Remove rollback should validate it exists in choco install backup directory #387
Comments
ferventcoder
added a commit
that referenced
this issue
Sep 18, 2015
As a further enhancement for GH-341 (270ea94), ensure that package names are not attempting to navigate out of the lib backup directory. A specially crafted package name could cause choco to attempt to delete folders it should not, therefore we need to restrict it to the lib backup folder only. If we find we are no longer in a subdirectory of the backup directory, we should return immediately without attempting to delete anything.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
As a further enhancement for #341, we should ensure that package names are not attempting to navigate out of the lib backup directory. A specially crafted package name could cause choco to attempt to delete folders it should not, therefore we need to restrict it to the lib backup folder only and exit with an error if it does not find that it is accessing that folder. We should also look to disable navigating up with relative path for a package name when combining the package name with the backup folder.
The text was updated successfully, but these errors were encountered: