Release 4.0.2

wp-media · Nov 22, 2023 · d7a1804 · d7a1804
1 parent 3504e93
commit d7a1804
Show file tree

Hide file tree

Showing 10 changed files with 155 additions and 134 deletions.
diff --git a/backwpup.php b/backwpup.php
@@ -3,9 +3,9 @@
  * Plugin Name: BackWPup 
  * Plugin URI: http://backwpup.com
  * Description: WordPress Backup Plugin
- * Author: WP Media
- * Author URI: https://wp-media.me
- * Version: 4.0.1
+ * Author: WP MEDIA SAS
+ * Author URI: https://wp-media.me/
+ * Version: 4.0.2
  * Requires at least: 3.9
  * Requires PHP: 7.2
  * Text Domain: backwpup

diff --git a/changelog.txt b/changelog.txt
@@ -1,4 +1,9 @@
 == Changelog ==
+= 4.0.2 =
+Release date: November 22, 2023
+
+* Fixed: Disallow backups or logs directories from being outside of wp-content directory for security purposes
+
 = 4.0.1 =
 Release date: October 18, 2023
 

diff --git a/inc/class-destination-folder.php b/inc/class-destination-folder.php
@@ -91,7 +91,9 @@ public function edit_form_post_save(int $jobid): void
         $backup_dir = trim(sanitize_text_field($_POST['backupdir']));
 
         try {
-            $backup_dir = trailingslashit(self::normalizePath(BackWPup_Path_Fixer::slashify($backup_dir)));
+            $backup_dir = trailingslashit(
+                BackWPup_File::normalize_path(BackWPup_Path_Fixer::slashify($backup_dir))
+            );
         } catch (\InvalidArgumentException $e) {
             $backup_dir = self::getDefaultBackupsDirectory();
         }
@@ -301,27 +303,4 @@ private static function getDefaultBackupsDirectory()
 
         return str_replace($content_path, '', $backups_dir);
     }
-
-    private static function normalizePath($path)
-    {
-        $parts = explode('/', $path);
-        $normalized = [];
-
-        foreach ($parts as $part) {
-            if ($part === '..') {
-                if (empty($normalized)) {
-                    throw new InvalidArgumentException('Invalid path: Attempting to navigate above the root directory.');
-                }
-                array_pop($normalized);
-            } elseif ($part !== '.' && $part !== '') {
-                $normalized[] = $part;
-            }
-        }
-
-        if (empty($normalized)) {
-            throw new \InvalidArgumentException('The path resolves to an empty path.');
-        }
-
-        return implode('/', $normalized);
-    }
 }
diff --git a/inc/class-file.php b/inc/class-file.php
@@ -200,6 +200,40 @@ public static function check_folder($folder, $donotbackup = false)
         return '';
     }
 
+    /**
+     * @throws InvalidArgumentException If path is absolute or attempts to navigate above root
+     *
+     * @return string[]
+     */
+    public static function normalize_path(string $path): string
+    {
+        if (strpos($path, '/') === 0) {
+            throw new InvalidArgumentException('Absolute paths are not allowed.');
+        }
+
+        $parts = explode('/', $path);
+        $normalized = [];
+
+        foreach ($parts as $part) {
+            if ($part === '..') {
+                if (empty($normalized)) {
+                    throw new InvalidArgumentException(
+                        'Invalid path: Attempting to navigate above the root directory.'
+                    );
+                }
+                array_pop($normalized);
+            } elseif ($part !== '.' && $part !== '') {
+                $normalized[] = $part;
+            }
+        }
+
+        if (empty($normalized)) {
+            throw new InvalidArgumentException('The path resolves to an empty path.');
+        }
+
+        return implode('/', $normalized);
+    }
+
     /**
      * Resolve internal .. within a path.
      *

diff --git a/inc/class-page-settings.php b/inc/class-page-settings.php
@@ -445,16 +445,15 @@ public function save_post_form()
 
         update_site_option('backwpup_cfg_jobrunauthkey', $_POST['jobrunauthkey']);
 
-        $_POST['logfolder'] = trailingslashit(
-            str_replace('\\', '/', trim(stripslashes(sanitize_text_field($_POST['logfolder']))))
-        );
+        try {
+            $_POST['logfolder'] = trailingslashit(
+                BackWPup_File::normalize_path(BackWPup_Path_Fixer::slashify(sanitize_text_field($_POST['logfolder'])))
+            );
 
-        //set def. folders
-        if (empty($_POST['logfolder']) || $_POST['logfolder'] === '/') {
+            update_site_option('backwpup_cfg_logfolder', $_POST['logfolder']);
+        } catch (InvalidArgumentException $e) {
             delete_site_option('backwpup_cfg_logfolder');
             BackWPup_Option::default_site_options();
-        } else {
-            update_site_option('backwpup_cfg_logfolder', $_POST['logfolder']);
         }
 
         $authentication = get_site_option(