From 75854c1243b29ec5558be6fdefe365cd438abb4c Mon Sep 17 00:00:00 2001
From: Thomas Waldmann
Date: Sun, 26 Nov 2017 19:51:10 +0100
Subject: [PATCH] security: fix enforcement of --restrict-to-path in args processing
Fixes CVE-2017-15914 (affects releases 1.1.0, 1.1.1, 1.1.2, but not 1.0.x).
Thanks to Florian Apolloner for discovering/reporting this!
Also: added tests for this.
(cherry picked from commit ea0203bb0de557cd29de5ab0a0efe5f6015ca59d)
---
 src/borg/archiver.py | 1 +
 src/borg/testsuite/archiver.py | 12 ++++++++++++
 2 files changed, 13 insertions(+)
diff --git a/src/borg/archiver.py b/src/borg/archiver.py
index a14d4af57..887cb7726 100644
--- a/src/borg/archiver.py
+++ b/src/borg/archiver.py
@@ -3806,6 +3806,7 @@ class Archiver:
 return forced_result
 # we only take specific options from the forced "borg serve" command:
 result.restrict_to_paths = forced_result.restrict_to_paths
+ result.restrict_to_repositories = forced_result.restrict_to_repositories
 result.append_only = forced_result.append_only
 return result
diff --git a/src/borg/testsuite/archiver.py b/src/borg/testsuite/archiver.py
index a25cb5de4..910b53729 100644
--- a/src/borg/testsuite/archiver.py
+++ b/src/borg/testsuite/archiver.py
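Review bot: The list of options copied from the forced command in `Archiver` is maintained by hand, and the comment above it does not say that every restricting `borg serve` option has to appear there; the missing `restrict_to_repositories` assignment is exactly the kind of omission that goes unnoticed. Any option left out keeps the value parsed from the other command line, which judging by the tests in this patch is the client-supplied one, so an omission silently turns a forced restriction into a client choice. I would extend the existing comment to state this, e.g. `# SECURITY: every restricting "borg serve" option must be copied here, otherwise the client-supplied value wins`. The enclosing method starts and ends outside the hunk, so whether other serve options need the same treatment cannot be judged from these lines.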
@@ -3546,10 +3546,22 @@ def test_get_args():
 assert args.restrict_to_paths == ['/p1', '/p2']
 assert args.umask == 0o027
 assert args.log_level == 'info'
+ # similar, but with --restrict-to-repository
+ args = archiver.get_args(['borg', 'serve', '--restrict-to-repository=/r1', '--restrict-to-repository=/r2', ],
+ 'borg serve --info --umask=0027')
+ assert args.restrict_to_repositories == ['/r1', '/r2']
 # trying to cheat - break out of path restriction
 args = archiver.get_args(['borg', 'serve', '--restrict-to-path=/p1', '--restrict-to-path=/p2', ],
 'borg serve --restrict-to-path=/')
 assert args.restrict_to_paths == ['/p1', '/p2']
+ # trying to cheat - break out of repository restriction
+ args = archiver.get_args(['borg', 'serve', '--restrict-to-repository=/r1', '--restrict-to-repository=/r2', ],
+ 'borg serve --restrict-to-repository=/')
+ assert args.restrict_to_repositories == ['/r1', '/r2']
+ # trying to cheat - break below repository restriction
+ args = archiver.get_args(['borg', 'serve', '--restrict-to-repository=/r1', '--restrict-to-repository=/r2', ],
+ 'borg serve --restrict-to-repository=/r1/below')
+ assert args.restrict_to_repositories == ['/r1', '/r2']
 # trying to cheat - try to execute different subcommand
 args = archiver.get_args(['borg', 'serve', '--restrict-to-path=/p1', '--restrict-to-path=/p2', ],
 'borg init --encryption=repokey /')
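Review bot: Each new case in `test_get_args` pairs a forced option with a client value for that same option; none mixes the two kinds, so nothing pins the result when the forced command carries only `--restrict-to-repository` and the client command carries `--restrict-to-path=/`. A case such as `args = archiver.get_args(['borg', 'serve', '--restrict-to-repository=/r1', ], 'borg serve --restrict-to-path=/')` followed by `assert args.restrict_to_repositories == ['/r1']` would cover it, together with an assertion that `args.restrict_to_paths` equals what the forced command alone yields (that default is not visible here). The test function starts before and continues after this hunk, so a mixed case may already exist outside the visible lines.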