N°1933: Security hardening

setup/backup.class.inc.php

@@ -528,14 +528,21 @@ if (class_exists('ZipArchive')) // The setup must be able to start even if the "
 		 */
 		public function DownloadBackup($sFile)
 		{
-			header('Content-Description: File Transfer');
+			if (file_exists($sFile))
-			header('Content-Type: multipart/x-zip');
+			{
-			header('Content-Disposition: inline; filename="'.basename($sFile).'"');
+				header('Content-Description: File Transfer');
-			header('Expires: 0');
+				header('Content-Type: multipart/x-zip');
-			header('Cache-Control: must-revalidate');
+				header('Content-Disposition: inline; filename="'.basename($sFile).'"');
-			header('Pragma: public');
+				header('Expires: 0');
-			header('Content-Length: '.filesize($sFile));
+				header('Cache-Control: must-revalidate');
-			readfile($sFile);
+				header('Pragma: public');
+				header('Content-Length: '.filesize($sFile));
+				readfile($sFile) ;
+			}
+			else
+			{
+				throw new InvalidParameterException('Invalid file path'); 
+			}
 		}
 
 		/**