• Sami Hiltunen's avatar
    improved path traversal protection · f89b33ba
    Sami Hiltunen authored
    Currently relative paths are validated against path traversals although
    in an incomplete manner. While relative paths with traversals do not cause
    problems for Gitaly in itself, we need be sure that every path accessed lies
    within the storage directories to ensure RPC callers can't access arbitrary
    paths. This commit replaces the path traversal checks by checking that the
    relative paths refer to paths within the root of the storage or the storage
    root itself.
    f89b33ba
archive.go 3.15 KB