Nemcio/Grav-Admin-Plugin
1
0
Fork 0
mirror of https://github.com/getgrav/grav-plugin-admin.git synced 2025-11-04 20:36:03 +01:00
Code Issues Packages Projects Releases Activity

Check that backup file ends with .zip in case if there are other files in the backup folder

Browse Source
This commit is contained in:
Matias Griese
2020-12-01 09:01:41 +02:00
parent 24e7d154f1
commit 9483b98be8
1 changed files with 10 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
classes/admincontroller.php
View File

@@ -1327,7 +1327,7 @@ class AdminController extends AdminBaseController
if ($download) {
$filename = basename(base64_decode(urldecode($download)));
$file = $this->grav['locator']->findResource("backup://{$filename}", true);
if (!$file) {
if (!$file || !Utils::endsWith($filename, '.zip', false)) {
header('HTTP/1.1 401 Unauthorized');
exit();
}
@@ -1350,8 +1350,6 @@ class AdminController extends AdminBaseController
$url = rtrim($this->grav['uri']->rootUrl(false), '/') . '/' . trim($this->admin->base,
'/') . '/task' . $param_sep . 'backup/download' . $param_sep . $download . '/admin-nonce' . $param_sep . Utils::getNonce('admin-form');
$this->admin->json_response = [
'status' => 'success',
'message' => $this->admin::translate('PLUGIN_ADMIN.YOUR_BACKUP_IS_READY_FOR_DOWNLOAD') . '. <a href="' . $url . '" class="button">' . $this->admin::translate('PLUGIN_ADMIN.DOWNLOAD_BACKUP') . '</a>',
@@ -1382,7 +1380,7 @@ class AdminController extends AdminBaseController
$filename = basename(base64_decode(urldecode($backup)));
$file = $this->grav['locator']->findResource("backup://{$filename}", true);
if ($file) {
if ($file && Utils::endsWith($filename, '.zip', false)) {
unlink($file);
$this->admin->json_response = [
@@ -1392,13 +1390,16 @@ class AdminController extends AdminBaseController
'closeButton' => true
]
];
} else {
$this->admin->json_response = [
'status' => 'error',
'message' => $this->admin::translate('PLUGIN_ADMIN.BACKUP_NOT_FOUND'),
];
return true;
}
}
$this->admin->json_response = [
'status' => 'error',
'message' => $this->admin::translate('PLUGIN_ADMIN.BACKUP_NOT_FOUND'),
];
return true;
}