
security: fix enforcement of --restrict-to-path in args processing

Fixes CVE-2017-15914 (affects releases 1.1.0, 1.1.1, 1.1.2,
but not 1.0.x).

Thanks to Florian Apolloner for discovering/reporting this!

Also: added tests for this.
(cherry picked from commit ea0203bb0de557cd29de5ab0a0efe5f6015ca59d)
Thomas Waldmann 7 years ago
parent
commit
75854c1243
2 changed files with 13 additions and 0 deletions
  1. 1 0
      src/borg/archiver.py
  2. 12 0
      src/borg/testsuite/archiver.py

+ 1 - 0
src/borg/archiver.py

@@ -3806,6 +3806,7 @@ class Archiver:
                 return forced_result
             # we only take specific options from the forced "borg serve" command:
             result.restrict_to_paths = forced_result.restrict_to_paths
+            result.restrict_to_repositories = forced_result.restrict_to_repositories
             result.append_only = forced_result.append_only
         return result
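Review bot: The assignments under `# we only take specific options from the forced "borg serve" command:` are still a hand-maintained override list applied on top of the client-parsed `result`. Any restricting option that is not listed there keeps the client's value, which is the same gap this line closes for `restrict_to_repositories`. Consider inverting the merge: start from `forced_result` and copy over only an explicit set of client-settable attributes, so that a newly added `borg serve` restriction is enforced by default. At minimum, put a comment such as `# SECURITY: every restricting option of "borg serve" must be copied from forced_result here` above the assignments. The enclosing method starts outside the hunk, so how `result` and `forced_result` are built is not visible here.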
 

+ 12 - 0
src/borg/testsuite/archiver.py

@@ -3546,10 +3546,22 @@ def test_get_args():
     assert args.restrict_to_paths == ['/p1', '/p2']
     assert args.umask == 0o027
     assert args.log_level == 'info'
+    # similar, but with --restrict-to-repository
+    args = archiver.get_args(['borg', 'serve', '--restrict-to-repository=/r1', '--restrict-to-repository=/r2', ],
+                             'borg serve --info --umask=0027')
+    assert args.restrict_to_repositories == ['/r1', '/r2']
     # trying to cheat - break out of path restriction
     args = archiver.get_args(['borg', 'serve', '--restrict-to-path=/p1', '--restrict-to-path=/p2', ],
                              'borg serve --restrict-to-path=/')
     assert args.restrict_to_paths == ['/p1', '/p2']
+    # trying to cheat - break out of repository restriction
+    args = archiver.get_args(['borg', 'serve', '--restrict-to-repository=/r1', '--restrict-to-repository=/r2', ],
+                             'borg serve --restrict-to-repository=/')
+    assert args.restrict_to_repositories == ['/r1', '/r2']
+    # trying to cheat - break below repository restriction
+    args = archiver.get_args(['borg', 'serve', '--restrict-to-repository=/r1', '--restrict-to-repository=/r2', ],
+                             'borg serve --restrict-to-repository=/r1/below')
+    assert args.restrict_to_repositories == ['/r1', '/r2']
     # trying to cheat - try to execute different subcommand
     args = archiver.get_args(['borg', 'serve', '--restrict-to-path=/p1', '--restrict-to-path=/p2', ],
                              'borg init --encryption=repokey /')
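Review bot: The added cases pin `restrict_to_repositories`, but nothing visible in this hunk checks `append_only`, the third attribute that the forced command dictates in archiver.py. A case where the client command omits it would cover that: `args = archiver.get_args(['borg', 'serve', '--append-only', ], 'borg serve')` followed by `assert args.append_only`. It would catch a dropped override there the same way these cases now do for the repository restriction. test_get_args continues outside the hunk on both sides, so such a check may already exist in the lines not shown.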