author | Renato Botelho <garga@FreeBSD.org> | 2014-06-17 13:46:01 -0300 |
committer | Renato Botelho <garga@FreeBSD.org> | 2014-06-17 13:47:29 -0300 |
commit | 5de32d520bc7eee5ef400951130eef8a5cec9a2f (patch) | |
tree | b01dc59204c38b034a9993190aa7cc0ab4d7b1df /usr | |
parent | b67cdd05abde74b43a2fa67b0d7ecb4769ae5ce3 (diff) | |
Avoid directory traversal on restorefullbackup
Diffstat (limited to 'usr')
-rw-r--r-- | usr/local/www/system_firmware_restorefullbackup.php | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/usr/local/www/system_firmware_restorefullbackup.php b/usr/local/www/system_firmware_restorefullbackup.php
index 2cc57a0..7d635bf 100644
--- a/usr/local/www/system_firmware_restorefullbackup.php
+++ b/usr/local/www/system_firmware_restorefullbackup.php
@@ -59,9 +59,9 @@ if($_GET['backupnow'])
 mwexec_bg("/etc/rc.create_full_backup");
 if($_GET['downloadbackup']) {
- $filename = $_GET['downloadbackup'];
+ $filename = basename($_GET['downloadbackup']);
 $path = "/root/{$filename}";
- if(file_exists("/root/{$filename}")) {
+ if(file_exists($path)) {
 session_write_close();
 ob_end_clean();
 session_cache_limiter('public'); |
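Review bot: basename() stops the path from escaping /root, but it still lets `.`, `..` or an empty name through, and for those `/root/..` or `/root/` is an existing directory that file_exists() on the new `if(file_exists($path))` line accepts; it also admits any direct child of /root, not only the archives written by /etc/rc.create_full_backup. Change the guard to `if(is_file($path)) {` so directories are rejected, and consider matching $filename against the archive name pattern that rc.create_full_backup produces (not visible on this page) before building $path. A non-string query value (an array parameter) makes basename() emit a warning and return an unusable value in PHP of this era, so an explicit `is_string($_GET['downloadbackup'])` check ahead of it would keep the rejection deliberate. The code that actually sends the file sits after the end of the hunk.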