From e4070117c32da48af08482812392245d1d597678 Mon Sep 17 00:00:00 2001
From: ryan
Date: Mon, 25 Sep 2006 01:48:48 +0000
Subject: [PATCH] Validate backup and fragment files. Don't allow traversal.
git-svn-id: http://svn.automattic.com/wordpress/branches/2.0@4226 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-content/plugins/wp-db-backup.php | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/wp-content/plugins/wp-db-backup.php b/wp-content/plugins/wp-db-backup.php
index 4c92a7f608..e578a4518f 100644
--- a/wp-content/plugins/wp-db-backup.php
+++ b/wp-content/plugins/wp-db-backup.php
@@ -69,7 +69,8 @@ class wpdbBackup {
 $via = isset($_GET['via']) ? $_GET['via'] : 'http';
 $this->backup_file = $_GET['backup'];
-
+ $this->validate_file($this->backup_file);
+
 switch($via) {
 case 'smtp':
 case 'email':
@@ -95,6 +96,7 @@ class wpdbBackup {
 }
 if (isset($_GET['fragment'] )) {
 list($table, $segment, $filename) = explode(':', $_GET['fragment']);
+ $this->validate_file($filename);
 $this->backup_fragment($table, $segment, $filename);
 }
@@ -881,6 +883,18 @@ class wpdbBackup {
 return;
 } // wp_cron_db_backup
+
+ function validate_file($file) {
+ if (false !== strpos($file, '..'))
+ die(__("Cheatin' uh ?"));
+
+ if (false !== strpos($file, './'))
+ die(__("Cheatin' uh ?"));
+
+ if (':' == substr($file, 1, 1))
+ die(__("Cheatin' uh ?"));
+ }
+
 }
 function wpdbBackup_init() {
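Review bot: Only `$filename` is validated in the fragment branch, while `$table` and `$segment` come from the same user-controlled `fragment` parameter and are passed straight into backup_fragment; if that method uses `$table` in a query or as part of a path, it should be checked here against the set of tables the plugin already knows it backs up, and `$segment` coerced with `intval()`. backup_fragment is outside the hunk, so whether those values reach anything sensitive cannot be confirmed from here. Separately, `explode(':', ...)` on a value with fewer than three parts leaves `$filename` unset and validate_file is then run on a null value; testing `count()` of the exploded array and rejecting short input would make that case explicit instead of relying on a PHP notice.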
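Review bot: validate_file is a substring denylist, and an absolute path with a leading `/` or `\` contains none of `..`, `./` or a colon in the second position, so it passes all three tests; the name should instead be checked against what a generated backup file name looks like. An allowlist in the form `if ($file !== basename($file) || !preg_match('/^[A-Za-z0-9_-][A-Za-z0-9_.-]*$/', $file)) die(__("Cheatin' uh ?"));` replaces the three checks and also rejects backslashes, control bytes and a bare `..`, which the current tests do not all cover. The exact character class should be widened to match the names the plugin itself generates, which are defined outside this hunk. The function also has no header comment; a docblock stating that it terminates the request via `die()` for any value that is not a plain file name and otherwise returns nothing would make the contract clear to the two callers.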