Merge pull request #506 from Flatta/fix-sec-backup

Fix #505: Strict backup filename check.

web/download/backup/index.php

@@ -13,7 +13,7 @@ if ($_SESSION['user'] == 'admin') {
 }
 
 if ((!empty($_SESSION['user'])) && ($_SESSION['user'] != 'admin')) {
-    if (preg_match("/^".$user."/i", $backup)) {
+    if (strpos($backup, $user.'.') === 0) {
         header('Content-type: application/gzip');
         header("Content-Disposition: attachment; filename=\"".$backup."\";" ); 
         header("X-Accel-Redirect: /backup/" . $backup);