Ensure that upload paths are children of the storage directory. Fixes #7233

2024-11-24 09:40:21 -06:00 · 2022-03-11 18:20:16 +05:30 · 2022-03-11 18:20:16 +05:30 · dccd4f0bba
commit dccd4f0bba
parent 99c6b171e4
2 changed files with 17 additions and 9 deletions
--- a/docs/en_US/release_notes_6_7.rst
+++ b/docs/en_US/release_notes_6_7.rst
@ -2,21 +2,25 @@
 Version 6.7
 ************

-Release date: 2022-03-11
+Release date: 2022-03-14

 This release contains a number of bug fixes and new features since the release of pgAdmin4 6.6.

-New features
-************
+.. note::  **Security Release**

+    Please note that this release includes a security update to fix an issue
+    where a user could upload files to directories outside of their storage directory, when using pgAdmin
+    running in server mode.

-Housekeeping
-************
+    Users running pgAdmin in server mode, including the standard container based distribution, should upgrade
+    to this release as soon as possible.

+    This issue does not affect users running in desktop mode.

 Bug fixes
 *********

-| `Issue #7220 <https://redmine.postgresql.org/issues/7220>`_ -  Fixed a schema diff issue where difference SQL isn't generated when foreign key values for a table differ.
-| `Issue #7228 <https://redmine.postgresql.org/issues/7228>`_ -  Fixed a schema diff issue where string separator '_$PGADMIN$_' is visible for identical user mappings.
-| `Issue #7230 <https://redmine.postgresql.org/issues/7230>`_ -  Fixed an issue where pgAdmin 4 took ~75 seconds to display the 'Starting pgAdmin' text on the splash screen.
+  | `Issue #7220 <https://redmine.postgresql.org/issues/7220>`_ -  Fixed a schema diff issue where difference SQL isn't generated when foreign key values for a table differ.
+  | `Issue #7228 <https://redmine.postgresql.org/issues/7228>`_ -  Fixed a schema diff issue where string separator '_$PGADMIN$_' is visible for identical user mappings.
+  | `Issue #7230 <https://redmine.postgresql.org/issues/7230>`_ -  Fixed an issue where pgAdmin 4 took ~75 seconds to display the 'Starting pgAdmin' text on the splash screen.
+  | `Issue #7233 <https://redmine.postgresql.org/issues/7233>`_ -  Ensure that upload paths are children of the storage directory.
--- a/web/pgadmin/misc/file_manager/init.py
+++ b/web/pgadmin/misc/file_manager/init.py
@ -985,7 +985,11 @@ class Filemanager(object):
            try:
                # Check if the new file is inside the users directory
                if config.SERVER_MODE:
-                    pathlib.Path(new_name).relative_to(the_dir)
+                    pathlib.Path(
+                        os.path.abspath(
+                            os.path.join(the_dir, new_name)
+                        )
+                    ).relative_to(the_dir)
            except ValueError:
                return self.ERROR_NOT_ALLOWED