Nemcio/Grav-Admin-Plugin
1
0
Fork 0
mirror of https://github.com/getgrav/grav-plugin-admin.git synced 2025-11-02 19:36:08 +01:00
Code Issues Packages Projects Releases Activity

Return 401 unauthorized and exit if trying to access a file outside the backups folder

Browse Source
This commit is contained in:
Flavio Copes
2016-04-08 10:49:59 +02:00
parent f81f21e0ae
commit 9da5f5595a
1 changed files with 9 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
classes/controller.php
View File

@@ -622,7 +622,15 @@ class AdminController
$download = $this->grav['uri']->param('download'); $download = $this->grav['uri']->param('download');
if ($download) { if ($download) {
Utils::download(base64_decode(urldecode($download)), true); $file = base64_decode(urldecode($download));
$backups_root_dir = $this->grav['locator']->findResource('backup://', true);
if (substr($file, 0, strlen($backups_root_dir)) !== $backups_root_dir) {
header('HTTP/1.1 401 Unauthorized');
exit();
}
Utils::download($file, true);
} }
$log = JsonFile::instance($this->grav['locator']->findResource("log://backup.log", true, true)); $log = JsonFile::instance($this->grav['locator']->findResource("log://backup.log", true, true));