
From dccd4f0bbaafa783d9f0360c7592b128d5cc3928 Mon Sep 17 00:00:00 2001
From: Akshay Joshi <akshay.joshi@enterprisedb.com>
Date: Fri, 11 Mar 2022 18:20:16 +0530
Subject: [PATCH] Ensure that upload paths are children of the storage
 directory. Fixes #7233

---
 docs/en_US/release_notes_6_7.rst          | 20 ++++++++++++--------
 web/pgadmin/misc/file_manager/__init__.py |  6 +++++-
 2 files changed, 17 insertions(+), 9 deletions(-)

#diff --git a/docs/en_US/release_notes_6_7.rst b/docs/en_US/release_notes_6_7.rst
#index 68dd11dc2..12ba2718c 100644
#--- a/docs/en_US/release_notes_6_7.rst
#+++ b/docs/en_US/release_notes_6_7.rst
#@@ -2,21 +2,25 @@
# Version 6.7
# ************
# 
#-Release date: 2022-03-11
#+Release date: 2022-03-14
# 
# This release contains a number of bug fixes and new features since the release of pgAdmin4 6.6.
# 
#-New features
#-************
#+.. note::  **Security Release**
# 
#+    Please note that this release includes a security update to fix an issue
#+    where a user could upload files to directories outside of their storage directory, when using pgAdmin
#+    running in server mode.
# 
#-Housekeeping
#-************
#+    Users running pgAdmin in server mode, including the standard container based distribution, should upgrade
#+    to this release as soon as possible.
# 
#+    This issue does not affect users running in desktop mode.
# 
# Bug fixes
# *********
# 
#-| `Issue #7220 <https://redmine.postgresql.org/issues/7220>`_ -  Fixed a schema diff issue where difference SQL isn't generated when foreign key values for a table differ.
#-| `Issue #7228 <https://redmine.postgresql.org/issues/7228>`_ -  Fixed a schema diff issue where string separator '_$PGADMIN$_' is visible for identical user mappings.
#-| `Issue #7230 <https://redmine.postgresql.org/issues/7230>`_ -  Fixed an issue where pgAdmin 4 took ~75 seconds to display the 'Starting pgAdmin' text on the splash screen.
#+  | `Issue #7220 <https://redmine.postgresql.org/issues/7220>`_ -  Fixed a schema diff issue where difference SQL isn't generated when foreign key values for a table differ.
#+  | `Issue #7228 <https://redmine.postgresql.org/issues/7228>`_ -  Fixed a schema diff issue where string separator '_$PGADMIN$_' is visible for identical user mappings.
#+  | `Issue #7230 <https://redmine.postgresql.org/issues/7230>`_ -  Fixed an issue where pgAdmin 4 took ~75 seconds to display the 'Starting pgAdmin' text on the splash screen.
#+  | `Issue #7233 <https://redmine.postgresql.org/issues/7233>`_ -  Ensure that upload paths are children of the storage directory.
diff --git a/web/pgadmin/misc/file_manager/__init__.py b/web/pgadmin/misc/file_manager/__init__.py
index d132e46eb..9df8ccc41 100644
--- a/web/pgadmin/misc/file_manager/__init__.py
+++ b/web/pgadmin/misc/file_manager/__init__.py
@@ -985,7 +985,11 @@ def add(self, req=None):
             try:
                 # Check if the new file is inside the users directory
                 if config.SERVER_MODE:
-                    pathlib.Path(new_name).relative_to(the_dir)
+                    pathlib.Path(
+                        os.path.abspath(
+                            os.path.join(the_dir, new_name)
+                        )
+                    ).relative_to(the_dir)
             except ValueError as _:
                 return self.ERROR_NOT_ALLOWED
 
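Review bot: The containment check added on the new lines is purely lexical: `os.path.abspath` collapses `..` segments but does not resolve symbolic links, so a link that lives under `the_dir` and points outside it would still satisfy `relative_to(the_dir)`; resolving both sides with `os.path.realpath` closes that gap, e.g. `pathlib.Path(` / `    os.path.realpath(os.path.join(the_dir, new_name))` / `).relative_to(os.path.realpath(the_dir))`. Normalizing `the_dir` as well matters because `relative_to` compares path components literally, so a relative or non-canonical `the_dir` would make the check raise spuriously or compare against a different spelling of the same directory — where `the_dir` is assigned is outside the hunk, so I cannot confirm its form. The normalized path is computed only for the comparison and then discarded; if the code that follows still operates on `new_name` as given, the path that was validated and the path that is written may not be the same object, which is worth verifying. The enclosing `add` method starts before and continues after this hunk.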