SECURITY: Disallow symlinks when restoring uploads.

2024-12-15 21:33:49 +08:00 · 2017-03-17 14:27:01 +08:00 · 2017-03-17 14:27:01 +08:00 · 2daed01070
commit 2daed01070
parent c14d98354b
1 changed files with 1 additions and 1 deletions
--- a/lib/backup_restore/restorer.rb
+++ b/lib/backup_restore/restorer.rb
@ -380,7 +380,7 @@ module BackupRestore
          current_db_name = RailsMultisite::ConnectionManagement.current_db

          execute_command(
-            'rsync', '-avp', "#{tmp_uploads_path}/", "uploads/#{current_db_name}/",
+            'rsync', '-avp', '--safe-links', "#{tmp_uploads_path}/", "uploads/#{current_db_name}/",
            failure_message: "Failed to restore uploads."
          )