rafaelmaiolla
Temporary local file path interprets all occurrences of ".." in display-name
When opening a file on the server with .. in the file name passed to rmate, this is preserved when generating the path to the local temporary file, causing that file to potentially be produced outside of the designated temp directory.
e.g., when running VSCode on a Windows system, the following commands on the server will generate the local temporary file at the indicated location:
| Command | Location of resulting local file |
|---|---|
rmate foo.txt |
$USERPROFILE/AppData/Local/Temp/(random string)/foo.txt |
rmate ../foo.txt |
$USERPROFILE/AppData/Local/Temp/foo.txt |
rmate ../../foo.txt |
$USERPROFILE/AppData/Local/foo.txt |
rmate ../../../foo.txt |
$USERPROFILE/AppData/foo.txt |
rmate ../../../../foo.txt |
$USERPROFILE/foo.txt |
This will potentially cause temporary files to be strewn all about the user's home directory, overwrite a file in some other app's AppData subdirectory (e.g., rmate ../../miniconda3/.condarc), or in the worst case, try to open a file outside of the home directory.
Confirmed that this is reproducible with both the bash and Python versions of rmate.
Edited to add: If the temporary file was generated using real-path from the rmate request (which will always be an absolute path), rather than display-name (which may be relative), that would also solve the issue.
