From dde18d6a7660837ce7b4f30d31960bdc74252570 Mon Sep 17 00:00:00 2001
From: Thomas Waldmann
Date: Tue, 2 Aug 2016 15:50:21 +0200
Subject: [PATCH] security fix: --restrict-to-path must not accept pathes with same name prefix

bug: --restrict-to-path /foo erroneously allowed /foobar.
even worse: --restrict-to-path /foo/ erroneously allowed /foobar.
---
 borg/remote.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/borg/remote.py b/borg/remote.py
index 6a611019c..472d1ac36 100644
--- a/borg/remote.py
+++ b/borg/remote.py
@@ -120,8 +120,13 @@ class RepositoryServer: # pragma: no cover
 path = path[1:]
 path = os.path.realpath(os.path.expanduser(path))
 if self.restrict_to_paths:
+ # if --restrict-to-path P is given, we make sure that we only operate in/below path P.
+ # for the prefix check, it is important that the compared pathes both have trailing slashes,
+ # so that a path /foobar will NOT be accepted with --restrict-to-path /foo option.
+ path_with_sep = os.path.join(path, '') # make sure there is a trailing slash (os.sep)
 for restrict_to_path in self.restrict_to_paths:
- if path.startswith(os.path.realpath(restrict_to_path)):
+ restrict_to_path_with_sep = os.path.join(os.path.realpath(restrict_to_path), '') # trailing slash
+ if path_with_sep.startswith(restrict_to_path_with_sep):
 break
 else:
 raise PathNotAllowed(path)
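Review bot: Nothing in this commit pins the corrected access-control check with a test. The diffstat shows only borg/remote.py changed, and the enclosing class is marked `# pragma: no cover`, so a later refactor could reintroduce the prefix confusion unnoticed. A regression test should cover both `--restrict-to-path /foo` and `--restrict-to-path /foo/`, asserting that `/foobar` raises `PathNotAllowed` while `/foo` and `/foo/sub` are accepted. Separately, the requested path goes through `os.path.expanduser` before `os.path.realpath`, but each allowed root only gets `os.path.realpath`. A root configured with a literal `~` would therefore presumably never match; either normalise both sides the same way, e.g. `os.path.join(os.path.realpath(os.path.expanduser(restrict_to_path)), '')`, or document that roots must be given as absolute paths. The enclosing method starts and ends outside the hunk, so how `path` is used after the check cannot be confirmed from here.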