Commit

Merge pull request #381 from getformwork/fix/backup-download-path-traversal

Add basename to fix path traversal on backup download
giuscris authored Oct 30, 2022
2 parents 09b0138 + c5b7376 commit dc1d6ca
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion admin/src/Controllers/Backup.php
Expand Up @@ -37,7 +37,7 @@ public function make(): void
public function download(RouteParams $params): void
{
$this->ensurePermission('backup.download');
$file = $this->option('backup.path') . base64_decode($params->get('backup'));
$file = $this->option('backup.path') . basename(base64_decode($params->get('backup')));
try {
if (FileSystem::isFile($file, false)) {
HTTPResponse::download($file);
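
Review bot: In download(), the new basename(base64_decode($params->get('backup'))) line strips directory components but still accepts any decoded value. base64_decode is called without its strict flag, so malformed input is decoded silently, and a result such as an empty string or ".." makes $file resolve to the backup directory itself or its parent, which leaves the rejection entirely to FileSystem::isFile($file, false). Consider decoding in strict mode, rejecting empty, "." and ".." names before building $file, and adding a one-line comment saying why basename is applied here. The commit changes only Backup.php, so a regression test that requests a backup parameter containing directory components would be worth adding alongside it.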