author | Thomas Waldmann <tw@waldmann-edv.de> | 2016-08-02 15:50:21 +0200 |
---|---|---|
committer | Thomas Waldmann <tw@waldmann-edv.de> | 2016-08-18 22:40:50 +0200 |
commit | dde18d6a7660837ce7b4f30d31960bdc74252570 (patch) | |
tree | 4991c12a31c61c03a75bf2547d67667e982254de | |
parent | 28cbf24815649b5dcb453498dae64948abbdf411 (diff) |
security fix: --restrict-to-path must not accept pathes with same name prefix
bug: --restrict-to-path /foo erroneously allowed /foobar.
even worse: --restrict-to-path /foo/ erroneously allowed /foobar.
-rw-r--r-- | borg/remote.py | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/borg/remote.py b/borg/remote.py
index 6a611019c..472d1ac36 100644
--- a/borg/remote.py
+++ b/borg/remote.py
@@ -120,8 +120,13 @@ class RepositoryServer: # pragma: no cover
 path = path[1:]
 path = os.path.realpath(os.path.expanduser(path))
 if self.restrict_to_paths:
+ # if --restrict-to-path P is given, we make sure that we only operate in/below path P.
+ # for the prefix check, it is important that the compared pathes both have trailing slashes,
+ # so that a path /foobar will NOT be accepted with --restrict-to-path /foo option.
+ path_with_sep = os.path.join(path, '') # make sure there is a trailing slash (os.sep)
 for restrict_to_path in self.restrict_to_paths:
- if path.startswith(os.path.realpath(restrict_to_path)):
+ restrict_to_path_with_sep = os.path.join(os.path.realpath(restrict_to_path), '') # trailing slash
+ if path_with_sep.startswith(restrict_to_path_with_sep):
 break
 else:
 raise PathNotAllowed(path) |
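Review bot: The corrected prefix comparison ships without a regression test: the diffstat lists only borg/remote.py and the hunk header shows the enclosing class is marked `# pragma: no cover`, so nothing pins that `/foobar` is rejected for `--restrict-to-path /foo`. Moving the comparison into a small module-level function makes it testable without a server instance; the cases to pin are `/foo` against `/foobar` (reject), `/foo` against `/foo` and `/foo/bar` (accept), and a restriction given with a trailing slash. The enclosing method starts and ends outside the hunk and the page has lost the original indentation, so the placement below is approximate. Separately, the check runs on the path as `os.path.realpath` resolves it at that moment; whether a symlink changed afterwards could move the repository outside the allowed tree depends on code not visible here and is worth confirming.

```python
def _path_is_below(path, base):
    """Return True if path equals base or lies below it.

    Both arguments must already be os.path.realpath()-resolved. A trailing
    os.sep is appended to each side so that /foobar never matches /foo.
    """
    return os.path.join(path, '').startswith(os.path.join(base, ''))

        # … unchanged: path = os.path.realpath(os.path.expanduser(path)) …
        if self.restrict_to_paths:
            if not any(_path_is_below(path, os.path.realpath(allowed))
                       for allowed in self.restrict_to_paths):
                raise PathNotAllowed(path)
```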