also removed.
@@ -175,7 +175,7 @@ int sys_acl_delete_def_file(const char *name)
 	return acl_delete_def_file(name);
 }
 
-int sys_acl_free_acl(SMB_ACL_T the_acl) 
+int sys_acl_free_acl(SMB_ACL_T the_acl)
 {
 	return acl_free(the_acl);
 }
@@ -185,7 +185,7 @@ int sys_acl_free_acl(SMB_ACL_T the_acl)
  * The interface to DEC/Compaq Tru64 UNIX ACLs
  * is based on Draft 13 of the POSIX spec which is
  * slightly different from the Draft 16 interface.
- * 
+ *
  * Also, some of the permset manipulation functions
  * such as acl_clear_perm() and acl_add_perm() appear
  * to be broken on Tru64 so we have to manipulate
@@ -310,7 +310,7 @@ int sys_acl_delete_def_file(const char *name)
 	return acl_delete_def_file((char *)name);
 }
 
-int sys_acl_free_acl(SMB_ACL_T the_acl) 
+int sys_acl_free_acl(SMB_ACL_T the_acl)
 {
 	return acl_free(the_acl);
 }
@@ -457,7 +457,7 @@ SMB_ACL_T sys_acl_get_file(const char *path_p, SMB_ACL_TYPE_T type)
 			break;
 	}
 	ndefault = count - naccess;
-	
+
 	/*
 	 * if the caller wants the default ACL we have to copy
 	 * the entries down to the start of the acl[] buffer
@@ -517,7 +517,7 @@ SMB_ACL_T sys_acl_get_fd(int fd)
 		if (acl_d->acl[naccess].a_type & ACL_DEFAULT)
 			break;
 	}
-	
+
 	acl_d->count = naccess;
 
 	return acl_d;
@@ -532,7 +532,7 @@ int sys_acl_get_info(SMB_ACL_ENTRY_T entry, SMB_ACL_TAG_T *tag_type_p, uint32 *b
 
 	if (*tag_type_p == SMB_ACL_USER || *tag_type_p == SMB_ACL_GROUP)
 		*u_g_id_p = entry->a_id;
-	
+
 	return 0;
 }
 
@@ -633,7 +633,7 @@ static int acl_sort(SMB_ACL_T acl_d)
 	}
 	return 0;
 }
- 
+
 int sys_acl_valid(SMB_ACL_T acl_d)
 {
 	return acl_sort(acl_d);
@@ -755,11 +755,11 @@ int sys_acl_delete_def_file(const char *path)
 	ret = acl(path, SETACL, acl_d->count, acl_d->acl);
 
 	sys_acl_free_acl(acl_d);
-	
+
 	return ret;
 }
 
-int sys_acl_free_acl(SMB_ACL_T acl_d) 
+int sys_acl_free_acl(SMB_ACL_T acl_d)
 {
 	SAFE_FREE(acl_d);
 	return 0;
@@ -895,10 +895,10 @@ SMB_ACL_T sys_acl_get_file(const char *path_p, SMB_ACL_TYPE_T type)
 	int		ndefault;	/* # of default ACL entries	*/
 
 	if (hpux_acl_call_presence() == False) {
-		/* Looks like we don't have the acl() system call on HPUX. 
+		/* Looks like we don't have the acl() system call on HPUX.
 		 * May be the system doesn't have the latest version of JFS.
 		 */
-		return NULL; 
+		return NULL;
 	}
 
 	if (type != SMB_ACL_TYPE_ACCESS && type != SMB_ACL_TYPE_DEFAULT) {
@@ -949,7 +949,7 @@ SMB_ACL_T sys_acl_get_file(const char *path_p, SMB_ACL_TYPE_T type)
 			break;
 	}
 	ndefault = count - naccess;
-	
+
 	/*
 	 * if the caller wants the default ACL we have to copy
 	 * the entries down to the start of the acl[] buffer
@@ -1109,9 +1109,9 @@ struct hpux_acl_types {
  * aclp           - Array of ACL structures.
  * acl_type_count - Pointer to acl_types structure. Should already be
  *                  allocated.
- * Output: 
+ * Output:
  *
- * acl_type_count - This structure is filled up with counts of various 
+ * acl_type_count - This structure is filled up with counts of various
  *                  acl types.
  */
 
@@ -1123,28 +1123,28 @@ static void hpux_count_obj(int acl_count, struct acl *aclp, struct hpux_acl_type
 
 	for (i = 0; i < acl_count; i++) {
 		switch (aclp[i].a_type) {
-		case USER: 
+		case USER:
 			acl_type_count->n_user++;
 			break;
-		case USER_OBJ: 
+		case USER_OBJ:
 			acl_type_count->n_user_obj++;
 			break;
-		case DEF_USER_OBJ: 
+		case DEF_USER_OBJ:
 			acl_type_count->n_def_user_obj++;
 			break;
-		case GROUP: 
+		case GROUP:
 			acl_type_count->n_group++;
 			break;
-		case GROUP_OBJ: 
+		case GROUP_OBJ:
 			acl_type_count->n_group_obj++;
 			break;
-		case DEF_GROUP_OBJ: 
+		case DEF_GROUP_OBJ:
 			acl_type_count->n_def_group_obj++;
 			break;
-		case OTHER_OBJ: 
+		case OTHER_OBJ:
 			acl_type_count->n_other_obj++;
 			break;
-		case DEF_OTHER_OBJ: 
+		case DEF_OTHER_OBJ:
 			acl_type_count->n_def_other_obj++;
 			break;
 		case CLASS_OBJ:
@@ -1159,14 +1159,14 @@ static void hpux_count_obj(int acl_count, struct acl *aclp, struct hpux_acl_type
 		case DEF_GROUP:
 			acl_type_count->n_def_group++;
 			break;
-		default: 
+		default:
 			acl_type_count->n_illegal_obj++;
 			break;
 		}
 	}
 }
 
-/* swap_acl_entries:  Swaps two ACL entries. 
+/* swap_acl_entries:  Swaps two ACL entries.
  *
  * Inputs: aclp0, aclp1 - ACL entries to be swapped.
  */
@@ -1189,25 +1189,25 @@ static void hpux_swap_acl_entries(struct acl *aclp0, struct acl *aclp1)
 }
 
 /* prohibited_duplicate_type
- * Identifies if given ACL type can have duplicate entries or 
+ * Identifies if given ACL type can have duplicate entries or
  * not.
  *
  * Inputs: acl_type - ACL Type.
  *
- * Outputs: 
+ * Outputs:
  *
- * Return.. 
+ * Return..
  *
  * True - If the ACL type matches any of the prohibited types.
  * False - If the ACL type doesn't match any of the prohibited types.
- */ 
+ */
 
 static BOOL hpux_prohibited_duplicate_type(int acl_type)
 {
 	switch (acl_type) {
 	case USER:
 	case GROUP:
-	case DEF_USER: 
+	case DEF_USER:
 	case DEF_GROUP:
 		return True;
 	default:
@@ -1217,7 +1217,7 @@ static BOOL hpux_prohibited_duplicate_type(int acl_type)
 
 /* get_needed_class_perm
  * Returns the permissions of a ACL structure only if the ACL
- * type matches one of the pre-determined types for computing 
+ * type matches one of the pre-determined types for computing
  * CLASS_OBJ permissions.
  *
  * Inputs: aclp - Pointer to ACL structure.
@@ -1226,17 +1226,17 @@ static BOOL hpux_prohibited_duplicate_type(int acl_type)
 static int hpux_get_needed_class_perm(struct acl *aclp)
 {
 	switch (aclp->a_type) {
-	case USER: 
-	case GROUP_OBJ: 
-	case GROUP: 
-	case DEF_USER_OBJ: 
+	case USER:
+	case GROUP_OBJ:
+	case GROUP:
+	case DEF_USER_OBJ:
 	case DEF_USER:
-	case DEF_GROUP_OBJ: 
+	case DEF_GROUP_OBJ:
 	case DEF_GROUP:
 	case DEF_CLASS_OBJ:
-	case DEF_OTHER_OBJ: 
+	case DEF_OTHER_OBJ:
 		return aclp->a_perm;
-	default: 
+	default:
 		return 0;
 	}
 }
@@ -1267,15 +1267,15 @@ static int hpux_acl_sort(int acl_count, int calclass, struct acl *aclp)
 #if !defined(HAVE_HPUX_ACLSORT)
 	/*
 	 * The aclsort() system call is available on the latest HPUX General
-	 * Patch Bundles. So for HPUX, we developed our version of acl_sort 
-	 * function. Because, we don't want to update to a new 
+	 * Patch Bundles. So for HPUX, we developed our version of acl_sort
+	 * function. Because, we don't want to update to a new
 	 * HPUX GR bundle just for aclsort() call.
 	 */
 
 	struct hpux_acl_types acl_obj_count;
 	int n_class_obj_perm = 0;
 	int i, j;
- 
+
 	if (!acl_count) {
 		DEBUG(10, ("Zero acl count passed. Returning Success\n"));
 		return 0;
@@ -1290,8 +1290,8 @@ static int hpux_acl_sort(int acl_count, int calclass, struct acl *aclp)
 
 	hpux_count_obj(acl_count, aclp, &acl_obj_count);
 
-	/* There should be only one entry each of type USER_OBJ, GROUP_OBJ, 
-	 * CLASS_OBJ and OTHER_OBJ 
+	/* There should be only one entry each of type USER_OBJ, GROUP_OBJ,
+	 * CLASS_OBJ and OTHER_OBJ
 	 */
 
 	if (acl_obj_count.n_user_obj != 1
@@ -1313,15 +1313,15 @@ or DEF_USER_OBJ or DEF_GROUP_OBJ or DEF_OTHER_OBJ\n"));
 		return -1;
 	}
 
-	/* We now have proper number of OBJ and DEF_OBJ entries. Now sort the acl 
-	 * structures.  
+	/* We now have proper number of OBJ and DEF_OBJ entries. Now sort the acl
+	 * structures.
 	 *
 	 * Sorting crieteria - First sort by ACL type. If there are multiple entries of
 	 * same ACL type, sort by ACL id.
 	 *
-	 * I am using the trivial kind of sorting method here because, performance isn't 
+	 * I am using the trivial kind of sorting method here because, performance isn't
 	 * really effected by the ACLs feature. More over there aren't going to be more
-	 * than 17 entries on HPUX. 
+	 * than 17 entries on HPUX.
 	 */
 
 	for (i = 0; i < acl_count; i++) {
@@ -1390,7 +1390,7 @@ static int acl_sort(SMB_ACL_T acl_d)
 	}
 	return 0;
 }
- 
+
 int sys_acl_valid(SMB_ACL_T acl_d)
 {
 	return acl_sort(acl_d);
@@ -1405,11 +1405,11 @@ int sys_acl_set_file(const char *name, SMB_ACL_TYPE_T type, SMB_ACL_T acl_d)
 	int		ret;
 
 	if (hpux_acl_call_presence() == False) {
-		/* Looks like we don't have the acl() system call on HPUX. 
+		/* Looks like we don't have the acl() system call on HPUX.
 		 * May be the system doesn't have the latest version of JFS.
 		 */
 		errno=ENOSYS;
-		return -1; 
+		return -1;
 	}
 
 	if (type != SMB_ACL_TYPE_ACCESS && type != SMB_ACL_TYPE_DEFAULT) {
@@ -1538,11 +1538,11 @@ int sys_acl_delete_def_file(const char *path)
 	ret = acl(path, ACL_SET, acl_d->count, acl_d->acl);
 
 	sys_acl_free_acl(acl_d);
-	
+
 	return ret;
 }
 
-int sys_acl_free_acl(SMB_ACL_T acl_d) 
+int sys_acl_free_acl(SMB_ACL_T acl_d)
 {
 	free(acl_d);
 	return 0;
@@ -1723,7 +1723,7 @@ int sys_acl_delete_def_file(const char *name)
 	return acl_delete_def_file(name);
 }
 
-int sys_acl_free_acl(SMB_ACL_T acl_d) 
+int sys_acl_free_acl(SMB_ACL_T acl_d)
 {
 	if (acl_d->freeaclp) {
 		acl_free(acl_d->aclp);
@@ -1834,12 +1834,12 @@ SMB_ACL_T sys_acl_get_file(const char *path_p, SMB_ACL_TYPE_T type)
 	}
 
 	/* Get the acl using statacl */
- 
+
 	DEBUG(10, ("Entering sys_acl_get_file\n"));
 	DEBUG(10, ("path_p is %s\n", path_p));
 
 	file_acl = (struct acl *)SMB_MALLOC(BUFSIZ);
- 
+
 	if (file_acl == NULL) {
 		errno=ENOMEM;
 		DEBUG(0, ("Error in AIX sys_acl_get_file: %d\n", errno));
@@ -1931,9 +1931,9 @@ SMB_ACL_T sys_acl_get_file(const char *path_p, SMB_ACL_TYPE_T type)
 			 * to be specified but, it's better than leaving it 0 */
 
 			acl_entry_link->entryp->ace_type = acl_entry->ace_type;
- 
+
 			acl_entry_link->entryp->ace_access = acl_entry->ace_access;
- 
+
 			memcpy(acl_entry_link->entryp->ace_id, idp, sizeof (struct ace_id));
 
 			/* The access in the acl entries must be left shifted by *
@@ -1962,7 +1962,7 @@ SMB_ACL_T sys_acl_get_file(const char *path_p, SMB_ACL_TYPE_T type)
 
 			DEBUG(10, ("acl_entry = %d\n", acl_entry));
 			DEBUG(10, ("The ace_type is %d\n", acl_entry->ace_type));
- 
+
 			acl_entry = acl_nxt(acl_entry);
 		}
 	} /* end of if enabled */
@@ -2014,12 +2014,12 @@ SMB_ACL_T sys_acl_get_file(const char *path_p, SMB_ACL_TYPE_T type)
 			new_acl_entry->ace_access = file_acl->o_access << 6;
 			idp->id_type = SMB_ACL_OTHER;
 			break;
- 
+
 		case 1:
 			new_acl_entry->ace_access = file_acl->u_access << 6;
 			idp->id_type = SMB_ACL_USER_OBJ;
 			break;
- 
+
 		default:
 			return NULL;
 
@@ -2048,7 +2048,7 @@ SMB_ACL_T sys_acl_get_fd(int fd)
 	int rc = 0;
 
 	/* Get the acl using fstatacl */
-   
+
 	DEBUG(10, ("Entering sys_acl_get_fd\n"));
 	DEBUG(10, ("fd is %d\n", fd));
 	file_acl = (struct acl *)SMB_MALLOC(BUFSIZ);
@@ -2095,12 +2095,12 @@ SMB_ACL_T sys_acl_get_fd(int fd)
 
 	DEBUG(10, ("acl_entry is %d\n", acl_entry));
 	DEBUG(10, ("acl_last(file_acl) id %d\n", acl_last(file_acl)));
- 
+
 	/* Check if the extended acl bit is on.   *
 	 * If it isn't, do not show the           *
 	 * contents of the acl since AIX intends  *
 	 * the extended info to remain unused     */
- 
+
 	if (file_acl->acl_mode & S_IXACL){
 		/* while we are not pointing to the very end */
 		while (acl_entry < acl_last(file_acl)) {
@@ -2115,7 +2115,7 @@ SMB_ACL_T sys_acl_get_fd(int fd)
 			}
 
 			idp = acl_entry->ace_id;
- 
+
 			/* Check if this is the first entry in the linked list. *
 			 * The first entry needs to keep prevp pointing to NULL *
 			 * and already has entryp allocated.                 */
@@ -2177,7 +2177,7 @@ SMB_ACL_T sys_acl_get_fd(int fd)
 
 			DEBUG(10, ("acl_entry = %d\n", acl_entry));
 			DEBUG(10, ("The ace_type is %d\n", acl_entry->ace_type));
- 
+
 			acl_entry = acl_nxt(acl_entry);
 		}
 	} /* end of if enabled */
@@ -2210,43 +2210,43 @@ SMB_ACL_T sys_acl_get_fd(int fd)
 		}
 
 		acl_entry_link->nextp = NULL;
- 
+
 		new_acl_entry = acl_entry_link->entryp;
 		idp = new_acl_entry->ace_id;
- 
+
 		new_acl_entry->ace_len = sizeof (struct acl_entry);
 		new_acl_entry->ace_type = ACC_PERMIT;
 		idp->id_len = sizeof (struct ace_id);
 		DEBUG(10, ("idp->id_len = %d\n", idp->id_len));
 		memset(idp->id_data, 0, sizeof (uid_t));
- 
+
 		switch (i) {
 		case 2:
 			new_acl_entry->ace_access = file_acl->g_access << 6;
 			idp->id_type = SMB_ACL_GROUP_OBJ;
 			break;
- 
+
 		case 3:
 			new_acl_entry->ace_access = file_acl->o_access << 6;
 			idp->id_type = SMB_ACL_OTHER;
 			break;
- 
+
 		case 1:
 			new_acl_entry->ace_access = file_acl->u_access << 6;
 			idp->id_type = SMB_ACL_USER_OBJ;
 			break;
- 
+
 		default:
 			return NULL;
 		}
- 
+
 		acl_entry_link_head->count++;
 		DEBUG(10, ("new_acl_entry->ace_access = %d\n", new_acl_entry->ace_access));
 	}
 
 	acl_entry_link_head->count = 0;
 	SAFE_FREE(file_acl);
- 
+
 	return acl_entry_link_head;
 }
 #endif
@@ -2274,7 +2274,7 @@ int sys_acl_get_info(SMB_ACL_ENTRY_T entry, SMB_ACL_TAG_T *tag_type_p, uint32 *b
 SMB_ACL_T sys_acl_init(int count)
 {
 	struct acl_entry_link *theacl = NULL;
- 
+
 	if (count < 0) {
 		errno = EINVAL;
 		return NULL;
@@ -2383,9 +2383,9 @@ int sys_acl_valid(SMB_ACL_T theacl)
 	}
 
 	DEBUG(10, ("user_obj=%d, group_obj=%d, other_obj=%d\n", user_obj, group_obj, other_obj));
- 
+
 	if (user_obj != 1 || group_obj != 1 || other_obj != 1)
-		return -1; 
+		return -1;
 
 	return 0;
 }
@@ -2404,7 +2404,7 @@ int sys_acl_set_file(const char *name, SMB_ACL_TYPE_T acltype, SMB_ACL_T theacl)
 
 	DEBUG(10, ("Entering sys_acl_set_file\n"));
 	DEBUG(10, ("File name is %s\n", name));
- 
+
 	/* AIX has no default ACL */
 	if (acltype == SMB_ACL_TYPE_DEFAULT)
 		return 0;
@@ -2449,7 +2449,7 @@ int sys_acl_set_file(const char *name, SMB_ACL_TYPE_T acltype, SMB_ACL_T theacl)
 				errno = ENOMEM;
 				DEBUG(0, ("Error in sys_acl_set_file is %d\n", errno));
 				return -1;
-			}  
+			}
 
 			memcpy(file_acl_temp, file_acl, file_acl->acl_len);
 			SAFE_FREE(file_acl);
@@ -2460,15 +2460,15 @@ int sys_acl_set_file(const char *name, SMB_ACL_TYPE_T acltype, SMB_ACL_T theacl)
 		file_acl->acl_len += sizeof (struct acl_entry);
 		acl_entry->ace_len = acl_entry_link->entryp->ace_len;
 		acl_entry->ace_access = acl_entry_link->entryp->ace_access;
- 
+
 		/* In order to use this, we'll need to wait until we can get denies */
 		/* if (!acl_entry->ace_access && acl_entry->ace_type == ACC_PERMIT)
 			acl_entry->ace_type = ACC_SPECIFY; */
 
 		acl_entry->ace_type = ACC_SPECIFY;
- 
+
 		ace_id = acl_entry->ace_id;
- 
+
 		ace_id->id_type = acl_entry_link->entryp->ace_id->id_type;
 		DEBUG(10, ("The id type is %d\n", ace_id->id_type));
 		ace_id->id_len = acl_entry_link->entryp->ace_id->id_len;
@@ -2496,7 +2496,7 @@ int sys_acl_set_fd(int fd, SMB_ACL_T theacl)
 	uint user_id;
 	uint acl_length;
 	uint rc;
- 
+
 	DEBUG(10, ("Entering sys_acl_set_fd\n"));
 	acl_length = BUFSIZ;
 	file_acl = (struct acl *)SMB_MALLOC(BUFSIZ);
@@ -2508,7 +2508,7 @@ int sys_acl_set_fd(int fd, SMB_ACL_T theacl)
 	}
 
 	memset(file_acl, 0, BUFSIZ);
- 
+
 	file_acl->acl_len = ACL_SIZ;
 	file_acl->acl_mode = S_IXACL;
 
@@ -2550,22 +2550,22 @@ int sys_acl_set_fd(int fd, SMB_ACL_T theacl)
 		file_acl->acl_len += sizeof (struct acl_entry);
 		acl_entry->ace_len = acl_entry_link->entryp->ace_len;
 		acl_entry->ace_access = acl_entry_link->entryp->ace_access;
- 
+
 		/* In order to use this, we'll need to wait until we can get denies */
 		/* if (!acl_entry->ace_access && acl_entry->ace_type == ACC_PERMIT)
 			acl_entry->ace_type = ACC_SPECIFY; */
- 
+
 		acl_entry->ace_type = ACC_SPECIFY;
- 
+
 		ace_id = acl_entry->ace_id;
- 
+
 		ace_id->id_type = acl_entry_link->entryp->ace_id->id_type;
 		DEBUG(10, ("The id type is %d\n", ace_id->id_type));
 		ace_id->id_len = acl_entry_link->entryp->ace_id->id_len;
 		memcpy(&user_id, acl_entry_link->entryp->ace_id->id_data, sizeof (uid_t));
 		memcpy(ace_id->id_data, &user_id, sizeof (uid_t));
 	}
- 
+
 	rc = fchacl(fd, file_acl, file_acl->acl_len);
 	DEBUG(10, ("errno is %d\n", errno));
 	DEBUG(10, ("return code is %d\n", rc));
@@ -2594,7 +2594,7 @@ int sys_acl_free_acl(SMB_ACL_T posix_acl)
 	SAFE_FREE(acl_entry_link->prevp);
 	SAFE_FREE(acl_entry_link->entryp);
 	SAFE_FREE(acl_entry_link);
- 
+
 	return 0;
 }
 

lib/sysacls.h

@@ -3,7 +3,7 @@
  * Version 2.2.x
  * Portable SMB ACL interface
  * Copyright (C) Jeremy Allison 2000
- * Copyright (C) 2007-2020 Wayne Davison
+ * Copyright (C) 2007-2022 Wayne Davison
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -232,7 +232,7 @@ struct new_acl_entry{
 
 #define SMB_ACL_ENTRY_T		struct new_acl_entry*
 #define SMB_ACL_T		struct acl_entry_link*
- 
+
 #define SMB_ACL_TAG_T		unsigned short
 #define SMB_ACL_TYPE_T		int
 

main.c

@@ -89,7 +89,6 @@ extern int backup_dir_len;
 extern int basis_dir_cnt;
 extern int default_af_hint;
 extern int stdout_format_has_i;
-extern int trust_sender_filter;
 extern struct stats stats;
 extern char *stdout_format;
 extern char *logfile_format;
@@ -636,7 +635,6 @@ static pid_t do_cmd(char *cmd, char *machine, char *user, char **remote_argv, in
 #ifdef ICONV_CONST
 		setup_iconv();
 #endif
-		trust_sender_filter = 1;
 	} else if (local_server) {
 		/* If the user didn't request --[no-]whole-file, force
 		 * it on, but only if we're not batch processing. */
@@ -1504,7 +1502,7 @@ static int start_client(int argc, char *argv[])
 		int dummy_port = rsync_port;
 		int i;
 		if (filesfrom_fd < 0)
-			add_implied_include(remote_argv[0]);
+			add_implied_include(remote_argv[0], daemon_connection);
 		/* For remote source, any extra source args must have either
 		 * the same hostname or an empty hostname. */
 		for (i = 1; i < remote_argc; i++) {
@@ -1528,7 +1526,7 @@ static int start_client(int argc, char *argv[])
 			if (!rsync_port && !*arg) /* Turn an empty arg into a dot dir. */
 				arg = ".";
 			remote_argv[i] = arg;
-			add_implied_include(arg);
+			add_implied_include(arg, daemon_connection);
 		}
 	}
 

md-convert

@@ -389,7 +389,7 @@ class TransformHtml(HTMLParser):
                     if val.startswith(('https://', 'http://', 'mailto:', 'ftp:')):
                         pass # nothing to check
                     elif '#' in val:
-                        pg, tgt = val.split('#', 2)
+                        pg, tgt = val.split('#', 1)
                         if pg and pg not in VALID_PAGES or '#' in tgt:
                             st.bad_hashtags.add(val)
                         elif tgt in ('', 'opt', 'dopt'):
@@ -478,7 +478,7 @@ class TransformHtml(HTMLParser):
                 find = 'href="' + st.a_href + '"'
                 for j in range(len(st.html_out)-1, 0, -1):
                     if find in st.html_out[j]:
-                        pg, tgt = st.a_href.split('#', 2)
+                        pg, tgt = st.a_href.split('#', 1)
                         derived = txt2target(atxt, tgt)
                         if pg == '':
                             if derived in st.latest_targets:
@@ -609,12 +609,12 @@ def die(*msg):
 
 
 if __name__ == '__main__':
-    parser = argparse.ArgumentParser(description="Output html and (optionally) nroff for markdown pages.", add_help=False)
+    parser = argparse.ArgumentParser(description="Convert markdown into html and (optionally) nroff. Each input filename must have a .md suffix, which is changed to .html for the output filename. If the input filename ends with .num.md (e.g. foo.1.md) then a nroff file is also output with the input filename's .md suffix removed (e.g. foo.1).", add_help=False)
     parser.add_argument('--test', action='store_true', help="Just test the parsing without outputting any files.")
-    parser.add_argument('--dest', metavar='DIR', help="Put files into DIR instead of the current directory.")
+    parser.add_argument('--dest', metavar='DIR', help="Create files in DIR instead of the current directory.")
     parser.add_argument('--debug', '-D', action='count', default=0, help='Output copious info on the html parsing. Repeat for even more.')
     parser.add_argument("--help", "-h", action="help", help="Output this help message and exit.")
-    parser.add_argument("mdfiles", nargs='+', help="The source .md files to convert.")
+    parser.add_argument("mdfiles", metavar='FILE.md', nargs='+', help="One or more .md files to convert.")
     args = parser.parse_args()
 
     try:

mkgitver

@@ -1,14 +1,14 @@
 #!/bin/sh
 
 srcdir=`dirname $0`
-gitver=`git describe --abbrev=8 2>/dev/null`
 
 if [ ! -f git-version.h ]; then
     touch git-version.h
 fi
 
-case "$gitver" in
-    *.*)
+if [ -e "$srcdir/.git" ]; then
+    gitver=`git describe --abbrev=8 2>/dev/null | sed -n '/^v3\.[0-9][0-9]*\.[0-9][0-9]*\(-\|$\)/p'`
+    if [ -n "$gitver" ]; then
 	echo "#define RSYNC_GITVER \"$gitver\"" >git-version.h.new
 	if ! diff git-version.h.new git-version.h >/dev/null; then
 	    echo "Updating git-version.h"
@@ -16,5 +16,5 @@ case "$gitver" in
 	else
 	    rm git-version.h.new
 	fi
-	;;
-esac
+    fi
+fi

options.c

@@ -27,6 +27,8 @@
 extern int module_id;
 extern int local_server;
 extern int sanitize_paths;
+extern int trust_sender_args;
+extern int trust_sender_filter;
 extern unsigned int module_dirlen;
 extern filter_rule_list filter_list;
 extern filter_rule_list daemon_filter_list;
@@ -64,6 +66,7 @@ int preserve_atimes = 0;
 int preserve_crtimes = 0;
 int omit_dir_times = 0;
 int omit_link_times = 0;
+int trust_sender = 0;
 int update_only = 0;
 int open_noatime = 0;
 int cvs_exclude = 0;
@@ -785,9 +788,12 @@ static struct poptOption long_options[] = {
   {"no-from0",         0,  POPT_ARG_VAL,    &eol_nulls, 0, 0, 0},
   {"old-args",         0,  POPT_ARG_NONE,   0, OPT_OLD_ARGS, 0, 0},
   {"no-old-args",      0,  POPT_ARG_VAL,    &old_style_args, 0, 0, 0},
-  {"protect-args",    's', POPT_ARG_VAL,    &protect_args, 1, 0, 0},
+  {"secluded-args",   's', POPT_ARG_VAL,    &protect_args, 1, 0, 0},
+  {"no-secluded-args", 0,  POPT_ARG_VAL,    &protect_args, 0, 0, 0},
+  {"protect-args",     0,  POPT_ARG_VAL,    &protect_args, 1, 0, 0},
   {"no-protect-args",  0,  POPT_ARG_VAL,    &protect_args, 0, 0, 0},
   {"no-s",             0,  POPT_ARG_VAL,    &protect_args, 0, 0, 0},
+  {"trust-sender",     0,  POPT_ARG_VAL,    &trust_sender, 1, 0, 0},
   {"numeric-ids",      0,  POPT_ARG_VAL,    &numeric_ids, 1, 0, 0 },
   {"no-numeric-ids",   0,  POPT_ARG_VAL,    &numeric_ids, 0, 0, 0 },
   {"usermap",          0,  POPT_ARG_STRING, 0, OPT_USERMAP, 0, 0 },
@@ -946,7 +952,7 @@ static void set_refuse_options(void)
 		if (!am_daemon
 		 || op->shortName == 'e' /* Required for compatibility flags */
 		 || op->shortName == '0' /* --from0 just modifies --files-from, so refuse that instead (or not) */
-		 || op->shortName == 's' /* --protect-args is always OK */
+		 || op->shortName == 's' /* --secluded-args is always OK */
 		 || op->shortName == 'n' /* --dry-run is always OK */
 		 || strcmp("iconv", longName) == 0
 		 || strcmp("no-iconv", longName) == 0
@@ -1945,7 +1951,7 @@ int parse_arguments(int *argc_p, const char ***argv_p)
 	} else if (old_style_args) {
 		if (protect_args > 0) {
 			snprintf(err_buf, sizeof err_buf,
-				 "--protect-args conflicts with --old-args.\n");
+				 "--secluded-args conflicts with --old-args.\n");
 			return 0;
 		}
 		protect_args = 0;
@@ -1957,7 +1963,7 @@ int parse_arguments(int *argc_p, const char ***argv_p)
 		else if ((arg = getenv("RSYNC_PROTECT_ARGS")) != NULL && *arg)
 			protect_args = atoi(arg) ? 1 : 0;
 		else {
-#ifdef RSYNC_USE_PROTECTED_ARGS
+#ifdef RSYNC_USE_SECLUDED_ARGS
 			protect_args = 1;
 #else
 			protect_args = 0;
@@ -2465,6 +2471,11 @@ int parse_arguments(int *argc_p, const char ***argv_p)
 		}
 	}
 
+	if (trust_sender || am_server || read_batch)
+		trust_sender_args = trust_sender_filter = 1;
+	else if (old_style_args || filesfrom_host != NULL)
+		trust_sender_args = 1;
+
 	am_starting_up = 0;
 
 	return 1;
@@ -2492,12 +2503,19 @@ char *safe_arg(const char *opt, const char *arg)
 	BOOL is_filename_arg = !opt;
 	char *escapes = is_filename_arg ? SHELL_CHARS : WILD_CHARS SHELL_CHARS;
 	BOOL escape_leading_dash = is_filename_arg && *arg == '-';
+	BOOL escape_leading_tilde = 0;
 	int len1 = opt && *opt ? strlen(opt) + 1 : 0;
 	int len2 = strlen(arg);
 	int extras = escape_leading_dash ? 2 : 0;
 	char *ret;
 	if (!protect_args && old_style_args < 2 && (!old_style_args || (!is_filename_arg && opt != SPLIT_ARG_WHEN_OLD))) {
 		const char *f;
+		if (!trust_sender_args && *arg == '~'
+		 && ((relative_paths && !strstr(arg, "/./"))
+		  || !strchr(arg, '/'))) {
+			extras++;
+			escape_leading_tilde = 1;
+		}
 		for (f = arg; *f; f++) {
 			if (strchr(escapes, *f))
 				extras++;
@@ -2520,8 +2538,13 @@ char *safe_arg(const char *opt, const char *arg)
 	else {
 		const char *f = arg;
 		char *t = ret + len1;
+		if (escape_leading_tilde)
+			*t++ = '\\';
 		while (*f) {
-			if (strchr(escapes, *f))
+                        if (*f == '\\') {
+				if (!is_filename_arg || !strchr(WILD_CHARS, f[1]))
+					*t++ = '\\';
+			} else if (strchr(escapes, *f))
 				*t++ = '\\';
 			*t++ = *f++;
 		}

packaging/cull-options

@@ -27,6 +27,7 @@ long_opts = { # These include some extra long-args that BackupPC uses:
         'recursive': 0,
         'stderr': 1,
         'times': 0,
+        'copy-devices': -1,
         'write-devices': -1,
         }
 

packaging/lsb/rsync.spec

@@ -1,9 +1,9 @@
 Summary: A fast, versatile, remote (and local) file-copying tool
 Name: rsync
-Version: 3.2.5
-%define fullversion %{version}pre1
-Release: 0.1.pre1
-%define srcdir src-previews
+Version: 3.2.6
+%define fullversion %{version}
+Release: 1
+%define srcdir src
 Group: Applications/Internet
 License: GPL
 Source0: https://rsync.samba.org/ftp/rsync/%{srcdir}/rsync-%{fullversion}.tar.gz
@@ -79,8 +79,8 @@ rm -rf $RPM_BUILD_ROOT
 %dir /etc/rsync-ssl/certs
 
 %changelog
-* Mon Aug 01 2022 Wayne Davison <wayne@opencoder.net>
-Released 3.2.5pre1.
+* Fri Sep 09 2022 Wayne Davison <wayne@opencoder.net>
+Released 3.2.6.
 
 * Fri Mar 21 2008 Wayne Davison <wayne@opencoder.net>
 Added installation of /etc/xinetd.d/rsync file and some commented-out

packaging/pkglib.py

@@ -32,7 +32,7 @@ def _tweak_opts(cmd, opts, **maybe_set_args):
     opts = opts.copy()
     _maybe_set(opts, **maybe_set_args)
 
-    if type(cmd) == str:
+    if isinstance(cmd, str):
         _maybe_set(opts, shell=True)
 
     want_raw = opts.pop('raw', False)

packaging/release-rsync

@@ -232,7 +232,7 @@ About to:
     cmd_chk(['packaging/year-tweak'])
 
     print(dash_line)
-    cmd_run("git diff")
+    cmd_run("git diff".split())
 
     srctar_name = f"{rsync_ver}.tar.gz"
     pattar_name = f"rsync-patches-{version}.tar.gz"
@@ -247,7 +247,7 @@ About to:
 
 About to:
     - git commit all changes
-    - generate the manpages
+    - run a full build, ensuring that the manpages & configure.sh are up-to-date
     - merge the {args.master_branch} branch into the patch/{args.master_branch}/* branches
     - update the files in the "patches" dir and OPTIONALLY (if you type 'y') to
       run patch-update with the --make option (which opens a shell on error)
@@ -258,9 +258,9 @@ About to:
     if s.returncode:
         die('Aborting')
 
-    cmd_chk('make gen')
+    cmd_chk('touch configure.ac && packaging/smart-make && make gen')
 
-    print(f'Creating any missing patch branches.')
+    print('Creating any missing patch branches.')
     s = cmd_run(f'packaging/branch-from-patch --branch={args.master_branch} --add-missing')
     if s.returncode:
         die('Aborting')

receiver.c

@@ -439,9 +439,8 @@ static void handle_delayed_updates(char *local_name)
 					"rename failed for %s (from %s)",
 					full_fname(fname), partialptr);
 			} else {
-				if (remove_source_files
-				 || (preserve_hard_links && F_IS_HLINKED(file)))
-					send_msg_int(MSG_SUCCESS, ndx);
+				if (remove_source_files || (preserve_hard_links && F_IS_HLINKED(file)))
+					send_msg_success(fname, ndx);
 				handle_partial_dir(partialptr, PDIR_DELETE);
 			}
 		}
@@ -698,7 +697,7 @@ int recv_files(int f_in, int f_out, char *local_name)
 			if (!am_server)
 				discard_receive_data(f_in, file);
 			if (inc_recurse)
-				send_msg_int(MSG_SUCCESS, ndx);
+				send_msg_success(fname, ndx);
 			continue;
 		}
 
@@ -926,9 +925,8 @@ int recv_files(int f_in, int f_out, char *local_name)
 		case 2:
 			break;
 		case 1:
-			if (remove_source_files || inc_recurse
-			 || (preserve_hard_links && F_IS_HLINKED(file)))
-				send_msg_int(MSG_SUCCESS, ndx);
+			if (remove_source_files || inc_recurse || (preserve_hard_links && F_IS_HLINKED(file)))
+				send_msg_success(fname, ndx);
 			break;
 		case 0: {
 			enum logcode msgtype = redoing ? FERROR_XFER : FWARNING;

rsync.1.md

@@ -193,6 +193,26 @@ Dedicate a "host1-files" dir to the remote content:
 
 >     rsync -aiv host1:dir1 ~/host1-files
 
+See the [`--trust-sender`](#opt) option for additional details.
+
+CAUTION: it is not particularly safe to use rsync to copy files from a
+case-preserving filesystem to a case-ignoring filesystem.  If you must perform
+such a copy, you should either disable symlinks via `--no-links` or enable the
+munging of symlinks via [`--munge-links`](#opt) (and make sure you use the
+right local or remote option).  This will prevent rsync from doing potentially
+dangerous things if a symlink name overlaps with a file or directory. It does
+not, however, ensure that you get a full copy of all the files (since that may
+not be possible when the names overlap). A potentially better solution is to
+list all the source files and create a safe list of filenames that you pass to
+the [`--files-from`](#opt) option.  Any files that conflict in name would need
+to be copied to different destination directories using more than one copy.
+
+While a copy of a case-ignoring filesystem to a case-ignoring filesystem can
+work out fairly well, if no `--delete-during` or `--delete-before` option is
+active, rsync can potentially update an existing file on the receiveing side
+without noticing that the upper-/lower-case of the filename should be changed
+to match the sender.
+
 ## ADVANCED USAGE
 
 The syntax for requesting multiple files from a remote host is done by
@@ -201,7 +221,12 @@ the hostname omitted.  For instance, all these work:
 
 >     rsync -aiv host:file1 :file2 host:file{3,4} /dest/
 >     rsync -aiv host::modname/file{1,2} host::modname/extra /dest/
->     rsync -aiv host::modname/first ::modname/extra{1,2} /dest/
+>     rsync -aiv host::modname/first ::extra-file{1,2} /dest/
+
+Note that a daemon connection only supports accessing one module per copy
+command, so if the start of a follow-up path doesn't begin with the
+modname of the first path, it is assumed to be a path in the module (such as
+the extra-file1 & extra-file2 that are grabbed above).
 
 Really old versions of rsync (2.6.9 and before) only allowed specifying one
 remote-source arg, so some people have instead relied on the remote-shell
@@ -233,17 +258,19 @@ section below for information on that.)
 Using rsync in this way is the same as using it with a remote shell except
 that:
 
-- you either use a double colon :: instead of a single colon to separate the
-  hostname from the path, or you use an rsync:// URL.
-- the first word of the "path" is actually a module name.
-- the remote daemon may print a message of the day when you connect.
-- if you specify no path name on the remote daemon then the list of accessible
-  paths on the daemon will be shown.
-- if you specify no local destination then a listing of the specified files on
-  the remote daemon is provided.
-- you must not specify the [`--rsh`](#opt) (`-e`) option (since that overrides
-  the daemon connection to use ssh -- see [USING RSYNC-DAEMON FEATURES VIA A
-  REMOTE-SHELL CONNECTION](#) below).
+- Use either double-colon syntax or rsync:// URL syntax instead of the
+  single-colon (remote shell) syntax.
+- The first element of the "path" is actually a module name.
+- Additional remote source args can use an abbreviated syntax that omits the
+  hostname and/or the module name, as discussed in [ADVANCED USAGE](#).
+- The remote daemon may print a "message of the day" when you connect.
+- If you specify only the host (with no module or path) then a list of
+  accessible modules on the daemon is output.
+- If you specify a remote source path but no destination, a listing of the
+  matching files on the remote daemon is output.
+- The [`--rsh`](#opt) (`-e`) option must be omitted to avoid changing the
+  connection style from using a socket connection to [USING RSYNC-DAEMON
+  FEATURES VIA A REMOTE-SHELL CONNECTION](#).
 
 An example that copies all the files in a remote module named "src":
 
@@ -462,7 +489,8 @@ has its own detailed description later in this manpage.
 --files-from=FILE        read list of source-file names from FILE
 --from0, -0              all *-from/filter files are delimited by 0s
 --old-args               disable the modern arg-protection idiom
---protect-args, -s       no space-splitting; wildcard chars only
+--secluded-args, -s      use the protocol to safely send the args
+--trust-sender           trust the remote sender's file list
 --copy-as=USER[:GROUP]   specify user & optional group for the copy
 --address=ADDRESS        bind address for outgoing socket to daemon
 --port=PORT              specify double-colon alternate port number
@@ -536,7 +564,8 @@ option has a short variant).
 The parameter may need to be quoted in some manner for it to survive the
 shell's command-line parsing.  Also keep in mind that a leading tilde (`~`) in
 a pathname is substituted by your shell, so make sure that you separate the
-option name from the pathname using a space if you want the shell to expand it.
+option name from the pathname using a space if you want the local shell to
+expand it.
 
 [comment]: # (Some markup below uses a literal non-breakable space when a backtick string)
 [comment]: # (needs to contain a space since markdown strips spaces from the start/end)
@@ -1804,6 +1833,10 @@ option name from the pathname using a space if you want the shell to expand it.
     Starting with 3.1.0, rsync will skip the sender-side removal (and output an
     error) if the file's size or modify time has not stayed unchanged.
 
+    Starting with 3.2.6, a local rsync copy will ensure that the sender does
+    not remove a file the receiver just verified, such as when the user
+    accidentally makes the source and destination directory the same path.
+
 0.  `--delete`
 
     This tells rsync to delete extraneous files from the receiving side (ones
@@ -1900,16 +1933,16 @@ option name from the pathname using a space if you want the shell to expand it.
 
     By default, an exclude or include has both a server-side effect (to "hide"
     and "show" files when building the server's file list) and a receiver-side
-    effect (to "protect" and "risk" files when deletions are occuring).  Any
+    effect (to "protect" and "risk" files when deletions are occurring).  Any
     rule that has no modifier to specify what sides it is executed on will be
     instead treated as if it were a server-side rule only, avoiding any
     "protect" effects of the rules.
 
     A rule can still apply to both sides even with this option specified if the
-    rule is given both the sender & receiver modifer letters (e.g., `-f'-sr
+    rule is given both the sender & receiver modifier letters (e.g., `-f'-sr
     foo'`).  Receiver-side protect/risk rules can also be explicitly specified
-    to limit the deletions.  This is saves you from having to edit a bunch of
-    `-f'- foo'` rules into `-f'-s foo'` or `-f'H foo'` rules (not to mention
+    to limit the deletions.  This saves you from having to edit a bunch of
+    `-f'- foo'` rules into `-f'-s foo'` (aka `-f'H foo'`) rules (not to mention
     the corresponding includes).
 
     See the [FILTER RULES](#) section for more information.  See
@@ -2326,7 +2359,7 @@ option name from the pathname using a space if you want the shell to expand it.
     This would copy all the files specified in the /path/file-list file that
     was located on the remote "src" host.
 
-    If the [`--iconv`](#opt) and [`--protect-args`](#opt) options are specified
+    If the [`--iconv`](#opt) and [`--secluded-args`](#opt) options are specified
     and the `--files-from` filenames are being sent from one host to another,
     the filenames will be translated from the sending host's charset to the
     receiving host's charset.
@@ -2375,38 +2408,82 @@ option name from the pathname using a space if you want the shell to expand it.
     because we can't know for sure what names to expect when the remote shell
     is interpreting the args.
 
-    This option conflicts with the [`--protect-args`](#opt) option.
+    This option conflicts with the [`--secluded-args`](#opt) option.
 
-0.  `--protect-args`, `-s`
+0.  `--secluded-args`, `-s`
 
-    This option sends all filenames and most options to the remote rsync
-    without allowing the remote shell to interpret them.  Wildcards are
-    expanded on the remote host by rsync instead of the shell doing it.
+    This option sends all filenames and most options to the remote rsync via
+    the protocol (not the remote shell command line) which avoids letting the
+    remote shell modify them.  Wildcards are expanded on the remote host by
+    rsync instead of a shell.
 
-    This is similar to the new-style backslash-escaping of args that was added
-    in 3.2.4, but supports some extra features and doesn't rely on backslash
-    escaping in the remote shell.
+    This is similar to the default backslash-escaping of args that was added
+    in 3.2.4 (see [`--old-args`](#opt)) in that it prevents things like space
+    splitting and unwanted special-character side-effects. However, it has the
+    drawbacks of being incompatible with older rsync versions (prior to 3.0.0)
+    and of being refused by restricted shells that want to be able to inspect
+    all the option values for safety.
 
-    If you use this option with [`--iconv`](#opt), the args related to the
-    remote side will also be translated from the local to the remote
-    character-set.  The translation happens before wild-cards are expanded.
-    See also the [`--files-from`](#opt) option.
+    This option is useful for those times that you need the argument's
+    character set to be converted for the remote host, if the remote shell is
+    incompatible with the default backslash-escpaing method, or there is some
+    other reason that you want the majority of the options and arguments to
+    bypass the command-line of the remote shell.
+
+    If you combine this option with [`--iconv`](#opt), the args related to the
+    remote side will be translated from the local to the remote character-set.
+    The translation happens before wild-cards are expanded.  See also the
+    [`--files-from`](#opt) option.
 
     You may also control this setting via the [`RSYNC_PROTECT_ARGS`](#)
     environment variable.  If it has a non-zero value, this setting will be
     enabled by default, otherwise it will be disabled by default.  Either state
     is overridden by a manually specified positive or negative version of this
-    option (note that `--no-s` and `--no-protect-args` are the negative
+    option (note that `--no-s` and `--no-secluded-args` are the negative
     versions).  This environment variable is also superseded by a non-zero
     [`RSYNC_OLD_ARGS`](#) export.
 
-    You may need to disable this option when interacting with an older rsync
-    (one prior to 3.0.0).
-
     This option conflicts with the [`--old-args`](#opt) option.
 
-    Note that this option is incompatible with the use of the restricted rsync
-    script (`rrsync`) since it hides options from the script's inspection.
+    This option used to be called `--protect-args` (before 3.2.6) and that
+    older name can still be used (though specifying it as `-s` is always the
+    easiest and most compatible choice).
+
+0.  `--trust-sender`
+
+    This option disables two extra validation checks that a local client
+    performs on the file list generated by a remote sender.  This option should
+    only be used if you trust the sender to not put something malicious in the
+    file list (something that could possibly be done via a modified rsync, a
+    modified shell, or some other similar manipulation).
+
+    Normally, the rsync client (as of version 3.2.5) runs two extra validation
+    checks when pulling files from a remote rsync:
+
+    - It verifies that additional arg items didn't get added at the top of the
+      transfer.
+    - It verifies that none of the items in the file list are names that should
+      have been excluded (if filter rules were specified).
+
+    Note that various options can turn off one or both of these checks if the
+    option interferes with the validation.  For instance:
+
+    - Using a per-directory filter file reads filter rules that only the server
+      knows about, so the filter checking is disabled.
+    - Using the [`--old-args`](#opt) option allows the sender to manipulate the
+      requested args, so the arg checking is disabled.
+    - Reading the files-from list from the server side means that the client
+      doesn't know the arg list, so the arg checking is disabled.
+    - Using [`--read-batch`](#opt) disables both checks since the batch file's
+      contents will have been verified when it was created.
+
+    This option may help an under-powered client server if the extra pattern
+    matching is slowing things down on a huge transfer.  It can also be used to
+    work around a currently-unknown bug in the verification logic for a transfer
+    from a trusted sender.
+
+    When using this option it is a good idea to specify a dedicated destination
+    directory, as discussed in the [MULTI-HOST SECURITY](#) section.
 
 0.  `--copy-as=USER[:GROUP]`
 
@@ -2878,9 +2955,8 @@ option name from the pathname using a space if you want the shell to expand it.
     [`--group`](#opt) (`-g`) option (since rsync needs to have those options
     enabled for the mapping options to work).
 
-    An older rsync client may need to use [`--protect-args`](#opt) (`-s`) to
-    avoid a complaint about wildcard characters, but a modern rsync handles
-    this automatically.
+    An older rsync client may need to use [`-s`](#opt) to avoid a complaint
+    about wildcard characters, but a modern rsync handles this automatically.
 
 0.  `--chown=USER:GROUP`
 
@@ -2895,9 +2971,8 @@ option name from the pathname using a space if you want the shell to expand it.
     "`--usermap=*:foo --groupmap=*:bar`", only easier (and with the same
     implied [`--owner`](#opt) and/or [`--group`](#opt) options).
 
-    An older rsync client may need to use [`--protect-args`](#opt) (`-s`) to
-    avoid a complaint about wildcard characters, but a modern rsync handles
-    this automatically.
+    An older rsync client may need to use [`-s`](#opt) to avoid a complaint
+    about wildcard characters, but a modern rsync handles this automatically.
 
 0.  `--timeout=SECONDS`
 
@@ -3444,8 +3519,8 @@ option name from the pathname using a space if you want the shell to expand it.
        include the destination.
 
     CAUTION: keep in mind that a source arg with a wild-card is expanded by the
-    shell into multiple args, so it is never safe to try to list such an arg
-    without using this option. For example:
+    shell into multiple args, so it is never safe to try to specify a single
+    wild-card arg to try to infer this option. A safe example is:
 
     >     rsync -av --list-only foo* dest/
 
@@ -3601,7 +3676,7 @@ option name from the pathname using a space if you want the shell to expand it.
     For a list of what charset names your local iconv library supports, you can
     run "`iconv --list`".
 
-    If you specify the [`--protect-args`](#opt) (`-s`) option, rsync will
+    If you specify the [`--secluded-args`](#opt) (`-s`) option, rsync will
     translate the filenames you specify on the command-line that are being sent
     to the remote host.  See also the [`--files-from`](#opt) option.
 
@@ -3790,7 +3865,7 @@ different ways.
 We will first cover the basics of how include & exclude rules affect what files
 are transferred, ignoring any deletion side-effects.  Filter rules mainly
 affect the contents of directories that rsync is "recursing" into, but they can
-also affect a top-level item in the transfer that were specified as a argument.
+also affect a top-level item in the transfer that was specified as a argument.
 
 The default for any unmatched file/dir is for it to be included in the
 transfer, which puts the file/dir into the sender's file list.  The use of an
@@ -3919,7 +3994,7 @@ You have your choice of using either short or long RULE names, as described
 below.  If you use a short-named rule, the ',' separating the RULE from the
 MODIFIERS is optional.  The PATTERN or FILENAME that follows (when present)
 must come after either a single space or an underscore (\_). Any additional
-spaces and/or undeerscore are considered to be a part of the pattern name.
+spaces and/or underscores are considered to be a part of the pattern name.
 Here are the available rule prefixes:
 
 0.  `exclude, '-'` specifies an exclude pattern that (by default) is both a
@@ -3929,10 +4004,8 @@ Here are the available rule prefixes:
 0.  `merge, '.'` specifies a merge-file on the client side to read for more
     rules.
 0.  `dir-merge, ':'` specifies a per-directory merge-file.  Using this kind of
-    filter rule requires that you trust the sending side's filter checking, and
-    thus it disables the receiver's verification of the file-list names against
-    the filter rules (since only the sender can know for sure if it obeyed all
-    the filter rules when some are per-dir merged from the sender's files).
+    filter rule requires that you trust the sending side's filter checking, so
+    it has the side-effect mentioned under the [`--trust-sender`](#opt) option.
 0.  `hide, 'H'` specifies a pattern for hiding files from the transfer.
     Equivalent to a sender-only exclude, so `-f'H foo'` could also be specified
     as `-f'-s foo'`.
@@ -3969,15 +4042,15 @@ The matching rules for the pattern argument take several forms:
 - If a pattern contains a `/` (not counting a trailing slash) or a "`**`"
   (which can match a slash), then the pattern is matched against the full
   pathname, including any leading directories within the transfer.  If the
-  pattern doesn't contain a `/` or a "`**`", then it is matched only against
-  the final component of the filename or pathname. For example, `foo` means
-  that the final path component must be "foo" while `foo/bar` would match the
-  last 2 elements of the path (as long as both elements are within the
-  transfer).
+  pattern doesn't contain a (non-trailing) `/` or a "`**`", then it is matched
+  only against the final component of the filename or pathname. For example,
+  `foo` means that the final path component must be "foo" while `foo/bar` would
+  match the last 2 elements of the path (as long as both elements are within
+  the transfer).
 - A pattern that ends with a `/` only matches a directory, not a regular file,
   symlink, or device.
 - A pattern that starts with a `/` is anchored to the start of the transfer
-  path instead of the end.  For example, `/foo` or `/foo/bar` match only
+  path instead of the end.  For example, `/foo/**` or `/foo/bar/**` match only
   leading elements in the path.  If the rule is read from a per-directory
   filter file, the transfer path being matched will begin at the level of the
   filter file instead of the top of the transfer.  See the section on
@@ -4010,11 +4083,11 @@ Here are some examples of exclude/include matching:
 - Option `-f'- /foo'` would exclude a file (or directory) named foo in the
   transfer-root directory
 - Option `-f'- foo/'` would exclude any directory named foo
-- Option `-f'- /foo/*/bar'` would exclude any file/dir named bar which is at
-  two levels below a directory named foo, which must be at the root of the
-  transfer
-- Option `-f'- /foo/**/bar'` would exclude any file/dir named bar two or more
-  levels below a directory named foo, which must be at the root of the transfer
+- Option `-f'- foo/*/bar'` would exclude any file/dir named bar which is at two
+  levels below a directory named foo (if foo is in the transfer)
+- Option `-f'- /foo/**/bar'` would exclude any file/dir named bar that was two
+  or more levels below a top-level directory named foo (note that /foo/bar is
+  **not** excluded by this)
 - Options `-f'+ */' -f'+ *.c' -f'- *'` would include all directories and .c
   source files but nothing else
 - Options `-f'+ foo/' -f'+ foo/bar.c' -f'- *'` would include only the foo
@@ -4551,17 +4624,17 @@ file is included or excluded.
     supersedes the [`RSYNC_PROTECT_ARGS`](#) variable.
 
     This variable is ignored if [`--old-args`](#opt), `--no-old-args`, or
-    [`--protect-args`](#opt) is specified on the command line.
+    [`--secluded-args`](#opt) is specified on the command line.
 
     First supported in 3.2.4.
 
 0.  `RSYNC_PROTECT_ARGS`
 
-    Specify a non-zero numeric value if you want the [`--protect-args`](#opt)
+    Specify a non-zero numeric value if you want the [`--secluded-args`](#opt)
     option to be enabled by default, or a zero value to make sure that it is
     disabled by default.
 
-    This variable is ignored if [`--protect-args`](#opt), `--no-protect-args`,
+    This variable is ignored if [`--secluded-args`](#opt), `--no-secluded-args`,
     or [`--old-args`](#opt) is specified on the command line.
 
     First supported in 3.1.0.  Starting in 3.2.4, this variable is ignored if

rsync.c

@@ -642,7 +642,7 @@ int set_file_attrs(const char *fname, struct file_struct *file, stat_x *sxp,
 #ifdef SUPPORT_ACLS
 	/* It's OK to call set_acl() now, even for a dir, as the generator
 	 * will enable owner-writability using chmod, if necessary.
-	 * 
+	 *
 	 * If set_acl() changes permission bits in the process of setting
 	 * an access ACL, it changes sxp->st.st_mode so we know whether we
 	 * need to chmod(). */

rsync.h

@@ -1172,7 +1172,7 @@ struct name_num_obj {
 	uchar *saw;
 	int saw_len;
 	int negotiated_num;
-	struct name_num_item list[10]; /* we'll get a compile error/warning if this is ever too small */
+	struct name_num_item *list;
 };
 
 #ifdef EXTERNAL_ZLIB

rsyncd.conf.5.md

@@ -894,7 +894,7 @@ the values of parameters.  See the GLOBAL PARAMETERS section for more details.
     >     refuse options = * !a !v !compress*
 
     Don't worry that the "`*`" will refuse certain vital options such as
-    `--dry-run`, `--server`, `--no-iconv`, `--protect-args`, etc. These
+    `--dry-run`, `--server`, `--no-iconv`, `--seclude-args`, etc. These
     important options are not matched by wild-card, so they must be overridden
     by their exact name.  For instance, if you're forcing iconv transfers you
     could use something like this:
@@ -948,7 +948,7 @@ the values of parameters.  See the GLOBAL PARAMETERS section for more details.
       `--log-file-format`.
     - `--sender`: Use "[write only](#)" parameter instead of refusing this.
     - `--dry-run`, `-n`: Who would want to disable this?
-    - `--protect-args`, `-s`: This actually makes transfers safer.
+    - `--seclude-args`, `-s`: Is the oldest arg-protection method.
     - `--from0`, `-0`: Makes it easier to accept/refuse `--files-from` without
       affecting this helpful modifier.
     - `--iconv`: This is auto-disabled based on "[charset](#)" parameter.

sender.c

@@ -25,6 +25,7 @@
 extern int do_xfers;
 extern int am_server;
 extern int am_daemon;
+extern int local_server;
 extern int inc_recurse;
 extern int log_before_transfer;
 extern int stdout_format_has_i;
@@ -51,6 +52,7 @@ extern int file_old_total;
 extern BOOL want_progress_now;
 extern struct stats stats;
 extern struct file_list *cur_flist, *first_flist, *dir_flist;
+extern char num_dev_ino_buf[4 + 8 + 8];
 
 BOOL extra_flist_sending_enabled;
 
@@ -144,6 +146,13 @@ void successful_send(int ndx)
 		goto failed;
 	}
 
+	if (local_server
+	 && (int64)st.st_dev == IVAL64(num_dev_ino_buf, 4)
+	 && (int64)st.st_ino == IVAL64(num_dev_ino_buf, 4 + 8)) {
+		rprintf(FERROR_XFER, "ERROR: Skipping sender remove of destination file: %s\n", fname);
+		return;
+	}
+
 	if (st.st_size != F_LENGTH(file) || st.st_mtime != file->modtime
 #ifdef ST_MTIME_NSEC
 	 || (NSEC_BUMP(file) && (uint32)st.ST_MTIME_NSEC != F_MOD_NSEC(file))

support/rrsync

@@ -47,6 +47,7 @@ long_opts = {
   'compress-choice': 1,
   'compress-level': 1,
   'copy-dest': 2,
+  'copy-devices': -1,
   'copy-unsafe-links': 0,
   'daemon': -1,
   'debug': 1,

support/rrsync.1.md

@@ -22,6 +22,10 @@ transfer in one of two easy ways:
 * forcing the running of the rrsync script
 * forcing the running of an rsync daemon-over-ssh command.
 
+Both of these setups use a feature of ssh that allows a command to be forced to
+run instead of an interactive shell.  However, if the user's home shell is bash,
+please see [BASH SECURITY ISSUE](#) for a potential issue.
+
 To use the rrsync script, edit the user's `~/.ssh/authorized_keys` file and add
 a prefix like one of the following (followed by a space) in front of each
 ssh-key line that should be restricted:
@@ -107,6 +111,26 @@ overrides.
 The script (or a copy of it) can be manually edited if you want it to customize
 the option handling.
 
+## BASH SECURITY ISSUE
+
+If your users have bash set as their home shell, bash may try to be overly
+helpful and ensure that the user's login bashrc files are run prior to
+executing the forced command.  This can be a problem if the user can somehow
+update their home bashrc files, perhaps via the restricted copy, a shared home
+directory, or something similar.
+
+One simple way to avoid the issue is to switch the user to a simpler shell,
+such as dash.  When choosing the new home shell, make sure that you're not
+choosing bash in disguise, as it is unclear if it avoids the security issue.
+
+Another potential fix is to ensure that the user's home directory is not a
+shared mount and that they have no means of copying files outside of their
+restricted directories.  This may require you to force the enabling of symlink
+munging on the server side.
+
+A future version of openssh may have a change to the handling of forced
+commands that allows it to avoid using the user's home shell.
+
 ## EXAMPLES
 
 The `~/.ssh/authorized_keys` file might have lines in it like this:

t_stub.c

@@ -29,7 +29,6 @@ int protect_args = 0;
 int module_id = -1;
 int relative_paths = 0;
 int module_dirlen = 0;
-int preserve_mtimes = 0;
 int preserve_xattrs = 0;
 int preserve_perms = 0;
 int preserve_executability = 0;

usage.c

@@ -110,12 +110,12 @@ static void print_info_flags(enum logcode f)
 #endif
 			"xattrs",
 
-#ifdef RSYNC_USE_PROTECTED_ARGS
+#ifdef RSYNC_USE_SECLUDED_ARGS
 		"default "
 #else
 		"optional "
 #endif
-			"protect-args",
+			"secluded-args",
 
 #ifndef ICONV_OPTION
 		"no "
@@ -195,6 +195,8 @@ void print_rsync_version(enum logcode f)
 
 	print_info_flags(f);
 
+	init_checksum_choices();
+
 	rprintf(f, "Checksum list:\n");
 	get_default_nno_list(&valid_checksums, tmpbuf, sizeof tmpbuf, '(');
 	rprintf(f, "    %s\n", tmpbuf);

util1.c

@@ -31,7 +31,6 @@ extern int do_fsync;
 extern int protect_args;
 extern int modify_window;
 extern int relative_paths;
-extern int preserve_mtimes;
 extern int preserve_xattrs;
 extern int omit_link_times;
 extern int preallocate_files;

version.h

@@ -1,2 +1,2 @@
-#define RSYNC_VERSION "3.2.5pre1"
+#define RSYNC_VERSION "3.2.6"
 #define MAINTAINER_TZ_OFFSET -7.0

zlib/inflate.c

@@ -740,8 +740,9 @@ int flush;
                 if (copy > have) copy = have;
                 if (copy) {
                     if (state->head != Z_NULL &&
-                        state->head->extra != Z_NULL) {
-                        len = state->head->extra_len - state->length;
+                        state->head->extra != Z_NULL &&
+                        (len = state->head->extra_len - state->length) <
+                            state->head->extra_max) {
                         zmemcpy(state->head->extra + len, next,
                                 len + copy > state->head->extra_max ?
                                 state->head->extra_max - len : copy);