mirror of
https://github.com/pgadmin-org/pgadmin4.git
synced 2024-11-28 03:23:52 -06:00
Ensure that upload paths are children of the storage directory. Fixes #7233
This commit is contained in:
parent
99c6b171e4
commit
dccd4f0bba
@ -2,17 +2,20 @@
Version 6.7
************
Release date: 2022-03-11
Release date: 2022-03-14
This release contains a number of bug fixes and new features since the release of pgAdmin4 6.6.
New features
************
.. note:: **Security Release**
Please note that this release includes a security update to fix an issue
where a user could upload files to directories outside of their storage directory, when using pgAdmin
running in server mode.
Housekeeping
************
Users running pgAdmin in server mode, including the standard container based distribution, should upgrade
to this release as soon as possible.
This issue does not affect users running in desktop mode.
Bug fixes
*********
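Review bot: the new Security Release note (the `.. note:: **Security Release**` block and the paragraphs that follow it) never names the issue it addresses, so a reader of the advisory cannot correlate it with the `Issue #7233` entry that this same commit adds to the Bug fixes list; add the issue link there (and the CVE identifier, if one has been assigned), e.g. `Please note that this release includes a security update (Issue #7233) to fix an issue`. The note also states only that files could be uploaded "to directories outside of their storage directory"; naming the affected component (the file manager, per the `class Filemanager` hunk in this commit) and repeating that only server mode is affected in the first sentence would help operators decide quickly whether they are exposed.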
@ -20,3 +23,4 @@ Bug fixes
| `Issue #7220 <https://redmine.postgresql.org/issues/7220>`_ - Fixed a schema diff issue where difference SQL isn't generated when foreign key values for a table differ.
| `Issue #7228 <https://redmine.postgresql.org/issues/7228>`_ - Fixed a schema diff issue where string separator '_$PGADMIN$_' is visible for identical user mappings.
| `Issue #7230 <https://redmine.postgresql.org/issues/7230>`_ - Fixed an issue where pgAdmin 4 took ~75 seconds to display the 'Starting pgAdmin' text on the splash screen.
| `Issue #7233 <https://redmine.postgresql.org/issues/7233>`_ - Ensure that upload paths are children of the storage directory.
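Review bot: the new `Issue #7233` line is worded as the implementation ("Ensure that upload paths are children of the storage directory") whereas every other entry in this list describes the user-visible problem ("Fixed a schema diff issue where ...", "Fixed an issue where ..."); for consistency, and so readers can tell this is the fix the Security Release note refers to, reword it along the lines of `Fixed an issue where a user could upload files to directories outside of their storage directory when running in server mode.`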
@ -985,7 +985,11 @@ class Filemanager(object):
try:
# Check if the new file is inside the users directory
if config.SERVER_MODE:
pathlib.Path(new_name).relative_to(the_dir)
pathlib.Path(
os.path.abspath(
os.path.join(the_dir, new_name)
)
).relative_to(the_dir)
except ValueError:
return self.ERROR_NOT_ALLOWED
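Review bot: the new containment check is still a lexical comparison, so a symbolic link inside `the_dir` that points elsewhere would pass it: `os.path.abspath()` collapses `..` segments (the case the old `pathlib.Path(new_name).relative_to(the_dir)` missed, because `Path.relative_to` never normalises its argument) but it does not resolve symlinks. Consider `os.path.realpath()` or `pathlib.Path(...).resolve()` instead, and apply the same normalisation to `the_dir`, since `relative_to` raises `ValueError` for a legitimate child whenever the two sides differ only in form (a trailing separator, an unresolved `..` or a symlinked prefix in `the_dir`), which would turn a valid operation into `ERROR_NOT_ALLOWED`. Two smaller points: the value of the `relative_to` expression is discarded and the statement exists only for its `ValueError` side effect, which deserves a sentence next to `# Check if the new file is inside the users directory`; and because `os.path.join(the_dir, new_name)` discards `the_dir` entirely when `new_name` is absolute, a unit test covering an absolute `new_name`, a `../`-prefixed name and a plain child name would pin down the intended behaviour of this branch. Keeping the check under `if config.SERVER_MODE:` matches the release note's statement that desktop mode is unaffected.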