Avoid directory traversal on restorefullbackup

author: Renato Botelho <garga@FreeBSD.org> 2014-06-17 13:46:01 -0300
committer: Renato Botelho <garga@FreeBSD.org> 2014-06-17 13:47:29 -0300
commit: 5de32d520bc7eee5ef400951130eef8a5cec9a2f (patch)
tree: b01dc59204c38b034a9993190aa7cc0ab4d7b1df /usr/local/www/system_firmware_restorefullbackup.php
parent: b67cdd05abde74b43a2fa67b0d7ecb4769ae5ce3 (diff)
download: pfsense-5de32d520bc7eee5ef400951130eef8a5cec9a2f.zip
pfsense-5de32d520bc7eee5ef400951130eef8a5cec9a2f.tar.gz
1 files changed, 2 insertions, 2 deletions
diff --git a/usr/local/www/system_firmware_restorefullbackup.php b/usr/local/www/system_firmware_restorefullbackup.php
index 2cc57a0..7d635bf 100644
--- a/usr/local/www/system_firmware_restorefullbackup.php
+++ b/usr/local/www/system_firmware_restorefullbackup.php
@@ -59,9 +59,9 @@ if($_GET['backupnow'])
 	mwexec_bg("/etc/rc.create_full_backup");
 
 if($_GET['downloadbackup']) {
-	$filename = $_GET['downloadbackup'];
+	$filename = basename($_GET['downloadbackup']);
 	$path = "/root/{$filename}";
-	if(file_exists("/root/{$filename}")) {
+	if(file_exists($path)) {
 		session_write_close();
 		ob_end_clean();
 		session_cache_limiter('public');
author	Renato Botelho <garga@FreeBSD.org>	2014-06-17 13:46:01 -0300
committer	Renato Botelho <garga@FreeBSD.org>	2014-06-17 13:47:29 -0300
commit	5de32d520bc7eee5ef400951130eef8a5cec9a2f (patch)
tree	b01dc59204c38b034a9993190aa7cc0ab4d7b1df /usr/local/www/system_firmware_restorefullbackup.php
parent	b67cdd05abde74b43a2fa67b0d7ecb4769ae5ce3 (diff)
download	pfsense-5de32d520bc7eee5ef400951130eef8a5cec9a2f.zip pfsense-5de32d520bc7eee5ef400951130eef8a5cec9a2f.tar.gz