diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6f8b3de4..f808dcf2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,9 +10,7 @@
 * Forward a `sid` to GPM when downloading a premium package
 1. [](#bugfix)
 * Escape page title in `pages` field
- * Fixed unused task RemoveMedia, it cannot be used directly anymore
- * Tightened checks when removing a media file
- * Removed unused parameter in file field
+ * Fixed backup download URL [GHSA-85r3-mf4x-qp8f](https://github.com/getgrav/grav-plugin-admin/security/advisories/GHSA-85r3-mf4x-qp8f)
 
 # v1.9.17
 ## 10/07/2020
diff --git a/classes/admincontroller.php b/classes/admincontroller.php
index 980f6e00..82c8ebc1 100644
--- a/classes/admincontroller.php
+++ b/classes/admincontroller.php
@@ -1325,10 +1325,9 @@ class AdminController extends AdminBaseController
 try {
 if ($download) {
- $file = base64_decode(urldecode($download));
- $backups_root_dir = $this->grav['locator']->findResource('backup://', true);
-
- if (0 !== strpos($file, $backups_root_dir)) {
+ $filename = basename(base64_decode(urldecode($download)));
+ $file = $this->grav['locator']->findResource("backup://{$filename}", true);
+ if (!$file) {
 header('HTTP/1.1 401 Unauthorized');
 exit();
 }
 
diff --git a/themes/grav/templates/forms/fields/backupshistory/backupshistory.html.twig b/themes/grav/templates/forms/fields/backupshistory/backupshistory.html.twig
index f8b1aa97..fc530226 100644
--- a/themes/grav/templates/forms/fields/backupshistory/backupshistory.html.twig
+++ b/themes/grav/templates/forms/fields/backupshistory/backupshistory.html.twig
@@ -19,7 +19,7 @@
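Review bot: The new `if (!$file)` check in the admincontroller.php hunk only rejects a lookup that returns nothing, so a `$download` value that decodes to an empty string, `.` or `..` yields a `$filename` that `basename()` passes through unchanged, and `findResource("backup://{$filename}", true)` can then resolve to an existing directory rather than a backup archive, which is truthy and skips the 401 branch; what the code after the hunk does with a directory path is not visible here. Tightening the guard to `if (!$file || !is_file($file)) {` rejects any non-file result, and `base64_decode(urldecode($download), true)` (strict mode) makes undecodable input return `false` instead of a best-effort string, which should be treated as the same error. It would also help to say in a comment above the lookup why only the basename is used, e.g. `// Only the archive name is trusted; the locator resolves it inside backup:// so no caller-supplied path components are honoured.` The enclosing try block and method start before and end after this hunk.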