From 24e7d154f1b2cbbdfb8de77595d75c4ca31c7a14 Mon Sep 17 00:00:00 2001
From: Andy Miller
Date: Mon, 30 Nov 2020 16:36:30 -0700
Subject: [PATCH] fixes GHSA-85r3-mf4x-qp8f

---
 CHANGELOG.md | 1 +
 classes/admincontroller.php | 11 ++++-------
 2 files changed, 5 insertions(+), 7 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 52f52787..65d54d03 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -14,6 +14,7 @@
 * Tightened checks when removing a media file [GHSA-945r-cjfm-642c](https://github.com/getgrav/grav-plugin-admin/security/advisories/GHSA-945r-cjfm-642c)
 * Removed unused parameter in file field [GHSA-945r-cjfm-642c](https://github.com/getgrav/grav-plugin-admin/security/advisories/GHSA-945r-cjfm-642c)
 * Fixed backup download URL [GHSA-vrvq-2pxg-rw5r](https://github.com/getgrav/grav-plugin-admin/security/advisories/GHSA-vrvq-2pxg-rw5r)
+ * Fixed deleting backup [GHSA-85r3-mf4x-qp8f](https://github.com/getgrav/grav-plugin-admin/security/advisories/GHSA-85r3-mf4x-qp8f)
 # v1.9.17
 ## 10/07/2020

diff --git a/classes/admincontroller.php b/classes/admincontroller.php
index 82c8ebc1..84544dbb 100644
--- a/classes/admincontroller.php
+++ b/classes/admincontroller.php
@@ -1372,7 +1372,6 @@ class AdminController extends AdminBaseController
 */
 protected function taskBackupDelete()
 {
- $param_sep = $this->grav['config']->get('system.param_sep', ':');
 if (!$this->authorizeTask('backup', ['admin.maintenance', 'admin.super'])) {
 return false;
 }
@@ -1380,13 +1379,11 @@ class AdminController extends AdminBaseController
 $backup = $this->grav['uri']->param('backup', null);
 if (null !== $backup) {
- $file = base64_decode(urldecode($backup));
- $backups_root_dir = $this->grav['locator']->findResource('backup://', true);
+ $filename = basename(base64_decode(urldecode($backup)));
+ $file = $this->grav['locator']->findResource("backup://{$filename}", true);
- $backup_path = $backups_root_dir . '/' . $file;
-
- if (file_exists($backup_path)) {
- unlink($backup_path);
+ if ($file) {
+ unlink($file);
 $this->admin->json_response = [
 'status' => 'success',
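Review bot: The new branch reports `'status' => 'success'` whether or not `unlink($file)` removed anything, because unlink's return value is never checked and `$file` is only tested for truthiness. A `backup` parameter that decodes to an empty string (base64_decode runs in its default lenient mode here, and basename('') is '') produces `findResource("backup://", true)`, which presumably resolves the backup root directory itself; unlink then fails with a warning on a directory while the client is still told the delete succeeded. I would decode strictly, reject an empty name, and gate the success response on a regular-file check and on unlink's result: `$filename = basename((string) base64_decode(urldecode($backup), true));`, `$file = $filename !== '' ? $this->grav['locator']->findResource("backup://{$filename}", true) : false;`, `if ($file && is_file($file) && unlink($file)) {`. Whether findResource could resolve a '.' or '..' name outside the backup root is not visible in this hunk and is worth confirming against the locator. taskBackupDelete begins in the previous hunk and its failure branch continues past the end of this one.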