direct mode allows injecting unauthorized filesystem operations #348

@wodny

Description

Original report: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=801263
It looks like the bug hasn't been submitted upstream by the maintainer, so I am resubmitting it here.

In the default-direct.lua file, in the event.etype == 'Move' branch, a shell is spawned instead of using a direct fork/exec. Its arguments aren't quoted, so one can inject additional parameters using whitespace characters.

lsyncd seems to require directory paths to be absolute to work correctly in daemon mode, so at least the other branches doing direct exec but not using '--' are probably safe. Still, one might consider using dashes as well.

Examples can be tested after entering the source directory.

Example 1:

    $ touch ' '
    $ mv ' ' sthelse

Causes rm -rf on target (the whole directory)

Example 2:

    $ touch -- ' -t tmp'
    $ mv ' -t tmp' ' sthelse'

Moves the target directory and its contents to /tmp. lsyncd's cwd is /.
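As an added illustration (this is neither lsyncd's code nor the reporter's), the following Python sketch shows the two halves of the report: how a POSIX shell word-splits the unquoted file names from the examples above, so that parts of a name reach `mv` as separate arguments, and how an exec-style argument vector with the `--` separator hands the same names to `mv` intact. It assumes `mv` is on `PATH` and uses a scratch directory; the file names are constructed from the report's examples.

```python
"""Added example (not lsyncd's code): shell word-splitting of unquoted
arguments versus a direct exec argv with '--'. The file names below are
constructed from the report's two examples."""
import os
import shlex
import shutil
import subprocess
import tempfile

# mv is needed only for the live demo; the tokenisation functions run without it.
HAVE_MV = shutil.which("mv") is not None


def shell_tokens(src: str, dst: str) -> list:
    """Show how a POSIX shell would split the unquoted string 'mv <src> <dst>'
    (the pattern the report describes). Nothing is executed: shlex.split
    mirrors shell word splitting, so whitespace inside a file name produces
    extra words, some of which look like options to mv."""
    return shlex.split(f"mv {src} {dst}")


def exec_argv(src: str, dst: str) -> list:
    """Argument vector for a direct fork/exec: each name is exactly one argv
    element, and '--' tells mv that everything after it is an operand."""
    return ["mv", "--", src, dst]


def move_with_exec(src: str, dst: str, cwd: str) -> bool:
    """Run mv without a shell, using the '--' separator, and report whether
    the rename happened as intended (relative names, so the leading
    whitespace in the names is preserved verbatim)."""
    subprocess.run(exec_argv(src, dst), check=True, cwd=cwd)
    return os.path.exists(os.path.join(cwd, dst)) and not os.path.exists(
        os.path.join(cwd, src)
    )


def demo_move() -> bool:
    """Create the report's second-example file name in a scratch directory
    and move it with the exec-style argv; True means the file ended up at
    the intended destination, i.e. ' -t tmp' was treated as a name."""
    with tempfile.TemporaryDirectory() as scratch:
        src = " -t tmp"
        dst = " sthelse"
        open(os.path.join(scratch, src), "w").close()
        return move_with_exec(src, dst, scratch)


if __name__ == "__main__":
    # Example 1: the single-space name vanishes entirely after word splitting.
    print(shell_tokens(" ", "sthelse"))
    # Example 2: '-t tmp' surfaces as separate words that mv reads as an option.
    print(shell_tokens(" -t tmp", " sthelse"))
    print(exec_argv(" -t tmp", " sthelse"))
    if HAVE_MV:
        print("exec-style move succeeded:", demo_move())
```

The tokenisation output is the whole story: with the shell in the middle, the first example loses an operand and the second gains `-t tmp` as an option, whereas the argv form never goes through word splitting, and `--` additionally guards against names that really do begin with a dash.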
