From 9da5f5595a425d02f89c5b988c70a854441be070 Mon Sep 17 00:00:00 2001
From: Flavio Copes
Date: Fri, 8 Apr 2016 10:49:59 +0200
Subject: [PATCH] Return 401 unauthorized and exit if trying to access a file outside the backups folder

---
 classes/controller.php | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/classes/controller.php b/classes/controller.php
index 971c111b..0bf902f4 100644
--- a/classes/controller.php
+++ b/classes/controller.php
@@ -622,7 +622,15 @@ class AdminController
 $download = $this->grav['uri']->param('download');
 if ($download) {
- Utils::download(base64_decode(urldecode($download)), true);
+ $file = base64_decode(urldecode($download));
+ $backups_root_dir = $this->grav['locator']->findResource('backup://', true);
+
+ if (substr($file, 0, strlen($backups_root_dir)) !== $backups_root_dir) {
+ header('HTTP/1.1 401 Unauthorized');
+ exit();
+ }
+
+ Utils::download($file, true);
 }
 $log = JsonFile::instance($this->grav['locator']->findResource("log://backup.log", true, true));
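Review bot: The new prefix check compares the raw base64-decoded string, so a value such as `$backups_root_dir . '/../../user/config/system.yaml'` still starts with the backups root and reaches `Utils::download`, and because the prefix has no trailing separator a sibling directory such as `<root>-old` passes too. Canonicalise both sides with `realpath()` (which also fails closed when either path does not exist) and compare against the root plus `DIRECTORY_SEPARATOR` before calling `Utils::download`. A rejected path is an authorization failure rather than a missing credential, so `403 Forbidden` fits better than `401 Unauthorized`, which also implies a `WWW-Authenticate` header the code does not send. The enclosing method begins and ends outside the hunk.
```php
if ($download) {
    // Resolve symlinks and "..": a raw string prefix check is bypassable.
    $file = realpath(base64_decode(urldecode($download)));
    $backups_root_dir = realpath($this->grav['locator']->findResource('backup://', true));

    // Fail closed on missing paths; require the trailing separator so a
    // sibling directory sharing the root's name as a prefix is rejected.
    if ($file === false || $backups_root_dir === false
        || strpos($file, $backups_root_dir . DIRECTORY_SEPARATOR) !== 0) {
        header('HTTP/1.1 403 Forbidden');
        exit();
    }

    Utils::download($file, true);
}
// … unchanged: backup log handling …
```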