Files
rclone/cmd
Nick Craig-Wood dade21c161 serve restic: fix --private-repos isolation bypass CVE-2026-59733
A user could reach another user's private repository by sending a path
such as /<me>/../<victim>/config. The authorization check compares the
first path segment against the authenticated user, while the backend
object key was built from the raw, un-cleaned URL path.

Reject any non-canonical request path so the authorization segment and
the backend object key can no longer disagree.

Fixes GHSA-fqj9-69pf-6pjg
2026-07-08 16:07:11 +01:00
..
2025-11-13 13:47:40 +00:00
2025-11-21 17:02:45 +00:00