github/myvesta
1
0
Fork 0
mirror of https://github.com/myvesta/vesta synced 2025-08-14 02:28:05 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions

Strict backup filename check.

Browse source
This commit is contained in:
Flat 2015-11-23 23:37:01 +09:00
commit dac0b5c686
1 changed files with 1 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

2
web/download/backup/index.php
View file

@ -13,7 +13,7 @@ if ($_SESSION['user'] == 'admin') {
}
if ((!empty($_SESSION['user'])) && ($_SESSION['user'] != 'admin')) {
if (preg_match("/^".$user."/i", $backup)) {
if (strpos($backup, $user.'.') === 0) {
header('Content-type: application/gzip');
header("Content-Disposition: attachment; filename=\"".$backup."\";" );
header("X-Accel-Redirect: /backup/" . $backup);