hestiacp/web/download/backup/index.php

<?php
use function Hestiacp\quoteshellarg\quoteshellarg;

ob_start();
include $_SERVER["DOCUMENT_ROOT"] . "/inc/main.php";

// Check token
verify_csrf($_GET);

$backup = $_GET["backup"];

if (!file_exists("/backup/" . $backup)) {
	$backup = quoteshellarg($_GET["backup"]);
	exec(
		HESTIA_CMD . "v-schedule-user-backup-download " . $user . " " . $backup,
		$output,
		$return_var,
	);
	if ($return_var == 0) {
		$_SESSION["error_msg"] = _("Download of remote backup file has been scheduled.");
	} else {
		$_SESSION["error_msg"] = implode("<br>", $output);
		if (empty($_SESSION["error_msg"])) {
			$_SESSION["error_msg"] = _("Error: Hestia did not return any output.");
		}
	}
	unset($output);
	header("Location: /list/backup/");
	exit();
} else {
	if ($_SESSION["userContext"] === "admin") {
		header("Content-type: application/gzip");
		header("Content-Disposition: attachment; filename=\"" . $backup . "\";");
		header("X-Accel-Redirect: /backup/" . $backup);
	}

	if (!empty($_SESSION["user"]) && $_SESSION["userContext"] != "admin") {
		if (strpos($backup, $_SESSION["user"] . ".") === 0) {
			header("Content-type: application/gzip");
			header("Content-Disposition: attachment; filename=\"" . $backup . "\";");
			header("X-Accel-Redirect: /backup/" . $backup);
		}
	}
}