Fix #1214 Arbitrary file download vulnerability

2020-06-23 14:22:34 +05:30 · 2020-06-23 14:22:34 +05:30 · 7689aa5fb4
commit 7689aa5fb4
parent e3abd64fe4
1 changed files with 4 additions and 1 deletions
--- a/bl-plugins/backup/plugin.php
+++ b/bl-plugins/backup/plugin.php
@ -94,7 +94,10 @@ class pluginBackup extends Plugin {
 			if (!empty($_GET['file'])) {
 				$login = new Login();
 				if ($login->role() === 'admin') {
-					downloadRestrictedFile(PATH_WORKSPACES.'backup/'.$_GET['file']);
+					$existingBackups = array_map('basename', glob(PATH_WORKSPACES.'backup/*.zip'));
+					if (in_array($_GET['file'], $existingBackups)) {
+						downloadRestrictedFile(PATH_WORKSPACES.'backup/'.$_GET['file']);
+					}
 				} else {
 					Alert::set($L->g('You do not have sufficient permissions'));
 					Redirect::page('dashboard');