from URL: Due to its reliance on vulnerable upstream vendor SDKs & APIs, all current versions of 'rclone' are subject to a variety of attacks. This vulnerability is an instance of a class of security vulnerabilities that affect a wide variety of software. Any API which has clients perform actions on arbitrary URLs chosen by the API server will lead to this class of attack becoming a concern. Current Google Cloud Storage SDKs/APIs, Backblaze B2 APIs, and Yandex Disk APIs are affected. Further details at: https://www.danieldent.com/blog/restless-vulnerability-non-browser-cross-domain-http-request-attacks/ No CVE is presently assigned. Gentoo Security Scout Florian Schuhmacher
In Rclone 1.42, use of "rclone sync" to migrate data between two Google Cloud Storage buckets might allow attackers to trigger the transmission of any URL's content to Google, because there is no validation of a URL field received from the Google Cloud Storage API server, aka a "RESTLESS" issue.
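The defensive pattern the two descriptions above call for is a client-side check on any URL an API server hands back before the client acts on it. The following is an added example written for this bug, not rclone's code or any vendor SDK's: the JSON field name `upload_url`, the `uploadSession` type and the allowlist contents are assumptions chosen for illustration. It enforces https, rejects embedded credentials and non-standard ports, and requires an exact host match, so a spoofed or tampered response cannot steer the client (and the credentials it attaches) to an origin the operator never approved.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// uploadSession is a constructed stand-in for an API response that tells
// the client where to send its next request (hypothetical field name).
type uploadSession struct {
	UploadURL string `json:"upload_url"`
}

// ValidateServerURL checks a URL received from the API server before the
// client performs any request against it. The allowlist is matched
// exactly on the host, so "storage.example.com.evil.test" does not pass
// for "storage.example.com".
func ValidateServerURL(raw string, allowedHosts []string) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, fmt.Errorf("unparseable URL: %w", err)
	}
	if u.Scheme != "https" {
		return nil, fmt.Errorf("refusing non-https scheme %q", u.Scheme)
	}
	if u.User != nil {
		return nil, fmt.Errorf("refusing URL with embedded credentials")
	}
	if p := u.Port(); p != "" && p != "443" {
		return nil, fmt.Errorf("refusing non-standard port %q", p)
	}
	host := strings.ToLower(u.Hostname())
	for _, ok := range allowedHosts {
		if host == strings.ToLower(ok) {
			return u, nil
		}
	}
	return nil, fmt.Errorf("host %q not in allowlist", host)
}

// ResolveUploadURL decodes an API response body and validates the URL it
// carries; the caller only ever sees a URL that passed the allowlist.
func ResolveUploadURL(body []byte, allowedHosts []string) (string, error) {
	var s uploadSession
	if err := json.Unmarshal(body, &s); err != nil {
		return "", fmt.Errorf("bad session response: %w", err)
	}
	u, err := ValidateServerURL(s.UploadURL, allowedHosts)
	if err != nil {
		return "", err
	}
	return u.String(), nil
}

func main() {
	// Constructed sample responses: one from the expected host, one that
	// a tampered or spoofed server might return.
	allowed := []string{"storage.example.com"}
	good := []byte(`{"upload_url":"https://storage.example.com/upload/b/bucket/o?name=x"}`)
	bad := []byte(`{"upload_url":"https://collector.evil.test/upload?name=x"}`)
	for _, body := range [][]byte{good, bad} {
		if u, err := ResolveUploadURL(body, allowed); err != nil {
			fmt.Println("rejected:", err)
		} else {
			fmt.Println("accepted:", u)
		}
	}
}
```

The check belongs at the single point where the client turns a server-supplied string into an outbound request; it is deliberately strict (exact host, https only) rather than trying to enumerate bad hosts, which is the only shape of allowlist that holds up when the server itself is the untrusted party.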
I've dropped everything lower than 1.45
Replacing URL with upstream bug. We're still waiting for a fix.
So, upstream says: "@kuraga to exploit this you need to MITM https traffic or compromise a cloud provider". Is this really a valid issue? The upstream issue is closed after the reporter was unresponsive.
Let's close due to upstream's concerns about validity.