--
TWiki:Main/PeterThoeny
- 2017-12-31
Fixes:
Index: lib/TWiki/Plugins/BackupRestorePlugin/Core.pm
===================================================================
--- lib/TWiki/Plugins/BackupRestorePlugin/Core.pm (revision 30410)
+++ lib/TWiki/Plugins/BackupRestorePlugin/Core.pm (working copy)
@@ -1,6 +1,6 @@
# Plugin for TWiki Enterprise Collaboration Platform, http://TWiki.org/
#
-# Copyright (C) 2011-2016 Peter Thoeny, peter[at]thoeny.org
+# Copyright (C) 2011-2018 Peter Thoeny, peter[at]thoeny.org
# and TWiki Contributors. All Rights Reserved. TWiki Contributors
# are listed in the AUTHORS file in the root of this distribution.
# NOTE: Please extend that file, not this notice.
@@ -117,7 +117,6 @@
my( $this, $params ) = @_;
my $action = $params->{action} || '';
- $this->{Debug} = 1 if( $action eq 'debug' );
$this->_clearError();
# script calling this script might pass an error message to display
$this->_setError( $params->{std_err} ) if( $params->{std_err} );
@@ -176,7 +175,6 @@
my( $this, $params ) = @_;
my $action = $params->{action} || 'usage';
- $this->{Debug} = 1 if( $action eq 'debug' );
$this->_writeDebug( "backuprestore, action=$action" );
my $text = '';
@@ -210,7 +208,7 @@
my $text = '';
$text .= "<pre>\n" if( $this->{ScriptType} eq 'cgi' );
$text .= "Backup and restore utility of TWiki's BackupRestorePlugin.\n";
- $text .= "Copyright 2011-2016 Peter[at]Thoeny.org and TWiki Contributors.\n";
+ $text .= "Copyright 2011-2018 Peter[at]Thoeny.org and TWiki Contributors.\n";
$text .= "Plugin home and documentation:\n";
$text .= " http://twiki.org/cgi-bin/view/Plugins/BackupRestorePlugin\n";
$text .= "Usage:\n";
@@ -303,7 +301,7 @@
sub _showBackupDetail {
my( $this, $params ) = @_;
- my $fileName = $params->{file} || '';
+ my $fileName = _sanitizeFileName( $params->{file} );
$this->_writeDebug( "_showBackupDetail file=$fileName" );
my $buDate = $fileName;
$buDate = '' unless( $buDate =~ s/[^0-9]*(.*?)-([0-9]+)-([0-9]+)\.zip/$1 $2:$3/ );
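Review bot: An empty `$fileName` is not rejected after `_sanitizeFileName` in the visible lines of `_showBackupDetail`, although a missing `file` parameter, or one made only of stripped characters, now yields `''`. The download handler later in this patch guards with `unless( $name )`, but no such check is visible in `_startRestore`, `_restoreFromBackup` or `_deleteBackup`, where the empty name is passed on to the daemon file text, `_untaintChecked` and `_deleteZip`. Each of these should call something like `$this->_setError( 'ERROR: Missing backup file name.' )` and return early when the name is empty. Except for `_deleteBackup`, these subs continue outside their hunks, so a check may exist further down.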
@@ -400,8 +398,12 @@
sub _debugBackup {
my( $this, $params ) = @_;
- my $text = "Debug BACKUPRESTORE, base web $this->{BaseWeb}";
- $text .= "<br /> " . $this->_testZipMethods();
+ my $text = "Debug BACKUPRESTORE";
+ if($this->{Debug}) {
+ $text .= "<br /> " . $this->_testZipMethods();
+ } else {
+ $text .= ": Sorry, {Plugins}{BackupRestorePlugin}{Debug} must be enabled in configure.\n";
+ }
return $text;
}
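Review bot: The new `if($this->{Debug}) {` in `_debugBackup` departs from the `if( ... )` spacing used by the other conditionals in this file, and nothing says why the self-test is gated. Write it as `if( $this->{Debug} ) {` and add a comment such as `# Run the zip self-tests only when Debug is set in configure; a request parameter must not be able to enable them`. The else branch also ends its message with `\n` while the other branch does not, which is harmless in HTML output but inconsistent.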
@@ -527,7 +529,7 @@
sub _startRestore {
my( $this, $params ) = @_;
- my $fileName = $params->{file} || '';
+ my $fileName = _sanitizeFileName( $params->{file} );
$this->_writeDebug( "_startRestore file=$fileName" );
$this->_makeDir( $this->{DaemonDir} ) unless( -e $this->{DaemonDir} );
@@ -543,7 +545,6 @@
} elsif( $daemonType > 1 ) {
$this->_setError( 'ERROR: Restore from backup is already in progress.' );
} else {
- my $fileName = $params->{file};
my $text = "file_name: " . $fileName . "\n"
. "type: 2-restore\n";
for my $key ( sort keys %$params ) {
@@ -613,8 +614,7 @@
sub _createBackup {
my( $this, $params ) = @_;
- my $name = $params->{file} || '';
- $name =~ s/[^0-9a-zA-Z_\-\.]//g;
+ my $name = _sanitizeFileName( $params->{file} );
$name = $this->_buildFileName() unless( $name );
$name = _untaintChecked( $name );
$this->_writeDebug( "_createBackup( $name )" ) if $this->{Debug};
@@ -678,8 +678,7 @@
sub _restoreFromBackup {
my( $this, $params ) = @_;
- my $name = $params->{file} || '';
- $name =~ s/[^0-9a-zA-Z_\-\.]//g;
+ my $name = _sanitizeFileName( $params->{file} );
$name = _untaintChecked( $name );
$this->_writeDebug( "_restoreFromBackup( $name )" ) if $this->{Debug};
@@ -858,8 +857,7 @@
my( $this, $params ) = @_;
my $text = '';
- my $name = $params->{file} || '';
- $name =~ s/[^0-9a-zA-Z_\-\.]//g;
+ my $name = _sanitizeFileName( $params->{file} );
$name = _untaintChecked( $name );
unless( $name ) {
print "Content-type: text/html\n\n" if( $this->{ScriptType} eq 'cgi' );
@@ -867,7 +865,7 @@
return $text;
}
- my $magic = $params->{magic};
+ my $magic = _sanitizeFileName( $params->{magic}, 1 );
if( $this->{ScriptType} eq 'cgi' && ! $this->_checkMagic( $magic ) ) {
print "Content-type: text/html\n\n";
$this->_setError( "NOTE: Only TWiki administrators can download backups" );
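Review bot: Passing `magic` through `_sanitizeFileName( $params->{magic}, 1 )` treats an authorization token as a file name and backslash-escapes its dots, which suggests that `_checkMagic` interpolates the value into a pattern; that sub is not in this hunk, so this is inferred. If so, quoting at the point of use with `\Q$magic\E`, or comparing with `eq`, is more robust than pre-escaping one metacharacter in the caller. `_checkMagic` should also return false for an empty `$magic`, because an empty pattern in Perl does not behave like a literal empty string. A short comment on this line saying why dots are escaped would help the next reader.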
@@ -907,8 +905,7 @@
sub _deleteBackup {
my( $this, $params ) = @_;
- my $name = $params->{file} || '';
- $name =~ s/[^0-9a-zA-Z_\-\.]//g;
+ my $name = _sanitizeFileName( $params->{file} );
return $this->_deleteZip( _untaintChecked( $name ) );
}
@@ -1083,7 +1080,7 @@
. join( "\n", $this->_listAllBackups() )
. "\n</pre>Error return: $this->{error} <p />\n";
- my $zip = 'twiki-backup-2016-01-18-19-33.zip';
+ my $zip = 'twiki-backup-2018-01-18-19-33.zip';
$this->{error} = '';
$text .= "<br />===== Test _createBackup( { file => $zip } )<pre>\n"
. $this->_createBackup( undef, { file => $zip } )
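Review bot: The renamed `$zip` never reaches `_createBackup` in this self-test, because the method call passes `undef` as its first argument while `_createBackup` unpacks `my( $this, $params ) = @_;`, so `$params` is undef and the hash holding `file => $zip` is dropped. The backup then appears to fall back to the `_buildFileName()` default, and the later `_unZip( $zip )` test would run against a file this test did not create. The call should read `$this->_createBackup( { file => $zip } )`. The enclosing sub starts and ends outside this hunk.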
@@ -1096,19 +1093,19 @@
chdir( $this->{BackupDir} );
$this->{error} = '';
- $text .= "<br />===== Test _unZip( $zip )<pre>\n"
- . $this->_unZip( $zip )
- . "\n</pre>Error return: $this->{error}\n";
+ $text .= "<br />===== Test _unZip( $zip )\n";
+ $this->_unZip( $zip );
+ $text .= "<br />Error return: $this->{error}\n";
# $this->{error} = '';
-# $text .= "<br />===== Test _deleteZip( $zip )<pre>\n"
-# . join( "\n", $this->_deleteZip( "$zip" ) )
-# . "\n</pre>Error return: $this->{error}\n";
+# $text .= "<br />===== Test _deleteZip( $zip )\n";
+# $this->_deleteZip( "$zip" );
+# $text .= "<br />Error return: $this->{error}\n";
$this->{error} = '';
- $text .= "<br />===== Test _deleteZip( not-exist-$zip )<pre>\n"
- . join( "\n", $this->_deleteZip( "not-exist-$zip" ) )
- . "\n</pre>Error return: $this->{error}\n";
+ $text .= "<br />===== Test _deleteZip( not-exist-$zip )\n";
+ $this->_deleteZip( "not-exist-$zip" );
+ $text .= "<br />Error return: $this->{error}\n";
return $text;
}
@@ -1343,6 +1340,16 @@
}
#==================================================================
+sub _sanitizeFileName {
+ my( $name, $escapeDot ) = @_;
+
+ $name ||= '';
+ $name =~ s/[^0-9a-zA-Z_\-\.]//go;
+ $name =~ s/\./\\\./go if( $escapeDot );
+ return $name;
+}
+
+#==================================================================
sub _getDirContent {
my( $dir ) = @_;
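Review bot: `_sanitizeFileName` removes path separators but still returns names made only of dots, or starting with `.` or `-`, because both characters are in its allow-list; the callers in this patch presumably join the result onto the backup directory. For the file-name case, adding `$name =~ s/^[.\-]+//;` after the first substitution closes that gap; stricter still would be to accept only names matching the plugin's `.zip` backup naming. The `/o` modifier has no effect on these constant patterns and can be dropped. The sub also needs a header comment stating that a true second argument backslash-escapes dots, and that the result is not untainted (callers still pass it to `_untaintChecked`). The following `_getDirContent` continues outside the hunk.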
Index: lib/TWiki/Plugins/BackupRestorePlugin.pm
===================================================================
--- lib/TWiki/Plugins/BackupRestorePlugin.pm (revision 30410)
+++ lib/TWiki/Plugins/BackupRestorePlugin.pm (working copy)
@@ -1,6 +1,6 @@
# Plugin for TWiki Enterprise Collaboration Platform, http://TWiki.org/
#
-# Copyright (C) 2011-2016 Peter Thoeny, peter[at]thoeny.org
+# Copyright (C) 2011-2018 Peter Thoeny, peter[at]thoeny.org
# and TWiki Contributors. All Rights Reserved. TWiki Contributors
# are listed in the AUTHORS file in the root of this distribution.
# NOTE: Please extend that file, not this notice.
@@ -26,7 +26,7 @@
#==================================================================
our $VERSION = '$Rev$';
-our $RELEASE = '2016-01-08';
+our $RELEASE = '2017-12-31';
our $SHORTDESCRIPTION = 'Administrator utility to backup, restore and upgrade a TWiki site';
our $NO_PREFS_IN_TOPIC = 1;
--
TWiki:Main.PeterThoeny
- 2017-12-31