X-Git-Url: http://git.ipfire.org/?p=ipfire-2.x.git;a=blobdiff_plain;f=html%2Fcgi-bin%2Fbackup.cgi;h=cac4146ab94e59e5ab93e3c06ce763b5045435c7;hp=1c54602da991eef22b925c437a7aad67cca9ce3e;hb=9e9b477d7c4fbad483f6307cf63bf475dd79141b;hpb=4ede29562fce127f88c20cec3bcdf9c6ac5bb988

diff --git a/html/cgi-bin/backup.cgi b/html/cgi-bin/backup.cgi
index 1c54602da9..cac4146ab9 100644
--- a/html/cgi-bin/backup.cgi
+++ b/html/cgi-bin/backup.cgi
@@ -24,6 +24,7 @@ use strict;
 #use warnings;
 #use CGI::Carp 'fatalsToBrowser';
 use File::Copy;
+use File::Basename;
 
 require '/var/ipfire/general-functions.pl';
 require "${General::swroot}/lang.pl";
@@ -58,44 +59,25 @@ system("/usr/local/bin/backupctrl makedirs >/dev/null 2>&1 ") unless ( -e '/var/
 ############################################################################################################################
 ############################################## System calls ohne Http Header ###############################################
 
-# Replace slashes from filename
-$cgiparams{'FILE'} =~ s/\///;
-
-if ( $cgiparams{'ACTION'} eq "download" )
-{
-		open(DLFILE, "</var/ipfire/backup/$cgiparams{'FILE'}") or die "Unable to open $cgiparams{'FILE'}: $!";
-		my @fileholder = <DLFILE>;
-		print "Content-Type:application/x-download\n";
-		my @fileinfo = stat("/var/ipfire/backup/$cgiparams{'FILE'}");
-		print "Content-Length:$fileinfo[7]\n";
-		print "Content-Disposition:attachment;filename=$cgiparams{'FILE'}\n\n";
-		print @fileholder;
-		exit (0);
-}
-if ( $cgiparams{'ACTION'} eq "downloadiso" )
-{
-		open(DLFILE, "</var/tmp/backupiso/$cgiparams{'FILE'}") or die "Unable to open $cgiparams{'FILE'}: $!";
-		my @fileholder = <DLFILE>;
-		print "Content-Type:application/x-download\n";
-		my @fileinfo = stat("/var/tmp/backupiso/$cgiparams{'FILE'}");
-		print "Content-Length:$fileinfo[7]\n";
-		print "Content-Disposition:attachment;filename=$cgiparams{'FILE'}\n\n";
-		print @fileholder;
-		exit (0);
-}
-if ( $cgiparams{'ACTION'} eq "downloadaddon" )
-{
-		open(DLFILE, "</var/ipfire/backup/addons/backup/$cgiparams{'FILE'}") or die "Unable to open $cgiparams{'FILE'}: $!";
-		my @fileholder = <DLFILE>;
-		print "Content-Type:application/x-download\n";
-		my @fileinfo = stat("/var/ipfire/backup/addons/backup/$cgiparams{'FILE'}");
-		print "Content-Length:$fileinfo[7]\n";
-		print "Content-Disposition:attachment;filename=$cgiparams{'FILE'}\n\n";
-		print @fileholder;
-		exit (0);
-}
-elsif ( $cgiparams{'ACTION'} eq "restore" )
-{
+if ($cgiparams{'ACTION'} eq "download") {
+		my $file = &sanitise_file($cgiparams{'FILE'});
+		exit(1) unless defined($file);
+
+		&deliver_file($file);
+		exit(0);
+} elsif ($cgiparams{'ACTION'} eq "downloadiso") {
+		my $file = &sanitise_file($cgiparams{'FILE'});
+		exit(1) unless defined($file);
+
+		&deliver_file($file);
+		exit(0);
+} elsif ($cgiparams{'ACTION'} eq "downloadaddon") {
+		my $file = &sanitise_file($cgiparams{'FILE'});
+		exit(1) unless defined($file);
+
+		&deliver_file($file);
+		exit(0);
+} elsif ( $cgiparams{'ACTION'} eq "restore") {
 		my $upload = $a->param("UPLOAD");
 		open UPLOADFILE, ">/tmp/restore.ipf";
 		binmode $upload;
@@ -142,11 +124,20 @@ if ( $cgiparams{'ACTION'} eq "backup" )
 }
 if ( $cgiparams{'ACTION'} eq "addonbackup" )
 {
+	# Exit if there is any dots or slashes in the addon name
+	exit(1) if ($cgiparams{'ADDON'} =~ /(\.|\/)/);
+
+	# Check if the addon exists
+	exit(1) unless (-e "/var/ipfire/backup/addons/includes/$cgiparams{'ADDON'}");
+
 	system("/usr/local/bin/backupctrl addonbackup $cgiparams{'ADDON'} >/dev/null 2>&1");
 }
 elsif ( $cgiparams{'ACTION'} eq "delete" )
 {
-	system("/usr/local/bin/backupctrl $cgiparams{'FILE'} >/dev/null 2>&1");
+	my $file = &sanitise_file($cgiparams{'FILE'});
+	exit(1) unless defined($file);
+
+	system("/usr/local/bin/backupctrl $file >/dev/null 2>&1");
 }
 
 ############################################################################################################################
@@ -166,7 +157,7 @@ if ( -e "/var/tmp/backupiso/" ){
 	@backupisos = `cd /var/tmp/backupiso/ && ls *.iso 2>/dev/null`;
 }
 
-&Header::openbox('100%', 'center', $Lang::tr{'backup'});
+&Header::openbox('100%', 'center', );
 
 print <<END
 <form method='post' action='$ENV{'SCRIPT_NAME'}'>
@@ -273,7 +264,7 @@ print <<END
 	<td align='right' width='5'>
 		<form method='post' action='$ENV{'SCRIPT_NAME'}'>
 		<input type='hidden' name='ACTION' value='delete' />
-		<input type='hidden' name='FILE' value='addons//backup/$_.ipf' />
+		<input type='hidden' name='FILE' value='$_.ipf' />
 		<input type='image' alt='$Lang::tr{'delete'}' title='$Lang::tr{'delete'}' src='/images/user-trash.png' />
 		</form>
 	</td>
@@ -312,7 +303,7 @@ print <<END
 	<td align='right' width='5'>
 		<form method='post' action='$ENV{'SCRIPT_NAME'}'>
 		<input type='hidden' name='ACTION' value='delete' />
-		<input type='hidden' name='FILE' value='addons//backup/$_.ipf' />
+		<input type='hidden' name='FILE' value='$_.ipf' />
 		<input type='image' alt='$Lang::tr{'delete'}' title='$Lang::tr{'delete'}' src='/images/user-trash.png' />
 		</form>
 	</td>
@@ -340,3 +331,41 @@ END
 &Header::closebox();
 &Header::closebigbox();
 &Header::closepage();
+
+sub sanitise_file() {
+	my $file = shift;
+
+	# Filenames cannot contain any slashes
+	return undef if ($file =~ /\//);
+
+	# File must end with .ipf or .iso
+	return undef unless ($file =~ /\.(ipf|iso)$/);
+
+	# Convert to absolute path
+	if (-e "/var/ipfire/backup/$file") {
+		return "/var/ipfire/backup/$file";
+	} elsif (-e "/var/ipfire/backup/addons/backup/$file") {
+		return "/var/ipfire/backup/addons/backup/$file";
+	} elsif (-e "/var/tmp/backupiso/$file") {
+		return "/var/tmp/backupiso/$file";
+	}
+
+	# File does not seem to exist
+	return undef;
+}
+
+sub deliver_file() {
+	my $file = shift;
+	my @stat = stat($file);
+
+	# Print headers
+	print "Content-Disposition: attachment; filename=" . &File::Basename::basename($file) . "\n";
+	print "Content-Type: application/octet-stream\n";
+	print "Content-Length: $stat[7]\n";
+	print "\n";
+
+	# Deliver content
+	open(FILE, "<$file") or die "Unable to open $file: $!";
+	print <FILE>;
+	close(FILE);
+}