N°2538 generic method to check path validity

This commit is contained in:
Pierre Goiffon
2019-10-15 18:39:15 +02:00
parent d52254bbf0
commit 5e641f2273
2 changed files with 17 additions and 3 deletions


@@ -20,7 +20,6 @@
use ScssPhp\ScssPhp\Compiler;
/**
* Static class utils
*
@@ -2098,4 +2097,20 @@ class utils
final public static function EndsWith($haystack, $needle) {
return substr_compare($haystack, $needle, -strlen($needle)) === 0;
}
/**
* Checks that path does not contains illegal characters, like '../'
*
* @param string $sPath
*
* @return bool true if path is allowed, false otherwise
*
* @since 2.7.0
*/
final public static function IsAllowedPath($sPath)
{
$sPathNoDotDotPattern = "/^((?![\/\\\\]\.\.[\/\\\\]).)*$/";
return preg_match($sPathNoDotDotPattern, $sPath) == 1;
}
}
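Review bot: The pattern on the `$sPathNoDotDotPattern` line only rejects `..` when a separator stands on both sides of it, so a path whose final component is `..` (no trailing separator) is accepted by `IsAllowedPath`, and a bare leading `../` is accepted too unless the caller prefixes a directory. Anchoring each side with a separator-or-boundary alternative covers both cases, and with the pattern turned positive the comparison must be strict so that a `preg_match` error (`false`) is not read as "no match": `$sPathNoDotDotPattern = "/(^|[\/\\\\])\.\.([\/\\\\]|$)/";` and `return preg_match($sPathNoDotDotPattern, $sPath) === 0;`. The docblock should also say what this check is and is not, e.g. `Textual filter for '..' path components; performs no canonicalisation, so callers needing containment in a base directory must still compare realpath() results.` The earlier hunk of this file (`@@ -20,7 +20,6 @@`) drops one line that the rendered page does not show, so it cannot be reviewed here.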


@@ -179,8 +179,7 @@ EOF
$sFile = utils::ReadParam('file', '', false, 'raw_data');
$oBackup = new DBBackupScheduled();
$sBackupDir = APPROOT.'data/backups/';
$sPathNoDotDotPattern = "/^((?![\/\\\\]\.\.[\/\\\\]).)*$/";
if(preg_match($sPathNoDotDotPattern, $sBackupDir.$sFile) == 1)
if (utils::IsAllowedPath($sBackupDir.$sFile))
{
$oBackup->DownloadBackup($sBackupDir.$sFile);
}
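Review bot: The `if (utils::IsAllowedPath($sBackupDir.$sFile))` line is a textual denylist on the concatenated string, not a containment check, and `$sFile` defaults to `''`, so an empty parameter passes the check and `DownloadBackup` is called with the directory itself; whether `DownloadBackup` tolerates that is not visible in the hunk. A containment check on the resolved path is the robust complement to the new helper: `$sRealDir = realpath($sBackupDir);` `$sRealFile = realpath($sBackupDir.$sFile);` `if ($sRealDir !== false && $sRealFile !== false && strpos($sRealFile, $sRealDir.DIRECTORY_SEPARATOR) === 0 && is_file($sRealFile))`. `is_file` also rejects the empty-parameter case, and the `IsAllowedPath` call can stay in front as a cheap first filter. The enclosing function and the `EOF` heredoc it follows start outside the hunk.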