octoleo/restic
2
2
Fork 0
mirror of https://github.com/octoleo/restic.git synced 2024-12-22 10:58:55 +00:00
Code Issues Releases Wiki Activity

backup: Reject filenames with paths read from stdin

Browse Source
This commit is contained in:
Alexander Neumann 2017-12-13 19:55:53 +01:00
parent 42a8c19aae
commit d3ebe1311f
1 changed files with 9 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
cmd/restic/cmd_backup.go
View File

@ -5,6 +5,7 @@ import (
"fmt" "fmt"
"io" "io"
"os" "os"
"path"
"path/filepath" "path/filepath"
"strings" "strings"
"time" "time"
@ -236,10 +237,16 @@ func readBackupFromStdin(opts BackupOptions, gopts GlobalOptions, args []string)
return errors.Fatal("when reading from stdin, no additional files can be specified") return errors.Fatal("when reading from stdin, no additional files can be specified")
} }
if opts.StdinFilename == "" { fn := opts.StdinFilename
if fn == "" {
return errors.Fatal("filename for backup from stdin must not be empty") return errors.Fatal("filename for backup from stdin must not be empty")
} }
if filepath.Base(fn) != fn || path.Base(fn) != fn {
return errors.Fatal("filename is invalid (may not contain a directory, slash or backslash)")
}
if gopts.password == "" { if gopts.password == "" {
return errors.Fatal("unable to read password from stdin when data is to be read from stdin, use --password-file or $RESTIC_PASSWORD") return errors.Fatal("unable to read password from stdin when data is to be read from stdin, use --password-file or $RESTIC_PASSWORD")
} }
@ -266,7 +273,7 @@ func readBackupFromStdin(opts BackupOptions, gopts GlobalOptions, args []string)
Hostname: opts.Hostname, Hostname: opts.Hostname,
} }
_, id, err := r.Archive(gopts.ctx, opts.StdinFilename, os.Stdin, newArchiveStdinProgress(gopts)) _, id, err := r.Archive(gopts.ctx, fn, os.Stdin, newArchiveStdinProgress(gopts))
if err != nil { if err != nil {
return err return err
} }