Commit

Add basename to fix path traversal on backup download
giuscris committed Oct 30, 2022
1 parent 09b0138 commit c5b7376
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion admin/src/Controllers/Backup.php
Expand Up @@ -37,7 +37,7 @@ public function make(): void
public function download(RouteParams $params): void
{
$this->ensurePermission('backup.download');
$file = $this->option('backup.path') . base64_decode($params->get('backup'));
$file = $this->option('backup.path') . basename(base64_decode($params->get('backup')));
try {
if (FileSystem::isFile($file, false)) {
HTTPResponse::download($file);
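Review bot: On the changed `$file = ...` line, basename() removes the directory components, but the decoded value is still accepted without validation. base64_decode() is called without its strict flag, so malformed input is silently tolerated, and a decoded value of an empty string, `.` or `..` survives basename() unchanged, leaving `$file` equal to the backup directory or its parent and relying on `FileSystem::isFile($file, false)` to turn it away. I would decode with `base64_decode($value, true)`, reject a `false` or empty result and the names `.` and `..`, and return an error when `basename($decoded) !== $decoded` rather than quietly rewriting the request, which also makes traversal attempts visible in logs. Since the path is built by plain concatenation, it is also worth confirming that `backup.path` always ends with a directory separator, and adding a regression test that requests an encoded `../` name.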