Address security vulnerabilities allowing certain internal processes to potentiallty escape server data directory

2020-07-18 11:40:38 -07:00
parent 6e1844a8c9
commit 4f1b0c67d6
3 changed files with 54 additions and 7 deletions
--- a/server/archiver.go
+++ b/server/archiver.go
@@ -52,7 +52,12 @@ func (a *Archiver) Archive() error {
 	}

 	for _, file := range fileInfo {
-		files = append(files, filepath.Join(path, file.Name()))
+		f, err := a.Server.Filesystem.SafeJoin(path, file)
+		if err != nil {
+			return err
+		}
+
+		files = append(files, f)
 	}

 	stat, err := a.Stat()