author | Renato Botelho <garga@FreeBSD.org> | 2014-06-17 13:46:01 -0300 |
committer | Renato Botelho <garga@FreeBSD.org> | 2014-06-17 13:47:46 -0300 |
commit | 62480a449efcbce74a48fbe7064193acd0290650 (patch) | |
tree | a15931bbb34f5d923c32c6ffaeb789c678517c2e | |
parent | 7be297a2cea1957f969e0bf95df93e993958016f (diff) | |
Avoid directory traversal on restorefullbackup
-rwxr-xr-x | usr/local/www/system_firmware_restorefullbackup.php | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/usr/local/www/system_firmware_restorefullbackup.php b/usr/local/www/system_firmware_restorefullbackup.php
index d671fc2..6fa7041 100755
--- a/usr/local/www/system_firmware_restorefullbackup.php
+++ b/usr/local/www/system_firmware_restorefullbackup.php
@@ -59,9 +59,9 @@ if($_GET['backupnow']) mwexec_bg("/etc/rc.create_full_backup");
 if($_GET['downloadbackup']) {
- $filename = $_GET['downloadbackup'];
+ $filename = basename($_GET['downloadbackup']);
 $path = "/root/{$filename}";
- if(file_exists("/root/{$filename}")) {
+ if(file_exists($path)) {
 session_write_close();
 ob_end_clean();
 session_cache_limiter('public'); |
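Review bot: The new `file_exists($path)` check still accepts directories, so the values `basename()` can still yield — `.`, `..`, or an empty string from a trailing-slash input — all resolve to `/root`, `/root/.` or `/root/..` and pass the guard before the download code that follows. Replacing the check with `if($filename !== '' && $filename !== '.' && $filename !== '..' && is_file($path)) {` restricts the branch to regular files inside `/root`; if the backup files follow a fixed naming pattern, matching the name against that pattern would be tighter still, but the pattern is not visible here. `basename()` is the right call for stripping path components, so the traversal fix itself looks correct. The `if($_GET['downloadbackup'])` block continues past the end of the hunk, so what is done with `$path` afterwards (readfile or similar) is not visible for review.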