mirror of
https://gh.wpcy.net/https://github.com/discourse/discourse.git
synced 2026-05-25 07:58:07 +08:00
b348c0d0ce
Harden backup download/delete/restore path handling to prevent path traversal across site backup directories in multisite setups using local backup storage. Tighten backup route matching, validate backup IDs in admin backup member actions, and enforce canonical-path containment in LocalBackupStore so filenames cannot escape the current site’s backup directory. Add regression specs for route matching, controller rejection of traversal IDs, and local store traversal protection. CVE: https://github.com/discourse/discourse/security/advisories/GHSA-5j6v-4x6g-9pg5
11 lines
168 B
Ruby
Vendored
11 lines
168 B
Ruby
Vendored
# frozen_string_literal: true
|
|
|
|
module RouteFormat
|
|
def self.username
|
|
/[%\w.\-]+?/
|
|
end
|
|
|
|
def self.backup
|
|
/[a-zA-Z0-9._-]+\.(sql\.gz|tar\.gz|tgz)/i
|
|
end
|
|
end
|
