mirror of
https://github.com/rclone/rclone.git
synced 2026-07-12 16:55:58 -04:00
A user could reach another user's private repository by sending a path such as /<me>/../<victim>/config. The authorization check compares the first path segment against the authenticated user, while the backend object key was built from the raw, un-cleaned URL path. Reject any non-canonical request path so the authorization segment and the backend object key can no longer disagree. Fixes GHSA-fqj9-69pf-6pjg