Merge pull request hestiacp#506 from Flatta/fix-sec-backup

serghey-rodin · serghey-rodin · commit 4dce22cd773b · 2015-12-11T21:48:23.000+02:00
Fix hestiacp#505: Strict backup filename check.
diff --git a/web/download/backup/index.php b/web/download/backup/index.php
@@ -13,7 +13,7 @@
 }
 
 if ((!empty($_SESSION['user'])) && ($_SESSION['user'] != 'admin')) {
-    if (preg_match("/^".$user."/i", $backup)) {
+    if (strpos($backup, $user.'.') === 0) {
         header('Content-type: application/gzip');
         header("Content-Disposition: attachment; filename=\"".$backup."\";" ); 
         header("X-Accel-Redirect: /backup/" . $backup);

Original file line number	Diff line number	Diff line change
`@@ -13,7 +13,7 @@`
`13`	`13`	`}`
`14`	`14`
`15`	`15`	`if ((!empty($_SESSION['user'])) && ($_SESSION['user'] != 'admin')) {`
`16`		`- if (preg_match("/^".$user."/i", $backup)) {`
	`16`	`+ if (strpos($backup, $user.'.') === 0) {`
`17`	`17`	`header('Content-type: application/gzip');`
`18`	`18`	`header("Content-Disposition: attachment; filename=\"".$backup."\";" );`
`19`	`19`	`header("X-Accel-Redirect: /backup/" . $backup);`