From 7689aa5fb40aad107fdc6599cd0a04af1545c060 Mon Sep 17 00:00:00 2001
From: Anaggh S
Date: Tue, 23 Jun 2020 14:22:34 +0530
Subject: [PATCH] Fix #1214 Arbitrary file download vulnerability

---
 bl-plugins/backup/plugin.php | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/bl-plugins/backup/plugin.php b/bl-plugins/backup/plugin.php
index 0d6f7064..de168bb5 100644
--- a/bl-plugins/backup/plugin.php
+++ b/bl-plugins/backup/plugin.php
@@ -94,7 +94,10 @@ class pluginBackup extends Plugin {
 if (!empty($_GET['file'])) {
 $login = new Login();
 if ($login->role() === 'admin') {
- downloadRestrictedFile(PATH_WORKSPACES.'backup/'.$_GET['file']);
+ $existingBackups = array_map('basename', glob(PATH_WORKSPACES.'backup/*.zip'));
+ if (in_array($_GET['file'], $existingBackups)) {
+ downloadRestrictedFile(PATH_WORKSPACES.'backup/'.$_GET['file']);
+ }
 } else {
 Alert::set($L->g('You do not have sufficient permissions'));
 Redirect::page('dashboard');
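Review bot: The new allowlist check calls `in_array` without the strict flag, so `$_GET['file']` is matched against the backup names with loose `==`; because the list is built from trusted basenames this does not reopen the traversal, but strict comparison rules out numeric-string equalities (`"1e1" == "10"`) and costs nothing: `if (in_array($_GET['file'], $existingBackups, true)) {`. On the line above, `glob()` can return `false` instead of an empty array on some platforms, and `array_map('basename', false)` then raises a TypeError on PHP 8 (a warning on older versions); `glob(PATH_WORKSPACES.'backup/*.zip') ?: []` keeps that failure a clean "not found". When the requested name is not in the list the request now falls through with no alert and no response, which an admin may read as a broken download, so an `else` branch with an `Alert::set(...)` in the style of the permission branch would make the rejection explicit. The enclosing method starts before the hunk and continues past it.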