SECURITY: Disallow symlinks when restoring uploads.

2025-01-31 15:17:14 +08:00 · 2017-03-17 14:27:01 +08:00 · 2017-03-17 14:27:01 +08:00 · b49bf889f6
commit b49bf889f6
parent 566f367fc3
1 changed files with 1 additions and 1 deletions
--- a/lib/backup_restore/restorer.rb
+++ b/lib/backup_restore/restorer.rb
@ -380,7 +380,7 @@ module BackupRestore
          current_db_name = RailsMultisite::ConnectionManagement.current_db

          execute_command(
-            'rsync', '-avp', "#{tmp_uploads_path}/", "uploads/#{current_db_name}/",
+            'rsync', '-avp', '--safe-links', "#{tmp_uploads_path}/", "uploads/#{current_db_name}/",
            failure_message: "Failed to restore uploads."
          )