File check-if-new-file-inside-users-directory.patch of Package pgadmin4.16330
From: Aditya Toshniwal <aditya.toshniwal@enterprisedb.com>
Date: Fri, 11 Sep 2020 19:55:19 +0530
Adapted-by: Antonio Larrosa <alarrosa@suse.com>
This is part of
https://github.com/postgres/pgadmin4/commit/b82e6dbdb8646de0bd35c7297f81a32dee5d1891
so the next patches can apply correctly.
Index: pgadmin4-4.1/web/pgadmin/misc/file_manager/__init__.py
===================================================================
--- pgadmin4-4.1.orig/web/pgadmin/misc/file_manager/__init__.py
+++ pgadmin4-4.1/web/pgadmin/misc/file_manager/__init__.py
@@ -964,6 +964,12 @@ class Filemanager(object):
             orig_path = u"{0}{1}".format(dir, path)
             newName = u"{0}{1}".format(orig_path, file_name)
 
+            try:
+                # Check if the new file is inside the users directory
+                pathlib.Path(new_name).relative_to(the_dir)
+            except ValueError as _:
+                return self.ERROR_NOT_ALLOWED 
+
             with open(newName, 'wb') as f:
                 while True:
                     # 4MB chunk (4 * 1024 * 1024 Bytes)
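Review bot: The added containment check reads `new_name` and `the_dir`, but the context lines just above it build `newName` and `dir`, and the `open()` below still writes to `newName`. Unless those two names are bound earlier in the method (its body starts and ends outside this hunk), the check raises NameError, which `except ValueError` does not catch, so the upload fails with an unhandled exception instead of returning `ERROR_NOT_ALLOWED`. Separately, `relative_to` compares paths lexically only, so a name containing `..` segments or a symlinked component can pass the check while the file is written outside the user's directory. I would test the path that is actually opened, with both sides normalised first: `pathlib.Path(newName).resolve().relative_to(pathlib.Path(dir).resolve())`. Please also confirm that `pathlib` is imported in this module, since no import is visible in the patch; `except ValueError:` without `as _` is sufficient.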