restic 0.8.0 released
26 Nov 2017
We’ve just released restic 0.8.0. It brings the new awesome metadata cache, which will speed up many operations; you may need to run restic prune once to fully see it in action.
This release also corrects a (low risk) vulnerability. When attackers are able to create files with arbitrary names on a Linux/Unix system in a directory that is saved with restic, restoring that directory on a Windows system may write files outside the target directory of the restore.
It works as follows:
- The attackers create a file called ..\test.txt, which is a valid filename on Linux.
- This is saved with restic, which will just save the file name verbatim.
- When the file is restored on Linux, it’ll just be called ..\test.txt again. But if it is restored on Windows, it’ll be placed in the parent directory of the target directory (because ..\ refers to the parent).
We think this situation will not occur very often, so it is estimated to be of low risk. Nevertheless we’ve made sure that the behavior is changed, and now restic refuses to write files outside the target directory during restore.
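The check described above, written out as an added example (not restic’s own code): a hypothetical restorePath helper resolves a stored file name under the restore target and refuses anything that lands outside it. The windowsSeparators flag is an assumption of this example so that both interpretations of the backslash can be shown on one host; on Linux ..\test.txt is a single component, on Windows it is a traversal.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// ErrOutsideTarget is returned when a stored name would escape the restore target.
var ErrOutsideTarget = errors.New("restore: file name resolves outside the target directory")

// restorePath (hypothetical helper, not restic's) computes where storedName, taken
// verbatim from the snapshot, would land when restored under target. With
// windowsSeparators set, '\' is treated as a path separator, as Windows does.
func restorePath(target, storedName string, windowsSeparators bool) (string, error) {
	name, base := storedName, target
	if windowsSeparators {
		// Windows accepts both '\' and '/'; normalise to '/' so path.Clean can resolve "..".
		name = strings.ReplaceAll(name, `\`, "/")
		base = strings.ReplaceAll(base, `\`, "/")
	}
	// Absolute names and drive-letter prefixes can never be relative to the target.
	if strings.HasPrefix(name, "/") || (windowsSeparators && len(name) >= 2 && name[1] == ':') {
		return "", ErrOutsideTarget
	}
	base = path.Clean(base)
	joined := path.Clean(path.Join(base, name))
	// After cleaning, the result must be the target itself or lie strictly below it.
	prefix := base + "/"
	if base == "/" {
		prefix = "/"
	}
	if joined != base && !strings.HasPrefix(joined, prefix) {
		return "", ErrOutsideTarget
	}
	return joined, nil
}

func main() {
	// Constructed sample: the same stored name restored on Linux and on Windows.
	for _, win := range []bool{false, true} {
		p, err := restorePath("/restore", `..\test.txt`, win)
		fmt.Printf("windows=%v path=%q err=%v\n", win, p, err)
	}
}
```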
We’d like to thank Tyler Spivey for reporting the vulnerability responsibly!