N°2538 check path validity little improvements

* ajax-backup : change code to be more readable
* does a realpath() call on basepath to avoid troubles when havin '/' on Windows

application/utils.inc.php

@@ -2112,12 +2112,14 @@ class utils
 	 */
 	final public static function RealPath($sPath, $sBasePath)
 	{
+		$sRealBasePath = realpath($sBasePath); // avoid problems when having '/' on Windows for example
+
 		$sFileRealPath = realpath($sPath);
 		if ($sFileRealPath === false)
 		{
 			return false;
 		}
-		if (!self::StartsWith($sFileRealPath, $sBasePath))
+		if (!self::StartsWith($sFileRealPath, $sRealBasePath))
 		{
 			return false;
 		}

datamodels/2.x/itop-backup/ajax.backup.php

@@ -179,14 +179,12 @@ EOF
 			$sFile = utils::ReadParam('file', '', false, 'raw_data');
 			$oBackup = new DBBackupScheduled();
 			$sBackupDir = APPROOT.'data/backups/';
-			if ($sBackupFilePath = utils::RealPath($sBackupDir.$sFile, $sBackupDir))
-			{
-				$oBackup->DownloadBackup($sBackupFilePath);
-			}
-			else
+			$sBackupFilePath = utils::RealPath($sBackupDir.$sFile, $sBackupDir);
+			if ($sBackupFilePath === false)
 			{
 				throw new CoreUnexpectedValue('Invalid file path');
 			}
+			$oBackup->DownloadBackup($sBackupFilePath);
 			break;
 	}
 }

test/application/UtilsTest.php

@@ -83,6 +83,11 @@ class UtilsTest extends \Combodo\iTop\Test\UnitTest\ItopTestCase
 				$sItopRootPath.'application',
 				$sItopRootPath.'application'.$sSep.'utils.inc.php',
 			],
+			'basepath containing / and \\' => [
+				$sItopRootPath.'sources/form/form.class.inc.php',
+				$sItopRootPath.'sources/form\\form.class.inc.php',
+				$sItopRootPath.'sources'.$sSep.'form'.$sSep.'form.class.inc.php',
+			],
 		];
 	}
 }