Fix possible remote code execution attack

Author: pbek

service/backupservice.php

@@ -297,6 +297,11 @@ public function doRestoreTable( $timestamp, $table )
             return false;
         }
 
+        if ( preg_match( '/[\.\/]/', $table ) )
+        {
+            throw new Exception( "Invalid table name: $table" );
+        }
+
         // get the table structure file name
         $structureFile = $this->configService->getBackupBaseDirectory() . "/$timestamp/$table/structure.xml";
 

tests/integration/BackupIntegrationTest.php

@@ -91,6 +91,12 @@ public function testRestore() {
         $tableExists = $this->db->tableExists( self::TEST_TABLE_NO_PREFIX );
         $this->assertFalse( $tableExists );
 
+        // restore forged table
+        $timestamp = $timestampList[0];
+        $tableList = ["../../admin/files"];
+        // this should throw an exception
+        $this->backupService->doRestoreTables( $timestamp, $tableList );
+
         // restore table
         $timestamp = $timestampList[0];
         $tableList = [self::TEST_TABLE];