From d3ebe1311fcaca3b63f741957b67d72456c27dd4 Mon Sep 17 00:00:00 2001
From: Alexander Neumann
Date: Wed, 13 Dec 2017 19:55:53 +0100
Subject: [PATCH] backup: Reject filenames with paths read from stdin
---
 cmd/restic/cmd_backup.go | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/cmd/restic/cmd_backup.go b/cmd/restic/cmd_backup.go
index 48a607ecb..c4adec1c2 100644
--- a/cmd/restic/cmd_backup.go
+++ b/cmd/restic/cmd_backup.go
@@ -5,6 +5,7 @@ import (
 "fmt"
 "io"
 "os"
+ "path"
 "path/filepath"
 "strings"
 "time"
@@ -236,10 +237,16 @@ func readBackupFromStdin(opts BackupOptions, gopts GlobalOptions, args []string)
 return errors.Fatal("when reading from stdin, no additional files can be specified")
 }
- if opts.StdinFilename == "" {
+ fn := opts.StdinFilename
+
+ if fn == "" {
 return errors.Fatal("filename for backup from stdin must not be empty")
 }
+ if filepath.Base(fn) != fn || path.Base(fn) != fn {
+ return errors.Fatal("filename is invalid (may not contain a directory, slash or backslash)")
+ }
+
 if gopts.password == "" {
 return errors.Fatal("unable to read password from stdin when data is to be read from stdin, use --password-file or $RESTIC_PASSWORD")
 }
@@ -266,7 +273,7 @@ func readBackupFromStdin(opts BackupOptions, gopts GlobalOptions, args []string)
 Hostname: opts.Hostname,
 }
- _, id, err := r.Archive(gopts.ctx, opts.StdinFilename, os.Stdin, newArchiveStdinProgress(gopts))
+ _, id, err := r.Archive(gopts.ctx, fn, os.Stdin, newArchiveStdinProgress(gopts))
 if err != nil {
 return err
 }
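Review bot: The new check `filepath.Base(fn) != fn || path.Base(fn) != fn` does not enforce what its error message promises on non-Windows hosts: there both `filepath` and `path` treat only `/` as a separator, so a name containing a backslash is accepted, and a snapshot written on Linux can carry a name that a Windows host will interpret as a path at restore time. It also lets `.` and `..` through, because `Base` returns those unchanged; whether a node named `..` can resolve outside the restore target depends on restore code not shown here, but rejecting it at this input boundary costs nothing. Since `strings` is already imported, the condition can be made platform-independent: `if fn == "." || fn == ".." || strings.ContainsAny(fn, "/\\") || filepath.Base(fn) != fn {`. Keeping the `filepath.Base` clause preserves the volume-name rejection on Windows (a name such as `C:name`), which the explicit separator test alone would not catch. readBackupFromStdin starts before and continues after this hunk.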