From 2daed010704c95a44dccbd4e47331118c2edd0ce Mon Sep 17 00:00:00 2001
From: Guo Xiang Tan
Date: Fri, 17 Mar 2017 14:27:01 +0800
Subject: [PATCH] SECURITY: Disallow symlinks when restoring uploads.
---
 lib/backup_restore/restorer.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/backup_restore/restorer.rb b/lib/backup_restore/restorer.rb
index 13a36ee60c6..f7606e871e1 100644
--- a/lib/backup_restore/restorer.rb
+++ b/lib/backup_restore/restorer.rb
@@ -380,7 +380,7 @@ module BackupRestore
 current_db_name = RailsMultisite::ConnectionManagement.current_db
 execute_command(
- 'rsync', '-avp', "#{tmp_uploads_path}/", "uploads/#{current_db_name}/",
+ 'rsync', '-avp', '--safe-links', "#{tmp_uploads_path}/", "uploads/#{current_db_name}/",
 failure_message: "Failed to restore uploads."
 )
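Review bot: `--safe-links` on the rsync line is narrower than the subject "Disallow symlinks": with `-a` (which implies `-l`) rsync still recreates relative symlinks whose target stays inside `tmp_uploads_path`, and skips only absolute links and links that point outside the copied tree. If restored uploads should never contain links, `--no-links` states that directly, `'rsync', '-avp', '--no-links', "#{tmp_uploads_path}/", "uploads/#{current_db_name}/",`; if in-tree links are kept on purpose, a comment above the call such as `# --safe-links: drop symlinks that are absolute or escape the uploads tree` would stop a later cleanup from removing the flag. The diffstat shows only restorer.rb changed, so no regression test with a symlink-bearing backup accompanies the fix. The enclosing method starts and ends outside the hunk, so whatever populates `tmp_uploads_path` is not visible here and is not covered by this flag.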