From 62480a449efcbce74a48fbe7064193acd0290650 Mon Sep 17 00:00:00 2001
From: Renato Botelho
Date: Tue, 17 Jun 2014 13:46:01 -0300
Subject: Avoid directory traversal on restorefullbackup

---
 usr/local/www/system_firmware_restorefullbackup.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'usr/local')

diff --git a/usr/local/www/system_firmware_restorefullbackup.php b/usr/local/www/system_firmware_restorefullbackup.php
index d671fc2..6fa7041 100755
--- a/usr/local/www/system_firmware_restorefullbackup.php
+++ b/usr/local/www/system_firmware_restorefullbackup.php
@@ -59,9 +59,9 @@
 if($_GET['backupnow'])
 mwexec_bg("/etc/rc.create_full_backup");
 if($_GET['downloadbackup']) {
- $filename = $_GET['downloadbackup'];
+ $filename = basename($_GET['downloadbackup']);
 $path = "/root/{$filename}";
- if(file_exists("/root/{$filename}")) {
+ if(file_exists($path)) {
 session_write_close();
 ob_end_clean();
 session_cache_limiter('public');
-- 
cgit v1.1
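Review bot: `basename()` on the first added line removes `../` components, but it still lets the request name any entry directly under `/root`, including `.` and `..` (`basename('..')` returns `..`, so `$path` becomes `/root/..`, which `file_exists()` on the second added line accepts because it is an existing directory). The check should at least require a regular file, `if(is_file($path)) {`, and preferably validate `$filename` against the naming scheme that `/etc/rc.create_full_backup` produces before touching the filesystem, e.g. `if (!preg_match('/^[A-Za-z0-9._-]+$/', $filename)) { /* reject */ }` — the exact pattern is not visible in this hunk, so it has to be confirmed against the backup script. A short comment above the new `basename()` line, `// Strip any directory component: only files created by rc.create_full_backup in /root may be served`, would make the intent of the fix clear to the next reader. The body of the `if($_GET['downloadbackup'])` block continues past the end of the hunk, so how `$path` and `$filename` are used afterwards (headers, read) cannot be reviewed here.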