authorThomas Waldmann <tw@waldmann-edv.de>2016-08-02 15:50:21 +0200
committerThomas Waldmann <tw@waldmann-edv.de>2016-08-18 22:40:50 +0200
commitdde18d6a7660837ce7b4f30d31960bdc74252570 (patch)
tree4991c12a31c61c03a75bf2547d67667e982254de
parent28cbf24815649b5dcb453498dae64948abbdf411 (diff)
security fix: --restrict-to-path must not accept pathes with same name prefix
bug: --restrict-to-path /foo erroneously allowed /foobar. even worse: --restrict-to-path /foo/ erroneously allowed /foobar.
-rw-r--r--borg/remote.py7
1 files changed, 6 insertions, 1 deletions
diff --git a/borg/remote.py b/borg/remote.py
index 6a611019c..472d1ac36 100644
--- a/borg/remote.py
+++ b/borg/remote.py
@@ -120,8 +120,13 @@ class RepositoryServer: # pragma: no cover
path = path[1:]
path = os.path.realpath(os.path.expanduser(path))
if self.restrict_to_paths:
+ # if --restrict-to-path P is given, we make sure that we only operate in/below path P.
+ # for the prefix check, it is important that the compared pathes both have trailing slashes,
+ # so that a path /foobar will NOT be accepted with --restrict-to-path /foo option.
+ path_with_sep = os.path.join(path, '') # make sure there is a trailing slash (os.sep)
for restrict_to_path in self.restrict_to_paths:
- if path.startswith(os.path.realpath(restrict_to_path)):
+ restrict_to_path_with_sep = os.path.join(os.path.realpath(restrict_to_path), '') # trailing slash
+ if path_with_sep.startswith(restrict_to_path_with_sep):
break
else:
raise PathNotAllowed(path)
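Review bot: The corrected prefix check has no regression test: the diffstat lists only borg/remote.py, and the enclosing class is marked `# pragma: no cover`, so nothing pins the `/foo` vs `/foobar` case against a later refactor. Consider moving the comparison into a small module-level helper that takes two already-resolved paths and returns `os.path.join(path, '').startswith(os.path.join(base, ''))`, then unit-testing it with the exact-match, child, sibling-prefix and trailing-slash cases from the commit message. Separately, `os.path.realpath(restrict_to_path)` is recomputed for every entry on each call; resolving the list once where `restrict_to_paths` is set would remove the repeated work, though that also fixes the allowed roots at startup, which may or may not be the intended policy. The method containing this check starts and ends outside the hunk.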