From a4b496d135d5525e006204a6e0605906a45a9238 Mon Sep 17 00:00:00 2001
From: Eric Callahan
Date: Sun, 8 Jan 2023 07:17:43 -0500
Subject: [PATCH] file_manager: fix internal access check
Include the reserved file check in the `can_access_path()` method. This fixes a potential vulnerability in the notifier where it may be possible to attach a reserved file to a notification.
Signed-off-by: Eric Callahan
---
moonraker/components/file_manager/file_manager.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/moonraker/components/file_manager/file_manager.py b/moonraker/components/file_manager/file_manager.py
index bf8aa56..b1f6fda 100644
--- a/moonraker/components/file_manager/file_manager.py
+++ b/moonraker/components/file_manager/file_manager.py
@@ -334,7 +334,7 @@ class FileManager:
 for registered in self.file_paths.values():
 reg_root_path = pathlib.Path(registered).resolve()
 if reg_root_path in path.parents:
- return True
+ return not self.check_reserved_path(path, False, False)
 return False
 def upload_queue_enabled(self) -> bool:
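Review bot: The two positional `False` arguments on the new `return not self.check_reserved_path(path, False, False)` line do not say what they select, and this is the line that closes the vulnerability, so a reader cannot tell from here which kind of access is being denied. The signature of `check_reserved_path` is outside the hunk; if, as it appears, they request a read-access check that returns a result instead of raising, pass them by keyword and add a comment such as `# a path under a registered root is still denied when it is reserved`. If any caller relies on `can_access_path()` to gate a write, it is worth confirming that a read-mode reserved check is strict enough for that caller. The method body begins above the hunk, so whether `path` has already been resolved before the reserved check runs is not visible here.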