Merge remote-tracking branch 'origin/support/2.5' into release/2.6

2026-05-17 06:18:44 +02:00 · 2019-01-09 17:24:54 +01:00
parent 340cacc691 0bce9c78ea
commit effaba42d0
3 changed files with 17 additions and 1 deletions
--- a/datamodels/2.x/itop-backup/ajax.backup.php
+++ b/datamodels/2.x/itop-backup/ajax.backup.php
@@ -184,7 +184,15 @@ EOF
 			$sFile = utils::ReadParam('file', '', false, 'raw_data');
 			$oBackup = new DBBackupScheduled();
 			$sBackupDir = APPROOT.'data/backups/';
-			$oBackup->DownloadBackup($sBackupDir.$sFile);
+			$sPathNoDotDotPattern = '/^((?!\/\.\.\/).)*$/';
+			if(preg_match($sPathNoDotDotPattern, $sBackupDir.$sFile) == 1)
+			{
+				$oBackup->DownloadBackup($sBackupDir.$sFile);
+			}
+			else
+			{
+				throw new InvalidParameterException('Invalid file path');
+			}
 			break;
 	}
 }
--- a/setup/phpcheck.php
+++ b/setup/phpcheck.php
@@ -0,0 +1,2 @@
+<?php
+echo '<h1>PHP works!</h1>';
--- a/setup/phpinfo.php
+++ b/setup/phpinfo.php
@@ -1,3 +1,9 @@
 <?php
+require_once('../approot.inc.php');
+
+require_once(APPROOT.'/application/startup.inc.php');
+
+require_once(APPROOT.'/application/loginwebpage.class.inc.php');
+LoginWebPage::DoLogin(true); // Check user rights and prompt if needed
 phpinfo();
 ?>