dest parameter can break gitbucket.

[ktanakaj]

Hi, I found a problem about dest parameter.

This plugin can output specified path by the dest parameter.
However, the plugin can work such as the danger url.
http://example.com/gitbucket/database/backup?dest=./gitbucket.conf

I think it is danger problem because:

• Gitbucket has writable authority .gitbucket directory on default.
• If anonymous access is enable, everyone can call the api.
• Gitbucket path is easily guessable.

I think the plugin need Basic Authentication.

Regards,
Koichi Tanaka

[ktanakaj]

I use these latest versions.

• gitbucket 4.5.0 by "java -jar gitbucket.war" commend.
• gitbucket-h2-backup-plugin 1.3.0
• Raspbian (Debian 8.0)

[McFoggy]

@ktanakaj see 1.4.0 & optional security.
It is a temporary & optional implementation that should answer your need and keep existing behavior for those who do not require this security mechanism.