Author: Ángel González <angel@16bits.net>
Bug: https://github.com/axkibe/lsyncd/issues/220
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=767227
Subject: Properly sanitize mv parameters (CVE-2014-8990)
 Sanitize mv arguments:
 .
 1. Fixes crashes on file names containing `, $ or "
 2. Also prevents shell execution of ``, $() … in file names, which can be
    used to gain remote shell access as lsyncd's (target) user.

 This adapted patch is from Sven Schwedas <sven.schwedas@tao.at>
--- a/default-rsyncssh.lua
+++ b/default-rsyncssh.lua
@@ -29,14 +29,21 @@
 		-- makes move local on host
 		-- if fails deletes the source...
 		if event.etype == 'Move' then
+			local path1 = config.targetdir .. event.path
+			local path2 = config.targetdir .. event2.path
+			path1 = "'" .. path1:gsub ('\'', '\'"\'"\'') .. "'"
+			path2 = "'" .. path2:gsub ('\'', '\'"\'"\'') .. "'"
+
 			log('Normal', 'Moving ',event.path,' -> ',event2.path)
+
 			spawn(event, '/usr/bin/ssh',
 				config.host,
 				'mv',
-				'\"' .. config.targetdir .. event.path .. '\"',
-				'\"' .. config.targetdir .. event2.path .. '\"',
+				path1,
+				path2,
 				'||', 'rm', '-rf',
-				'\"' .. config.targetdir .. event.path .. '\"')
+				path1
+			)
 			return
 		end
 
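Review bot: The quoting expression on the added `path1`/`path2` lines is written out twice and has no comment, although it is the whole of the fix: ssh joins its arguments into one string for the remote shell, so each path must arrive as one single-quoted word. I would move it into a single helper, `local function shquote(s) return "'" .. s:gsub("'", "'\"'\"'") .. "'" end`, with a comment such as `-- ssh hands the joined arguments to the remote shell; quote every path as one word`, so that other spawn sites in this file can be checked against the same function. `mv` and the `rm -rf` fallback still take the paths without a preceding `'--'`; this matters only if `config.targetdir` can be empty or relative, which is not visible here, but the extra argument is cheap. The escaping presumably assumes a POSIX-style login shell on the target, which the comment should state. The enclosing function starts and ends outside the hunk.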
