Fixed an RCE vulnerability

Author: brandonkelly

CHANGELOG.md

@@ -4,6 +4,7 @@
 
 - Fixed a bug where asset edit page URLs contained spaces if the asset filename contained spaces. ([#15236](https://github.com/craftcms/cms/issues/15236))
 - Fixed a bug where custom fields were getting included in rendered field layout forms, even if their `getInputHtml()` method returned an empty string.
+- Fixed an RCE vulnerability.
 
 ## 4.13.7 - 2024-12-17
 

src/controllers/UpdaterController.php

@@ -12,6 +12,7 @@
 use Composer\Semver\VersionParser;
 use Craft;
 use craft\errors\InvalidPluginException;
+use craft\helpers\FileHelper;
 use RequirementsChecker;
 use Throwable;
 use yii\web\BadRequestHttpException;
@@ -99,8 +100,13 @@ public function actionBackup(): Response
      */
     public function actionRestoreDb(): Response
     {
+        $backupPath = $this->data['dbBackupPath'];
+        if (!file_exists($backupPath) || !FileHelper::isWithin($backupPath, Craft::$app->getPath()->getDbBackupPath())) {
+            throw new BadRequestHttpException("Invalid backup path: $backupPath");
+        }
+
         try {
-            Craft::$app->getDb()->restore($this->data['dbBackupPath']);
+            Craft::$app->getDb()->restore($backupPath);
         } catch (Throwable $e) {
             Craft::error('Error restoring up the database: ' . $e->getMessage(), __METHOD__);
             return $this->send([