Ensure that upload paths are children of the storage directory. Fixes #…

…7233
pgadmin-org · Mar 11, 2022 · dccd4f0 · dccd4f0
1 parent 99c6b17
commit dccd4f0
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 9 deletions.
diff --git a/docs/en_US/release_notes_6_7.rst b/docs/en_US/release_notes_6_7.rst
@@ -2,21 +2,25 @@
 Version 6.7
 ************
 
-Release date: 2022-03-11
+Release date: 2022-03-14
 
 This release contains a number of bug fixes and new features since the release of pgAdmin4 6.6.
 
-New features
-************
+.. note::  **Security Release**
 
+    Please note that this release includes a security update to fix an issue
+    where a user could upload files to directories outside of their storage directory, when using pgAdmin
+    running in server mode.
 
-Housekeeping
-************
+    Users running pgAdmin in server mode, including the standard container based distribution, should upgrade
+    to this release as soon as possible.
 
+    This issue does not affect users running in desktop mode.
 
 Bug fixes
 *********
 
-| `Issue #7220 <https://redmine.postgresql.org/issues/7220>`_ -  Fixed a schema diff issue where difference SQL isn't generated when foreign key values for a table differ.
-| `Issue #7228 <https://redmine.postgresql.org/issues/7228>`_ -  Fixed a schema diff issue where string separator '_$PGADMIN$_' is visible for identical user mappings.
-| `Issue #7230 <https://redmine.postgresql.org/issues/7230>`_ -  Fixed an issue where pgAdmin 4 took ~75 seconds to display the 'Starting pgAdmin' text on the splash screen.
+  | `Issue #7220 <https://redmine.postgresql.org/issues/7220>`_ -  Fixed a schema diff issue where difference SQL isn't generated when foreign key values for a table differ.
+  | `Issue #7228 <https://redmine.postgresql.org/issues/7228>`_ -  Fixed a schema diff issue where string separator '_$PGADMIN$_' is visible for identical user mappings.
+  | `Issue #7230 <https://redmine.postgresql.org/issues/7230>`_ -  Fixed an issue where pgAdmin 4 took ~75 seconds to display the 'Starting pgAdmin' text on the splash screen.
+  | `Issue #7233 <https://redmine.postgresql.org/issues/7233>`_ -  Ensure that upload paths are children of the storage directory.
diff --git a/web/pgadmin/misc/file_manager/__init__.py b/web/pgadmin/misc/file_manager/__init__.py
@@ -985,7 +985,11 @@ def add(self, req=None):
             try:
                 # Check if the new file is inside the users directory
                 if config.SERVER_MODE:
-                    pathlib.Path(new_name).relative_to(the_dir)
+                    pathlib.Path(
+                        os.path.abspath(
+                            os.path.join(the_dir, new_name)
+                        )
+                    ).relative_to(the_dir)
             except ValueError:
                 return self.ERROR_NOT_ALLOWED