3 files changed, 33 insertions, 23 deletions

diff --git a/src/machine/machine-dbus.c b/src/machine/machine-dbus.c
index dc42ffdc52..7658d7146d 100644
--- a/src/machine/machine-dbus.c
+++ b/src/machine/machine-dbus.c
@@ -825,13 +825,13 @@ int bus_machine_method_copy(sd_bus_message *message, void *userdata, sd_bus_erro
         if (r < 0)
                 return r;
 
-        if (!path_is_absolute(src) || !path_is_safe(src))
-                return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Source path must be absolute and not contain ../.");
+        if (!path_is_absolute(src))
+                return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Source path must be absolute.");
 
         if (isempty(dest))
                 dest = src;
-        else if (!path_is_absolute(dest) || !path_is_safe(dest))
-                return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Destination path must be absolute and not contain ../.");
+        else if (!path_is_absolute(dest))
+                return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Destination path must be absolute.");
 
         r = bus_verify_polkit_async(
                         message,
diff --git a/src/machine/machine.c b/src/machine/machine.c
index 05fc4f849f..ab26803683 100644
--- a/src/machine/machine.c
+++ b/src/machine/machine.c
@@ -112,13 +112,13 @@ int machine_save(Machine *m) {
 
         r = mkdir_safe_label("/run/systemd/machines", 0755, 0, 0);
         if (r < 0)
-                goto finish;
+                goto fail;
 
         r = fopen_temporary(m->state_file, &f, &temp_path);
         if (r < 0)
-                goto finish;
+                goto fail;
 
-        fchmod(fileno(f), 0644);
+        (void) fchmod(fileno(f), 0644);
 
         fprintf(f,
                 "# This is private data. Do not parse.\n"
@@ -131,7 +131,7 @@ int machine_save(Machine *m) {
                 escaped = cescape(m->unit);
                 if (!escaped) {
                         r = -ENOMEM;
-                        goto finish;
+                        goto fail;
                 }
 
                 fprintf(f, "SCOPE=%s\n", escaped); /* We continue to call this "SCOPE=" because it is internal only, and we want to stay compatible with old files */
@@ -146,7 +146,7 @@ int machine_save(Machine *m) {
                 escaped = cescape(m->service);
                 if (!escaped) {
                         r = -ENOMEM;
-                        goto finish;
+                        goto fail;
                 }
                 fprintf(f, "SERVICE=%s\n", escaped);
         }
@@ -157,7 +157,7 @@ int machine_save(Machine *m) {
                 escaped = cescape(m->root_directory);
                 if (!escaped) {
                         r = -ENOMEM;
-                        goto finish;
+                        goto fail;
                 }
                 fprintf(f, "ROOT=%s\n", escaped);
         }
@@ -195,16 +195,13 @@ int machine_save(Machine *m) {
 
         r = fflush_and_check(f);
         if (r < 0)
-                goto finish;
+                goto fail;
 
         if (rename(temp_path, m->state_file) < 0) {
                 r = -errno;
-                goto finish;
+                goto fail;
         }
 
-        free(temp_path);
-        temp_path = NULL;
-
         if (m->unit) {
                 char *sl;
 
@@ -215,14 +212,15 @@ int machine_save(Machine *m) {
                 (void) symlink(m->name, sl);
         }
 
-finish:
-        if (temp_path)
-                unlink(temp_path);
+        return 0;
 
-        if (r < 0)
-                log_error_errno(r, "Failed to save machine data %s: %m", m->state_file);
+fail:
+        (void) unlink(m->state_file);
 
-        return r;
+        if (temp_path)
+                (void) unlink(temp_path);
+
+        return log_error_errno(r, "Failed to save machine data %s: %m", m->state_file);
 }
 
 static void machine_unlink(Machine *m) {
diff --git a/src/machine/machinectl.c b/src/machine/machinectl.c
index 7cb6ce77ac..66ed41087c 100644
--- a/src/machine/machinectl.c
+++ b/src/machine/machinectl.c
@@ -1073,6 +1073,8 @@ static int terminate_machine(int argc, char *argv[], void *userdata) {
 
 static int copy_files(int argc, char *argv[], void *userdata) {
         _cleanup_bus_error_free_ sd_bus_error error = SD_BUS_ERROR_NULL;
+        _cleanup_free_ char *abs_host_path = NULL;
+        char *dest, *host_path, *container_path;
         sd_bus *bus = userdata;
         bool copy_from;
         int r;
@@ -1082,6 +1084,16 @@ static int copy_files(int argc, char *argv[], void *userdata) {
         polkit_agent_open_if_enabled();
 
         copy_from = streq(argv[0], "copy-from");
+        dest = argv[3] ?: argv[2];
+        host_path = copy_from ? dest : argv[2];
+        container_path = copy_from ? argv[2] : dest;
+
+        if (!path_is_absolute(host_path)) {
+                abs_host_path = path_make_absolute_cwd(host_path);
+                if (!abs_host_path)
+                        return log_oom();
+                host_path = abs_host_path;
+        }
 
         r = sd_bus_call_method(
                         bus,
@@ -1093,8 +1105,8 @@ static int copy_files(int argc, char *argv[], void *userdata) {
                         NULL,
                         "sss",
                         argv[1],
-                        argv[2],
-                        argv[3]);
+                        copy_from ? container_path : host_path,
+                        copy_from ? host_path : container_path);
         if (r < 0) {
                 log_error("Failed to copy: %s", bus_error_message(&error, -r));
                 return r;