ExportCsv: no cleanup mechanism + admins can download each other's exports #20

@mwtcmi

Description

Tools/ExportCsv.php:62-73 writes CSV exports (including CDR data with caller IDs, timestamps, dispositions) to assets/exports/ under the module directory. Two real concerns:

1. No cleanup mechanism

$filename = "frogman-{$type}-" . date('Ymd-His') . '.csv';   // name carries only a timestamp, no owner
$exportDir = __DIR__ . '/../assets/exports';
if (!is_dir($exportDir)) mkdir($exportDir, 0755, true);
$filepath = $exportDir . '/' . $filename;                    // file is written here and never removed

Every export accumulates on disk forever. A periodically-scheduled CDR export rapidly grows into gigabytes of PII files that no one is curating.

2. No per-user scoping on download

The download endpoint (Frogman.class.php handleDownload) requires FreePBX admin session ('authenticate' => true, 'allowremote' => false), so non-admins can't fetch. But any admin can download any other admin's export — the filename pattern is timestamp-based and trivially enumerable for a determined admin.

Original review (C6, Critical)

The forum reviewer rated this Critical. Verification during the 2026-05-13 disclosure cycle:

  • Authentication concern was overstated — the endpoint IS admin-gated.
  • The cleanup-and-scoping concerns ARE real and remain.

Not advisory-grade because non-admin attack surface is zero. Filing as a normal issue for follow-up.

Suggested fix

  • TTL cleanup: prune exports older than N days during each export call (cheap), or via a system cron job.
  • Per-user scoping: filename embeds the requesting admin's username; download endpoint checks the filename matches the requesting session's user before serving.
  • Bonus: optionally make the download a one-shot — server deletes the file after first successful read.
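The three suggested fixes sketched in plain PHP, as an added example that is not the module's own code: a TTL prune on each export, the owner embedded in the filename, a download resolver that refuses any file not owned by the requesting admin, and a one-shot serve. The `$user` argument (the authenticated FreePBX admin's username) and the 7-day window are assumptions; fetching the username from the module's session handling is left to the module.

```php
<?php
// Added example, not the module's code. $user is assumed to be the
// authenticated FreePBX admin's username, supplied by the module's session code.
const EXPORT_TTL_DAYS = 7;                     // assumed retention window

function exportDir(): string {
    $dir = __DIR__ . '/../assets/exports';
    if (!is_dir($dir)) mkdir($dir, 0750, true); // not world-readable
    return realpath($dir);
}

// TTL cleanup: delete exports older than the window. Cheap enough to run on
// every export call; returns how many files were removed.
function pruneOldExports(int $ttlDays = EXPORT_TTL_DAYS): int {
    $cutoff = time() - $ttlDays * 86400;
    $removed = 0;
    foreach (glob(exportDir() . '/frogman-*.csv') ?: [] as $f) {
        if (filemtime($f) < $cutoff && unlink($f)) $removed++;
    }
    return $removed;
}

// Per-user scoping: the owner is hex-encoded into the name, so any username
// becomes a safe, unambiguous path component the download check can compare.
function exportFilename(string $type, string $user): string {
    $safeType = preg_replace('/[^A-Za-z0-9_]/', '_', $type);
    return "frogman-{$safeType}-" . bin2hex($user) . '-' . date('Ymd-His') . '.csv';
}

// Returns the path to serve, or null when the request must be refused: a name
// that does not fit the pattern, a path outside the export dir, or a file
// whose embedded owner is not the requesting admin.
function resolveDownload(string $requested, string $user): ?string {
    $name = basename($requested);              // drop any directory component
    if (!preg_match('/^frogman-[A-Za-z0-9_]+-([0-9a-f]+)-\d{8}-\d{6}\.csv$/', $name, $m)) {
        return null;
    }
    if (!hash_equals($m[1], bin2hex($user))) return null;   // another admin's file
    $path = realpath(exportDir() . '/' . $name);
    if ($path === false || strpos($path, exportDir() . '/') !== 0) return null;
    return $path;
}

// One-shot delivery: the file is removed after it has been read successfully.
function serveOnce(string $path): void {
    header('Content-Type: text/csv');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    if (readfile($path) !== false) unlink($path);
}
```

In the download handler, call `resolveDownload($_GET['file'], $user)` and return 404 on null before calling `serveOnce`, so a refused request looks the same as a missing file.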

Metadata

Labels: bug (Something isn't working)