Commit dccd4f0

committed
Ensure that upload paths are children of the storage directory. Fixes #7233
1 parent 99c6b17 commit dccd4f0

2 files changed

Lines changed: 17 additions & 9 deletions

File tree

‎docs/en_US/release_notes_6_7.rst‎

Lines changed: 12 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -2,21 +2,25 @@
22
Version 6.7
33
************
44

5-
Release date: 2022-03-11
5+
Release date: 2022-03-14
66

77
This release contains a number of bug fixes and new features since the release of pgAdmin4 6.6.
88

9-
New features
10-
************
9+
.. note:: **Security Release**
1110

11+
Please note that this release includes a security update to fix an issue
12+
where a user could upload files to directories outside of their storage directory, when using pgAdmin
13+
running in server mode.
1214

13-
Housekeeping
14-
************
15+
Users running pgAdmin in server mode, including the standard container based distribution, should upgrade
16+
to this release as soon as possible.
1517

18+
This issue does not affect users running in desktop mode.
1619

1720
Bug fixes
1821
*********
1922

20-
| `Issue #7220 <https://redmine.postgresql.org/issues/7220>`_ - Fixed a schema diff issue where difference SQL isn't generated when foreign key values for a table differ.
21-
| `Issue #7228 <https://redmine.postgresql.org/issues/7228>`_ - Fixed a schema diff issue where string separator '_$PGADMIN$_' is visible for identical user mappings.
22-
| `Issue #7230 <https://redmine.postgresql.org/issues/7230>`_ - Fixed an issue where pgAdmin 4 took ~75 seconds to display the 'Starting pgAdmin' text on the splash screen.
23+
| `Issue #7220 <https://redmine.postgresql.org/issues/7220>`_ - Fixed a schema diff issue where difference SQL isn't generated when foreign key values for a table differ.
24+
| `Issue #7228 <https://redmine.postgresql.org/issues/7228>`_ - Fixed a schema diff issue where string separator '_$PGADMIN$_' is visible for identical user mappings.
25+
| `Issue #7230 <https://redmine.postgresql.org/issues/7230>`_ - Fixed an issue where pgAdmin 4 took ~75 seconds to display the 'Starting pgAdmin' text on the splash screen.
26+
| `Issue #7233 <https://redmine.postgresql.org/issues/7233>`_ - Ensure that upload paths are children of the storage directory.
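Review bot: the new "Security Release" note (lines 9+ to 18+) describes the vulnerability but never links the tracking issue, so a reader of the note cannot find the fix without scrolling to the Bug fixes list; add a reference such as "see `Issue #7233 <https://redmine.postgresql.org/issues/7233>`_" to the note itself. Minor style point in line 15+: "container based" should be hyphenated as "container-based" since it modifies "distribution". The removed "New features" and "Housekeeping" headings (lines 9- to 16-) had no entries under them in this hunk, so dropping them is consistent.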

‎web/pgadmin/misc/file_manager/__init__.py‎

Lines changed: 5 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -985,7 +985,11 @@ def add(self, req=None):
985985
try:
986986
# Check if the new file is inside the users directory
987987
if config.SERVER_MODE:
988-
pathlib.Path(new_name).relative_to(the_dir)
988+
pathlib.Path(
989+
os.path.abspath(
990+
os.path.join(the_dir, new_name)
991+
)
992+
).relative_to(the_dir)
989993
except ValueError:
990994
return self.ERROR_NOT_ALLOWED
991995
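Review bot: the check at lines 988+ to 992+ normalizes only one side of the comparison. `os.path.abspath(os.path.join(the_dir, new_name))` collapses `..` segments in `new_name` before `relative_to`, which is the actual fix for #7233, but `the_dir` is passed to `relative_to` unnormalized; if `the_dir` is ever relative or contains `.`/`..` or a trailing separator, `relative_to` (a purely lexical comparison) can raise `ValueError` for legitimate paths or compare against a different prefix than intended. Suggest normalizing both sides, e.g. `base = os.path.abspath(the_dir)` and then `.relative_to(base)`. Also note that `os.path.abspath` does not resolve symlinks, so a symlink inside the storage directory pointing elsewhere still passes this check; if that is a concern, `os.path.realpath` on both sides would close it. Since the guard is wrapped in `if config.SERVER_MODE:` (line 987), desktop mode is intentionally unchecked, which matches the release note. A regression test that feeds a `new_name` containing `..` to `add()` and expects `ERROR_NOT_ALLOWED` would document the intent.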
