From c32fa412b7a7a0f67a5010e47e8b5e35f3d29705 Mon Sep 17 00:00:00 2001
From: Andy Miller
Date: Mon, 30 Nov 2020 16:22:39 -0700
Subject: [PATCH] fixes for GHSA-85r3-mf4x-qp8f

---
 CHANGELOG.md | 4 +---
 classes/admincontroller.php | 7 +++----
 .../forms/fields/backupshistory/backupshistory.html.twig | 2 +-
 3 files changed, 5 insertions(+), 8 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6f8b3de4..f808dcf2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,9 +10,7 @@
 * Forward a `sid` to GPM when downloading a premium package
 1. [](#bugfix)
 * Escape page title in `pages` field
- * Fixed unused task RemoveMedia, it cannot be used directly anymore
- * Tightened checks when removing a media file
- * Removed unused parameter in file field
+ * Fixed backup download URL [GHSA-85r3-mf4x-qp8f](https://github.com/getgrav/grav-plugin-admin/security/advisories/GHSA-85r3-mf4x-qp8f)
 
 # v1.9.17
 ## 10/07/2020
diff --git a/classes/admincontroller.php b/classes/admincontroller.php
index 980f6e00..82c8ebc1 100644
--- a/classes/admincontroller.php
+++ b/classes/admincontroller.php
@@ -1325,10 +1325,9 @@ class AdminController extends AdminBaseController
 
 try {
 if ($download) {
- $file = base64_decode(urldecode($download));
- $backups_root_dir = $this->grav['locator']->findResource('backup://', true);
-
- if (0 !== strpos($file, $backups_root_dir)) {
+ $filename = basename(base64_decode(urldecode($download)));
+ $file = $this->grav['locator']->findResource("backup://{$filename}", true);
+ if (!$file) {
 header('HTTP/1.1 401 Unauthorized');
 exit();
 }
diff --git a/themes/grav/templates/forms/fields/backupshistory/backupshistory.html.twig b/themes/grav/templates/forms/fields/backupshistory/backupshistory.html.twig
index f8b1aa97..fc530226 100644
--- a/themes/grav/templates/forms/fields/backupshistory/backupshistory.html.twig
+++ b/themes/grav/templates/forms/fields/backupshistory/backupshistory.html.twig
@@ -19,7 +19,7 @@
 {{ backup.title }} {{ backup.size|nicefilesize }} - +
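Review bot: The new guard `if (!$file)` in the admincontroller.php hunk only rejects a name the locator cannot resolve at all; when the decoded value is empty, `basename()` yields `''` and `findResource("backup://", true)` presumably resolves to the backup directory itself, which is truthy and passes the check even though it is not a downloadable file. Tighten it to `if ($filename === '' || !$file || !is_file($file)) {` so only a regular file inside the backup root reaches the download code, and pass `base64_decode($download, true)` so malformed input fails explicitly instead of being partially decoded. `basename('..')` is still `'..'`, and whether the locator normalises that segment is not visible here; the `is_file()` check on the resolved path is the cheap way to stop depending on it. The enclosing method starts and ends outside the hunk.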