From dccd4f0bbaafa783d9f0360c7592b128d5cc3928 Mon Sep 17 00:00:00 2001
From: Akshay Joshi <akshay.joshi@enterprisedb.com>
Date: Fri, 11 Mar 2022 18:20:16 +0530
Subject: [PATCH] Ensure that upload paths are children of the storage
 directory. Fixes #7233

---
 docs/en_US/release_notes_6_7.rst          | 20 ++++++++++++--------
 web/pgadmin/misc/file_manager/__init__.py |  6 +++++-
 2 files changed, 17 insertions(+), 9 deletions(-)

diff --git a/docs/en_US/release_notes_6_7.rst b/docs/en_US/release_notes_6_7.rst
index 68dd11dc2..12ba2718c 100644
--- a/docs/en_US/release_notes_6_7.rst
+++ b/docs/en_US/release_notes_6_7.rst
@@ -2,21 +2,25 @@
 Version 6.7
 ************
 
-Release date: 2022-03-11
+Release date: 2022-03-14
 
 This release contains a number of bug fixes and new features since the release of pgAdmin4 6.6.
 
-New features
-************
+.. note::  **Security Release**
 
+    Please note that this release includes a security update to fix an issue
+    where a user could upload files to directories outside of their storage directory, when using pgAdmin
+    running in server mode.
 
-Housekeeping
-************
+    Users running pgAdmin in server mode, including the standard container based distribution, should upgrade
+    to this release as soon as possible.
 
+    This issue does not affect users running in desktop mode.
 
 Bug fixes
 *********
 
-| `Issue #7220 <https://redmine.postgresql.org/issues/7220>`_ -  Fixed a schema diff issue where difference SQL isn't generated when foreign key values for a table differ.
-| `Issue #7228 <https://redmine.postgresql.org/issues/7228>`_ -  Fixed a schema diff issue where string separator '_$PGADMIN$_' is visible for identical user mappings.
-| `Issue #7230 <https://redmine.postgresql.org/issues/7230>`_ -  Fixed an issue where pgAdmin 4 took ~75 seconds to display the 'Starting pgAdmin' text on the splash screen.
+  | `Issue #7220 <https://redmine.postgresql.org/issues/7220>`_ -  Fixed a schema diff issue where difference SQL isn't generated when foreign key values for a table differ.
+  | `Issue #7228 <https://redmine.postgresql.org/issues/7228>`_ -  Fixed a schema diff issue where string separator '_$PGADMIN$_' is visible for identical user mappings.
+  | `Issue #7230 <https://redmine.postgresql.org/issues/7230>`_ -  Fixed an issue where pgAdmin 4 took ~75 seconds to display the 'Starting pgAdmin' text on the splash screen.
+  | `Issue #7233 <https://redmine.postgresql.org/issues/7233>`_ -  Ensure that upload paths are children of the storage directory.
diff --git a/web/pgadmin/misc/file_manager/__init__.py b/web/pgadmin/misc/file_manager/__init__.py
index d132e46eb..9df8ccc41 100644
--- a/web/pgadmin/misc/file_manager/__init__.py
+++ b/web/pgadmin/misc/file_manager/__init__.py
@@ -985,7 +985,11 @@ class Filemanager(object):
             try:
                 # Check if the new file is inside the users directory
                 if config.SERVER_MODE:
-                    pathlib.Path(new_name).relative_to(the_dir)
+                    pathlib.Path(
+                        os.path.abspath(
+                            os.path.join(the_dir, new_name)
+                        )
+                    ).relative_to(the_dir)
             except ValueError:
                 return self.ERROR_NOT_ALLOWED