Nemcio/Grav-Admin-Plugin
1
0
Fork 0
mirror of https://github.com/getgrav/grav-plugin-admin.git synced 2025-11-06 13:25:46 +01:00
Code Issues Packages Projects Releases Activity

fixes for GHSA-85r3-mf4x-qp8f

Browse Source
This commit is contained in:
Andy Miller
2020-11-30 16:22:39 -07:00
parent 5eb2e6375f
commit c32fa412b7
3 changed files with 5 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
CHANGELOG.md
View File

@@ -10,9 +10,7 @@
* Forward a `sid` to GPM when downloading a premium package * Forward a `sid` to GPM when downloading a premium package
1. [](#bugfix) 1. [](#bugfix)
* Escape page title in `pages` field * Escape page title in `pages` field
* Fixed unused task RemoveMedia, it cannot be used directly anymore * Fixed backup download URL [GHSA-85r3-mf4x-qp8f](https://github.com/getgrav/grav-plugin-admin/security/advisories/GHSA-85r3-mf4x-qp8f)
* Tightened checks when removing a media file
* Removed unused parameter in file field
# v1.9.17 # v1.9.17
## 10/07/2020 ## 10/07/2020

7
classes/admincontroller.php
View File

@@ -1325,10 +1325,9 @@ class AdminController extends AdminBaseController
try { try {
if ($download) { if ($download) {
$file = base64_decode(urldecode($download)); $filename = basename(base64_decode(urldecode($download)));
$backups_root_dir = $this->grav['locator']->findResource('backup://', true); $file = $this->grav['locator']->findResource("backup://{$filename}", true);
if (!$file) {
if (0 !== strpos($file, $backups_root_dir)) {
header('HTTP/1.1 401 Unauthorized'); header('HTTP/1.1 401 Unauthorized');
exit(); exit();
} }

2
themes/grav/templates/forms/fields/backupshistory/backupshistory.html.twig
View File

@@ -19,7 +19,7 @@
<td>{{ backup.title }}</td> <td>{{ backup.title }}</td>
<td class="right pad">{{ backup.size|nicefilesize }}</td> <td class="right pad">{{ backup.size|nicefilesize }}</td>
<td class="right pad nowrap" > <td class="right pad nowrap" >
<a class="button button-small hint--bottom" href="{{ grav.backups.getBackupDownloadUrl(backup.path, admin.base) }}" data-hint="Download"><i class="fa fa-download"></i></a> <a class="button button-small hint--bottom" href="{{ grav.backups.getBackupDownloadUrl(backup.filename, admin.base) }}" data-hint="Download"><i class="fa fa-download"></i></a>
<span class="button button-small danger hint--bottom" data-hint="Delete" data-backup data-ajax="{{ backup_delete }}"><i class="fa fa-close"></i></span> <span class="button button-small danger hint--bottom" data-hint="Delete" data-backup data-ajax="{{ backup_delete }}"><i class="fa fa-close"></i></span>
</td> </td>
</tr> </tr>