Ensure that the authenticated users can't access each other's directories and files by providing relative paths. #5734

2025-02-25 18:55:31 -06:00 · 2023-01-13 12:29:21 +05:30
parent 83b207e7da
commit 8b236e7bc8
6 changed files with 77 additions and 126 deletions
--- a/web/pgadmin/tools/backup/init.py
+++ b/web/pgadmin/tools/backup/init.py
@@ -19,8 +19,9 @@ from flask_babel import gettext as _
 from flask_security import login_required, current_user
 from pgadmin.misc.bgprocess.processes import BatchProcess, IProcessDesc
 from pgadmin.utils import PgAdminModule, get_storage_directory, html, \
-    fs_short_path, document_dir, does_utility_exist, get_server
-from pgadmin.utils.ajax import make_json_response, bad_request
+    fs_short_path, document_dir, does_utility_exist, get_server, \
+    filename_with_file_manager_path
+from pgadmin.utils.ajax import make_json_response, bad_request, unauthorized

 from config import PG_DEFAULT_DRIVER
 from pgadmin.model import Server, SharedServer
@@ -189,40 +190,6 @@ def script():
    )


-def filename_with_file_manager_path(_file, create_file=True):
-    """
-    Args:
-        file: File name returned from client file manager
-        create_file: Set flag to False when file creation doesn't required
-    Returns:
-        Filename to use for backup with full path taken from preference
-    """
-    # Set file manager directory from preference
-    storage_dir = get_storage_directory()
-    if storage_dir:
-        _file = os.path.join(storage_dir, _file.lstrip('/').lstrip('\\'))
-    elif not os.path.isabs(_file):
-        _file = os.path.join(document_dir(), _file)
-
-    def short_filepath():
-        short_path = fs_short_path(_file)
-        # fs_short_path() function may return empty path on Windows
-        # if directory doesn't exists. In that case we strip the last path
-        # component and get the short path.
-        if os.name == 'nt' and short_path == '':
-            base_name = os.path.basename(_file)
-            dir_name = os.path.dirname(_file)
-            short_path = fs_short_path(dir_name) + '\\' + base_name
-        return short_path
-
-    if create_file:
-        # Touch the file to get the short path of the file on windows.
-        with open(_file, 'a'):
-            return short_filepath()
-
-    return short_filepath()
-
-
 def _get_args_params_values(data, conn, backup_obj_type, backup_file, server,
                            manager):
    """
@@ -367,6 +334,8 @@ def create_backup_objects_job(sid):
    try:
        backup_file = filename_with_file_manager_path(
            data['file'], (data.get('format', '') != 'directory'))
+    except PermissionError as e:
+        return unauthorized(errormsg=str(e))
    except Exception as e:
        return bad_request(errormsg=str(e))