From fdc6e191c270146c9e035f3687fae8506857f214 Mon Sep 17 00:00:00 2001
From: myvesta <38690722+myvesta@users.noreply.github.com>
Date: Sun, 14 Mar 2021 19:09:10 +0100
Subject: [PATCH] Restrict v-make-tmp-file to tmp folder Thanks to @hestiacp and @jaapmarcus
---
 web/api/index.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/web/api/index.php b/web/api/index.php
index 08f51fc9..949ac689 100644
--- a/web/api/index.php
+++ b/web/api/index.php
@@ -116,7 +116,7 @@ if (isset($_POST['user']) || isset($_POST['hash'])) {
 // Check command
 if ($cmd == "'v-make-tmp-file'") {
 // Used in DNS Cluster
- $fp = fopen($_POST['arg2'], 'w');
+ $fp = fopen('/tmp/'.basename($_POST['arg2']), 'w');
 fwrite($fp, $_POST['arg1']."\n");
 fclose($fp);
 $return_var = 0;
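Review bot: The `fopen()` on the added line still opens with mode `'w'` and its result is never checked, so the confinement to `/tmp/` is only partial. `basename()` strips directory components, but the caller still chooses the file name, so any existing `/tmp` entry the PHP process can write gets truncated, and a symlink pre-created under that name by another local account would be followed out of `/tmp`. If the DNS-cluster callers always send a fresh name (not visible here), exclusive create closes both cases: `$fp = fopen('/tmp/'.basename($_POST['arg2']), 'x');`. Separately, `basename()` yields `''` or `'..'` for some inputs, `fopen()` then returns `false`, and the context lines still call `fwrite()`/`fclose()` and set `$return_var = 0`; guard with `if ($fp === false) { $return_var = 1; }` and write only otherwise. The enclosing `if` block begins and ends outside the hunk.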