mirror of https://github.com/borgbackup/borg.git
security: fix enforcement of --restrict-to-path in args processing
Fixes CVE-2017-15914 (affects releases 1.1.0, 1.1.1, 1.1.2,
but not 1.0.x).
Thanks to Florian Apolloner for discovering/reporting this!
Also: added tests for this.
(cherry picked from commit ea0203bb0d)
parent
1cf6e1e103
commit
75854c1243
|
@ -3806,6 +3806,7 @@ class Archiver:
|
|||
return forced_result
|
||||
# we only take specific options from the forced "borg serve" command:
|
||||
result.restrict_to_paths = forced_result.restrict_to_paths
|
||||
result.restrict_to_repositories = forced_result.restrict_to_repositories
|
||||
result.append_only = forced_result.append_only
|
||||
return result
|
||||
|
||||
|
|
|
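Review bot: The override list under `# we only take specific options from the forced "borg serve" command:` looks fail-open: any option not copied from `forced_result` appears to keep the value parsed from the client-supplied command. The rendered page does not show which of the three assignments this commit adds, but the fix has that shape, so the same gap would reopen if a new restricting option were added to `borg serve` and not listed here. I would make the comment state the invariant, e.g. `# SECURITY: every serve option that restricts the client must be copied from forced_result here; anything not copied is client-controlled`. The enclosing method starts outside this hunk.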
@ -3546,10 +3546,22 @@ def test_get_args():
|
|||
assert args.restrict_to_paths == ['/p1', '/p2']
|
||||
assert args.umask == 0o027
|
||||
assert args.log_level == 'info'
|
||||
# similar, but with --restrict-to-repository
|
||||
args = archiver.get_args(['borg', 'serve', '--restrict-to-repository=/r1', '--restrict-to-repository=/r2', ],
|
||||
'borg serve --info --umask=0027')
|
||||
assert args.restrict_to_repositories == ['/r1', '/r2']
|
||||
# trying to cheat - break out of path restriction
|
||||
args = archiver.get_args(['borg', 'serve', '--restrict-to-path=/p1', '--restrict-to-path=/p2', ],
|
||||
'borg serve --restrict-to-path=/')
|
||||
assert args.restrict_to_paths == ['/p1', '/p2']
|
||||
# trying to cheat - break out of repository restriction
|
||||
args = archiver.get_args(['borg', 'serve', '--restrict-to-repository=/r1', '--restrict-to-repository=/r2', ],
|
||||
'borg serve --restrict-to-repository=/')
|
||||
assert args.restrict_to_repositories == ['/r1', '/r2']
|
||||
# trying to cheat - break below repository restriction
|
||||
args = archiver.get_args(['borg', 'serve', '--restrict-to-repository=/r1', '--restrict-to-repository=/r2', ],
|
||||
'borg serve --restrict-to-repository=/r1/below')
|
||||
assert args.restrict_to_repositories == ['/r1', '/r2']
|
||||
# trying to cheat - try to execute different subcommand
|
||||
args = archiver.get_args(['borg', 'serve', '--restrict-to-path=/p1', '--restrict-to-path=/p2', ],
|
||||
'borg init --encryption=repokey /')
|
||||
|
|
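Review bot: The cases in this hunk cover `restrict_to_paths` and `restrict_to_repositories`, but none visible here covers `append_only`, the third option the forced command is meant to dictate. A regression that dropped that assignment would still pass these tests. Consider adding `args = archiver.get_args(['borg', 'serve', '--append-only'], 'borg serve')` followed by `assert args.append_only`. The final statement (`'borg init --encryption=repokey /'`) has its assertion outside the hunk, since test_get_args continues past it.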