fixes for GHSA-85r3-mf4x-qp8f

Andy Miller
2020-11-30 16:22:39 -07:00
parent 5eb2e6375f
commit c32fa412b7
3 changed files with 5 additions and 8 deletions


@@ -1325,10 +1325,9 @@ class AdminController extends AdminBaseController
try {
if ($download) {
$file = base64_decode(urldecode($download));
$backups_root_dir = $this->grav['locator']->findResource('backup://', true);
if (0 !== strpos($file, $backups_root_dir)) {
$filename = basename(base64_decode(urldecode($download)));
$file = $this->grav['locator']->findResource("backup://{$filename}", true);
if (!$file) {
header('HTTP/1.1 401 Unauthorized');
exit();
}