Ensure that upload paths are children of the storage directory. Fixes #7233

2025-02-25 18:55:31 -06:00 · 2022-03-11 18:20:16 +05:30
parent 99c6b171e4
commit dccd4f0bba
2 changed files with 17 additions and 9 deletions
--- a/web/pgadmin/misc/file_manager/init.py
+++ b/web/pgadmin/misc/file_manager/init.py
@@ -985,7 +985,11 @@ class Filemanager(object):
            try:
                # Check if the new file is inside the users directory
                if config.SERVER_MODE:
-                    pathlib.Path(new_name).relative_to(the_dir)
+                    pathlib.Path(
+                        os.path.abspath(
+                            os.path.join(the_dir, new_name)
+                        )
+                    ).relative_to(the_dir)
            except ValueError:
                return self.ERROR_NOT_ALLOWED