| field | value | date |
|---|---|---|
| author | Thomas Waldmann <tw@waldmann-edv.de> | 2016-08-18 23:05:58 +0200 |
| committer | Thomas Waldmann <tw@waldmann-edv.de> | 2016-08-18 23:22:50 +0200 |
| commit | f32c8858ad3f6637fca35ef814f6cd584d1cc658 (patch) | |
| tree | 22d64534245cc44bdc231b03a7c9d61752ffbbe6 | |
| parent | dde18d6a7660837ce7b4f30d31960bdc74252570 (diff) | |
update CHANGES with description of issue #1428 (1.0.7)
-rw-r--r-- docs/changes.rst | 23
1 files changed, 20 insertions, 3 deletions
diff --git a/docs/changes.rst b/docs/changes.rst index 8a75e05d5..debf4feb6 100644 --- a/docs/changes.rst +++ b/docs/changes.rst @@ -50,12 +50,29 @@ The best check that everything is ok is to run a dry-run extraction:: borg extract -v --dry-run REPO::ARCHIVE -Version 1.0.7 (not released yet) --------------------------------- +Version 1.0.7 (2016-08-19) +-------------------------- Security fixes: -- fix security issue with remote repository access, #1428 +- borg serve: fix security issue with remote repository access, #1428 + If you used e.g. --restrict-to-path /path/client1/ (with or without trailing + slash does not make a difference), it acted like a path prefix match using + /path/client1 (note the missing trailing slash) - the code then also allowed + working in e.g. /path/client13 or /path/client1000. + + As this could accidentally lead to major security/privacy issues depending on + the pathes you use, the behaviour was changed to be a strict directory match. + That means --restrict-to-path /path/client1 (with or without trailing slash + does not make a difference) now uses /path/client1/ internally (note the + trailing slash here!) for matching and allows precisely that path AND any + path below it. So, /path/client1 is allowed, /path/client1/repo1 is allowed, + but not /path/client13 or /path/client1000. + + If you willingly used the undocumented (dangerous) previous behaviour, you + may need to rearrange your --restrict-to-path pathes now. We are sorry if + that causes work for you, but we did not want a potentially dangerous + behaviour in the software (not even using a for-backwards-compat option). Bug fixes: |
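Review bot: In the new changelog paragraphs, "pathes" should be "paths" in both places ("depending on the pathes you use" and "rearrange your --restrict-to-path pathes"), and "(not even using a for-backwards-compat option)" reads more clearly as "(not even behind a backwards-compatibility option)". The explanation of the fix is otherwise precise and matches the stated change: comparing against /path/client1 without the separator also admits /path/client13 and /path/client1000, while normalising to /path/client1/ before matching admits only that directory and paths below it. Consider adding one sentence telling administrators how to confirm the new behaviour after upgrading, e.g. that a client limited by --restrict-to-path /path/client1 is now refused when it tries to open a repository under /path/client13.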