From 6ba1e4dd565125488b395cf57e0c49f1e85b4f5a Mon Sep 17 00:00:00 2001
From: ryan <ryan@1a063a9b-81f0-0310-95a4-ce76da25c4cd>
Date: Tue, 15 Aug 2006 01:07:51 +0000
Subject: [PATCH] Validate backup and fragment files. Don't allow traversal.

git-svn-id: http://svn.automattic.com/wordpress/trunk@4095 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-content/plugins/wp-db-backup.php | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/wp-content/plugins/wp-db-backup.php b/wp-content/plugins/wp-db-backup.php
index 9ba640672..ec5da7774 100644
--- a/wp-content/plugins/wp-db-backup.php
+++ b/wp-content/plugins/wp-db-backup.php
@@ -71,6 +71,7 @@ class wpdbBackup {
 			$via = isset($_GET['via']) ? $_GET['via'] : 'http';
 
 			$this->backup_file = $_GET['backup'];
+			$this->validate_file($this->backup_file);
 
 			switch($via) {
 			case 'smtp':
@@ -97,6 +98,7 @@ class wpdbBackup {
 		}
 		if (isset($_GET['fragment'] )) {
 			list($table, $segment, $filename) = explode(':', $_GET['fragment']);
+			$this->validate_file($filename);
 			$this->backup_fragment($table, $segment, $filename);
 		}
 
@@ -880,6 +882,18 @@ class wpdbBackup {
 
 		return;
 	} // wp_cron_db_backup
+
+	function validate_file($file) {
+		if (false !== strpos($file, '..'))
+			die(__("Cheatin' uh ?"));
+
+		if (false !== strpos($file, './'))
+			die(__("Cheatin' uh ?"));
+
+		if (':' == substr($file, 1, 1))
+			die(__("Cheatin' uh ?"));
+	}
+
 }
 
 function wpdbBackup_init() {