From b23d839e027507c84c7061a52869bfea0191b48d Mon Sep 17 00:00:00 2001
From: Brandon Olivares <b.olivares@inpsyde.com>
Date: Tue, 12 Mar 2024 07:58:20 -0400
Subject: [PATCH] Release 4.0.4

---
 backwpup.php                        |   6 +-
 changelog.txt                       |   5 +
 inc/class-destination-folder.php    |   2 +-
 inc/class-file.php                  | 173 ++++++++++++++++------------
 inc/class-option.php                |   2 +-
 languages/backwpup.pot              |   6 +-
 vendor/autoload.php                 |   2 +-
 vendor/composer/autoload_real.php   |  10 +-
 vendor/composer/autoload_static.php |  12 +-
 vendor/composer/installed.php       |  12 +-
 10 files changed, 133 insertions(+), 97 deletions(-)

diff --git a/backwpup.php b/backwpup.php
index ca763137..73e78858 100755
--- a/backwpup.php
+++ b/backwpup.php
@@ -5,7 +5,7 @@
  * Description: WordPress Backup Plugin
  * Author: WP MEDIA SAS
  * Author URI: https://wp-media.me/
- * Version: 4.0.3
+ * Version: 4.0.4
  * Requires at least: 3.9
  * Requires PHP: 7.2
  * Text Domain: backwpup
@@ -243,14 +243,14 @@ public static function get_plugin_data($name = null)
                         '\\',
                         '/',
                         get_temp_dir()
-                    ) . 'backwpup-' . self::$plugin_data['hash'] . '/';
+                    ) . 'backwpup/' . self::$plugin_data['hash'] . '/';
                 } else {
                     $upload_dir = wp_upload_dir();
                     self::$plugin_data['temp'] = str_replace(
                         '\\',
                         '/',
                         $upload_dir['basedir']
-                    ) . '/backwpup-' . self::$plugin_data['hash'] . '-temp/';
+                    ) . '/backwpup/' . self::$plugin_data['hash'] . '/temp/';
                 }
                 self::$plugin_data['running_file'] = self::$plugin_data['temp'] . 'backwpup-working.php';
                 self::$plugin_data['url'] = plugins_url('', __FILE__);
diff --git a/changelog.txt b/changelog.txt
index e0a4730e..726f389c 100755
--- a/changelog.txt
+++ b/changelog.txt
@@ -1,4 +1,9 @@
 == Changelog ==
+= 4.0.4 =
+Release date: March 12, 2024
+
+* Fixed: Changed directory structure of BackWPup temporary files to prevent unauthorized access of database backup.
+
 = 4.0.3 =
 Release date: February 22, 2024
 
diff --git a/inc/class-destination-folder.php b/inc/class-destination-folder.php
index 61072292..487373fe 100644
--- a/inc/class-destination-folder.php
+++ b/inc/class-destination-folder.php
@@ -298,7 +298,7 @@ private static function getDefaultBackupsDirectory()
                 '/',
                 $upload_dir['basedir']
             )
-        ) . 'backwpup-' . BackWPup::get_plugin_data('hash') . '-backups/';
+        ) . 'backwpup/' . BackWPup::get_plugin_data('hash') . '/backups/';
         $content_path = trailingslashit(BackWPup_Path_Fixer::slashify((string) WP_CONTENT_DIR));
 
         return str_replace($content_path, '', $backups_dir);
diff --git a/inc/class-file.php b/inc/class-file.php
index ed6a11af..2e641510 100644
--- a/inc/class-file.php
+++ b/inc/class-file.php
@@ -47,14 +47,15 @@ public static function is_in_open_basedir($file)
         }
 
         $open_base_dirs = explode(PATH_SEPARATOR, $ini_open_basedir);
-        $file = trailingslashit(strtolower(str_replace('\\', '/', $file)));
+        $file = trailingslashit(strtolower(BackWPup_Path_Fixer::slashify($file)));
 
         foreach ($open_base_dirs as $open_base_dir) {
             if (empty($open_base_dir) || !realpath($open_base_dir)) {
                 continue;
             }
+
             $open_base_dir = realpath($open_base_dir);
-            $open_base_dir = strtolower(str_replace('\\', '/', $open_base_dir));
+            $open_base_dir = strtolower(BackWPup_Path_Fixer::slashify($open_base_dir));
             $part = substr($file, 0, strlen($open_base_dir));
             if ($part === $open_base_dir) {
                 return true;
@@ -100,8 +101,8 @@ public static function get_folder_size($folder)
      */
     public static function get_absolute_path($path = '/')
     {
-        $path = str_replace('\\', '/', $path);
-        $content_path = trailingslashit(str_replace('\\', '/', (string) WP_CONTENT_DIR));
+        $path = BackWPup_Path_Fixer::slashify($path);
+        $content_path = trailingslashit(BackWPup_Path_Fixer::slashify((string) WP_CONTENT_DIR));
 
         //use WP_CONTENT_DIR as root folder
         if (empty($path) || $path === '/') {
@@ -109,7 +110,7 @@ public static function get_absolute_path($path = '/')
         }
 
         //make relative path to absolute
-        if (substr($path, 0, 1) !== '/' && !preg_match('#^[a-zA-Z]:/#', $path)) {
+        if (substr($path, 0, 1) !== '/' && !preg_match('#^[a-zA-Z]+:/#', $path)) {
             $path = $content_path . $path;
         }
 
@@ -125,19 +126,18 @@ public static function get_absolute_path($path = '/')
      *
      * @return string with error message if one
      */
-    public static function check_folder($folder, $donotbackup = false)
+    public static function check_folder(string $folder, bool $donotbackup = false): string
     {
         $folder = self::get_absolute_path($folder);
         $folder = untrailingslashit($folder);
 
         //check that is not home of WP
         $uploads = self::get_upload_dir();
-        if ($folder === untrailingslashit(str_replace('\\', '/', (string) ABSPATH))
-             || $folder === untrailingslashit(str_replace('\\', '/', dirname((string) ABSPATH)))
-             || $folder === untrailingslashit(str_replace('\\', '/', (string) WP_PLUGIN_DIR))
-             || $folder === untrailingslashit(str_replace('\\', '/', (string) WP_CONTENT_DIR))
-             || $folder === untrailingslashit($uploads)
-             || $folder === '/'
+        if ($folder === untrailingslashit(BackWPup_Path_Fixer::slashify(ABSPATH))
+            || $folder === untrailingslashit(BackWPup_Path_Fixer::slashify(dirname(ABSPATH)))
+            || $folder === untrailingslashit(BackWPup_Path_Fixer::slashify(WP_PLUGIN_DIR))
+            || $folder === untrailingslashit(BackWPup_Path_Fixer::slashify(WP_CONTENT_DIR))
+            || $folder === untrailingslashit(BackWPup_Path_Fixer::slashify($uploads))
         ) {
             return sprintf(__('Folder %1$s not allowed, please use another folder.', 'backwpup'), $folder);
         }
@@ -147,54 +147,34 @@ public static function check_folder($folder, $donotbackup = false)
             return sprintf(__('Folder %1$s is not in open basedir, please use another folder.', 'backwpup'), $folder);
         }
 
-        //create folder if it not exists
-        if (!is_dir($folder)) {
-            if (!wp_mkdir_p($folder)) {
-                return sprintf(__('Cannot create folder: %1$s', 'backwpup'), $folder);
-            }
-        }
+        // We always want to at least process `$folder`
+        $foldersToProcess = [$folder];
+        $parentFolder = dirname($folder);
 
-        //check is writable dir
-        if (!is_writable($folder)) {
-            return sprintf(__('Folder "%1$s" is not writable', 'backwpup'), $folder);
+        while (!file_exists($parentFolder)) {
+            array_unshift($foldersToProcess, $parentFolder);
+            $parentFolder = dirname($parentFolder);
         }
 
-        //create files for securing folder
-        if (get_site_option('backwpup_cfg_protectfolders')) {
-            $server_software = strtolower((string) $_SERVER['SERVER_SOFTWARE']);
-            //IIS
-            if (strstr($server_software, 'microsoft-iis')) {
-                if (!file_exists($folder . '/Web.config')) {
-                    file_put_contents(
-                        $folder . '/Web.config',
-                        '<configuration>' . PHP_EOL .
-                        "\t<system.webServer>" . PHP_EOL .
-                        "\t\t<authorization>" . PHP_EOL .
-                        "\t\t\t<deny users=\"*\" />" . PHP_EOL .
-                        "\t\t</authorization>" . PHP_EOL .
-                        "\t</system.webServer>" . PHP_EOL .
-                        '</configuration>'
-                    );
-                }
-            } //Nginx
-            elseif (strstr($server_software, 'nginx')) {
-                if (!file_exists($folder . '/index.php')) {
-                    file_put_contents($folder . '/index.php', '<?php' . PHP_EOL . "header( \$_SERVER['SERVER_PROTOCOL'] . ' 404 Not Found' );" . PHP_EOL . "header( 'Status: 404 Not Found' );" . PHP_EOL);
-                }
-            } //Aapche and other
-            else {
-                if (!file_exists($folder . '/.htaccess')) {
-                    file_put_contents($folder . '/.htaccess', '<Files "*">' . PHP_EOL . '<IfModule mod_access.c>' . PHP_EOL . 'Deny from all' . PHP_EOL . '</IfModule>' . PHP_EOL . '<IfModule !mod_access_compat>' . PHP_EOL . '<IfModule mod_authz_host.c>' . PHP_EOL . 'Deny from all' . PHP_EOL . '</IfModule>' . PHP_EOL . '</IfModule>' . PHP_EOL . '<IfModule mod_access_compat>' . PHP_EOL . 'Deny from all' . PHP_EOL . '</IfModule>' . PHP_EOL . '</Files>');
-                }
-                if (!file_exists($folder . '/index.php')) {
-                    file_put_contents($folder . '/index.php', '<?php' . PHP_EOL . "header( \$_SERVER['SERVER_PROTOCOL'] . ' 404 Not Found' );" . PHP_EOL . "header( 'Status: 404 Not Found' );" . PHP_EOL);
-                }
+        // Process each child folder separately
+        foreach ($foldersToProcess as $childFolder) {
+            if (!is_dir($childFolder) && !wp_mkdir_p($childFolder)) {
+                return sprintf(__('Cannot create folder: %1$s', 'backwpup'), $childFolder);
+            }
+
+            if (!is_writable($childFolder)) {
+                return sprintf(__('Folder "%1$s" is not writable', 'backwpup'), $childFolder);
+            }
+
+            //create files for securing folder
+            if (get_site_option('backwpup_cfg_protectfolders')) {
+                self::protect_folder($childFolder);
             }
-        }
 
-        //Create do not backup file for this folder
-        if ($donotbackup && !file_exists($folder . '/.donotbackup')) {
-            file_put_contents($folder . '/.donotbackup', __('BackWPup will not backup folders and its sub folders when this file is inside.', 'backwpup'));
+            //Create do not backup file for this folder
+            if ($donotbackup) {
+                self::write_do_not_backup_file($childFolder);
+            }
         }
 
         return '';
@@ -202,8 +182,6 @@ public static function check_folder($folder, $donotbackup = false)
 
     /**
      * @throws InvalidArgumentException If path is absolute or attempts to navigate above root
-     *
-     * @return string[]
      */
     public static function normalize_path(string $path): string
     {
@@ -241,25 +219,78 @@ public static function normalize_path(string $path): string
      *
      * @return string The resolved path
      */
-    protected static function resolve_path($path)
+    protected static function resolve_path($path): string
     {
-        $search = explode('/', $path);
-        $append = [];
-        // If last element of $search is blank, this means trailing slash is present.
-        // realpath() will remove trailing slash, so append to $append to preserve.
-        if (empty($search[count($search) - 1])) {
-            array_unshift($append, array_pop($search));
-        }
+        $parts = explode('/', $path);
+        $resolvedParts = [];
 
-        while (realpath(implode('/', $search)) === false) {
-            array_unshift($append, array_pop($search));
+        foreach ($parts as $part) {
+            if ($part === '..') {
+                if (!empty($resolvedParts)) {
+                    array_pop($resolvedParts);
+                }
+            } elseif ($part === '.') {
+                continue;
+            } else {
+                $resolvedParts[] = $part;
+            }
         }
 
-        $path = realpath(implode('/', $search));
-        if (!empty($append)) {
-            $path .= '/' . implode('/', $append);
+        return implode('/', $resolvedParts);
+    }
+
+    private static function protect_folder(string $folder): void
+    {
+        $server_software = strtolower((string) $_SERVER['SERVER_SOFTWARE']);
+
+        if (strstr($server_software, 'microsoft-iis')) {
+            if (!file_exists($folder . '/Web.config')) {
+                file_put_contents(
+                    $folder . '/Web.config',
+                    '<configuration>' . PHP_EOL .
+                    "\t<system.webServer>" . PHP_EOL .
+                    "\t\t<authorization>" . PHP_EOL .
+                    "\t\t\t<deny users=\"*\" />" . PHP_EOL .
+                    "\t\t</authorization>" . PHP_EOL .
+                    "\t</system.webServer>" . PHP_EOL .
+                    '</configuration>'
+                );
+            }
+        } elseif (strstr($server_software, 'nginx')) {
+            if (!file_exists($folder . '/index.php')) {
+                file_put_contents(
+                    $folder . '/index.php',
+                    '<?php' . PHP_EOL . "header( \$_SERVER['SERVER_PROTOCOL'] . ' 404 Not Found' );" . PHP_EOL . "header( 'Status: 404 Not Found' );" . PHP_EOL
+                );
+            }
+        } else {
+            if (!file_exists($folder . '/.htaccess')) {
+                file_put_contents(
+                    $folder . '/.htaccess',
+                    '<Files "*">' . PHP_EOL . '<IfModule mod_access.c>' . PHP_EOL . 'Deny from all' . PHP_EOL . '</IfModule>' . PHP_EOL . '<IfModule !mod_access_compat>' . PHP_EOL . '<IfModule mod_authz_host.c>' . PHP_EOL . 'Deny from all' . PHP_EOL . '</IfModule>' . PHP_EOL . '</IfModule>' . PHP_EOL . '<IfModule mod_access_compat>' . PHP_EOL . 'Deny from all' . PHP_EOL . '</IfModule>' . PHP_EOL . '</Files>'
+                );
+            }
+            if (!file_exists($folder . '/index.php')) {
+                file_put_contents(
+                    $folder . '/index.php',
+                    '<?php' . PHP_EOL . "header( \$_SERVER['SERVER_PROTOCOL'] . ' 404 Not Found' );" . PHP_EOL . "header( 'Status: 404 Not Found' );" . PHP_EOL
+                );
+            }
         }
+    }
 
-        return $path;
+    private static function write_do_not_backup_file(string $folder): void
+    {
+        $doNotBackupFile = "{$folder}/.donotbackup";
+
+        if (!file_exists($doNotBackupFile)) {
+            file_put_contents(
+                $doNotBackupFile,
+                __(
+                    'BackWPup will not backup folders and its sub folders when this file is inside.',
+                    'backwpup'
+                )
+            );
+        }
     }
 }
diff --git a/inc/class-option.php b/inc/class-option.php
index 62aeacf2..43441f4c 100755
--- a/inc/class-option.php
+++ b/inc/class-option.php
@@ -36,7 +36,7 @@ public static function default_site_options()
             '\\',
             '/',
             $upload_dir['basedir']
-        )) . 'backwpup-' . BackWPup::get_plugin_data('hash') . '-logs/';
+        )) . 'backwpup/' . BackWPup::get_plugin_data('hash') . '/logs/';
         $content_path = trailingslashit(str_replace('\\', '/', (string) WP_CONTENT_DIR));
         $logs_dir = str_replace($content_path, '', $logs_dir);
         add_site_option('backwpup_cfg_logfolder', $logs_dir);
diff --git a/languages/backwpup.pot b/languages/backwpup.pot
index 3718bb87..030a547f 100644
--- a/languages/backwpup.pot
+++ b/languages/backwpup.pot
@@ -1317,15 +1317,15 @@ msgstr ""
 msgid "Folder %1$s is not in open basedir, please use another folder."
 msgstr ""
 
-#: inc/class-file.php:153
+#: inc/class-file.php:162
 msgid "Cannot create folder: %1$s"
 msgstr ""
 
-#: inc/class-file.php:159
+#: inc/class-file.php:166
 msgid "Folder \"%1$s\" is not writable"
 msgstr ""
 
-#: inc/class-file.php:197
+#: inc/class-file.php:289
 msgid "BackWPup will not backup folders and its sub folders when this file is inside."
 msgstr ""
 
diff --git a/vendor/autoload.php b/vendor/autoload.php
index b825207d..c8fdbad3 100644
--- a/vendor/autoload.php
+++ b/vendor/autoload.php
@@ -22,4 +22,4 @@
 
 require_once __DIR__ . '/composer/autoload_real.php';
 
-return ComposerAutoloaderInitb81f714672cab81745951e3983f718b7::getLoader();
+return ComposerAutoloaderInit302766cabed9741b63e4470141d39506::getLoader();
diff --git a/vendor/composer/autoload_real.php b/vendor/composer/autoload_real.php
index da9f9308..0d4a6c47 100644
--- a/vendor/composer/autoload_real.php
+++ b/vendor/composer/autoload_real.php
@@ -2,7 +2,7 @@
 
 // autoload_real.php @generated by Composer
 
-class ComposerAutoloaderInitb81f714672cab81745951e3983f718b7
+class ComposerAutoloaderInit302766cabed9741b63e4470141d39506
 {
     private static $loader;
 
@@ -24,20 +24,20 @@ public static function getLoader()
 
         require __DIR__ . '/platform_check.php';
 
-        spl_autoload_register(array('ComposerAutoloaderInitb81f714672cab81745951e3983f718b7', 'loadClassLoader'), true, true);
+        spl_autoload_register(array('ComposerAutoloaderInit302766cabed9741b63e4470141d39506', 'loadClassLoader'), true, true);
         self::$loader = $loader = new \Composer\Autoload\ClassLoader(\dirname(__DIR__));
-        spl_autoload_unregister(array('ComposerAutoloaderInitb81f714672cab81745951e3983f718b7', 'loadClassLoader'));
+        spl_autoload_unregister(array('ComposerAutoloaderInit302766cabed9741b63e4470141d39506', 'loadClassLoader'));
 
         $includePaths = require __DIR__ . '/include_paths.php';
         $includePaths[] = get_include_path();
         set_include_path(implode(PATH_SEPARATOR, $includePaths));
 
         require __DIR__ . '/autoload_static.php';
-        call_user_func(\Composer\Autoload\ComposerStaticInitb81f714672cab81745951e3983f718b7::getInitializer($loader));
+        call_user_func(\Composer\Autoload\ComposerStaticInit302766cabed9741b63e4470141d39506::getInitializer($loader));
 
         $loader->register(true);
 
-        $filesToLoad = \Composer\Autoload\ComposerStaticInitb81f714672cab81745951e3983f718b7::$files;
+        $filesToLoad = \Composer\Autoload\ComposerStaticInit302766cabed9741b63e4470141d39506::$files;
         $requireFile = \Closure::bind(static function ($fileIdentifier, $file) {
             if (empty($GLOBALS['__composer_autoload_files'][$fileIdentifier])) {
                 $GLOBALS['__composer_autoload_files'][$fileIdentifier] = true;
diff --git a/vendor/composer/autoload_static.php b/vendor/composer/autoload_static.php
index d34e31bd..31498e2b 100644
--- a/vendor/composer/autoload_static.php
+++ b/vendor/composer/autoload_static.php
@@ -4,7 +4,7 @@
 
 namespace Composer\Autoload;
 
-class ComposerStaticInitb81f714672cab81745951e3983f718b7
+class ComposerStaticInit302766cabed9741b63e4470141d39506
 {
     public static $files = array (
         '7b11c4dc42b3b3023073cb14e519683c' => __DIR__ . '/..' . '/ralouphie/getallheaders/src/getallheaders.php',
@@ -3217,11 +3217,11 @@ class ComposerStaticInitb81f714672cab81745951e3983f718b7
     public static function getInitializer(ClassLoader $loader)
     {
         return \Closure::bind(function () use ($loader) {
-            $loader->prefixLengthsPsr4 = ComposerStaticInitb81f714672cab81745951e3983f718b7::$prefixLengthsPsr4;
-            $loader->prefixDirsPsr4 = ComposerStaticInitb81f714672cab81745951e3983f718b7::$prefixDirsPsr4;
-            $loader->prefixesPsr0 = ComposerStaticInitb81f714672cab81745951e3983f718b7::$prefixesPsr0;
-            $loader->fallbackDirsPsr0 = ComposerStaticInitb81f714672cab81745951e3983f718b7::$fallbackDirsPsr0;
-            $loader->classMap = ComposerStaticInitb81f714672cab81745951e3983f718b7::$classMap;
+            $loader->prefixLengthsPsr4 = ComposerStaticInit302766cabed9741b63e4470141d39506::$prefixLengthsPsr4;
+            $loader->prefixDirsPsr4 = ComposerStaticInit302766cabed9741b63e4470141d39506::$prefixDirsPsr4;
+            $loader->prefixesPsr0 = ComposerStaticInit302766cabed9741b63e4470141d39506::$prefixesPsr0;
+            $loader->fallbackDirsPsr0 = ComposerStaticInit302766cabed9741b63e4470141d39506::$fallbackDirsPsr0;
+            $loader->classMap = ComposerStaticInit302766cabed9741b63e4470141d39506::$classMap;
 
         }, null, ClassLoader::class);
     }
diff --git a/vendor/composer/installed.php b/vendor/composer/installed.php
index ff58c342..b3ab0c47 100644
--- a/vendor/composer/installed.php
+++ b/vendor/composer/installed.php
@@ -1,9 +1,9 @@
 <?php return array(
     'root' => array(
         'name' => 'inpsyde/backwpup-pro',
-        'pretty_version' => 'dev-master',
-        'version' => 'dev-master',
-        'reference' => '7f26d0781b98a4118ec32a27f37002bbbbaf689b',
+        'pretty_version' => 'dev-develop',
+        'version' => 'dev-develop',
+        'reference' => '8a647b40d31fb5d9ad56677ad361eae5587e2326',
         'type' => 'wordpress-plugin',
         'install_path' => __DIR__ . '/../../',
         'aliases' => array(),
@@ -206,9 +206,9 @@
             'dev_requirement' => false,
         ),
         'inpsyde/backwpup-pro' => array(
-            'pretty_version' => 'dev-master',
-            'version' => 'dev-master',
-            'reference' => '7f26d0781b98a4118ec32a27f37002bbbbaf689b',
+            'pretty_version' => 'dev-develop',
+            'version' => 'dev-develop',
+            'reference' => '8a647b40d31fb5d9ad56677ad361eae5587e2326',
             'type' => 'wordpress-plugin',
             'install_path' => __DIR__ . '/../../',
             'aliases' => array(),