From 67ade2fccd3981ed4f14a106638173a0df847bb9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20Gonz=C3=A1lez?= Date: Mon, 6 Jun 2022 16:35:02 +0200 Subject: [PATCH 1/5] Improved error message --- .../godmode/setup/file_manager.php | 23 ++++++- .../include/functions_filemanager.php | 16 +++++ pandora_console/include/get_file.php | 60 ++++++++++++++----- 3 files changed, 80 insertions(+), 19 deletions(-) diff --git a/pandora_console/godmode/setup/file_manager.php b/pandora_console/godmode/setup/file_manager.php index 201eb2507c..6f54f2f0a8 100644 --- a/pandora_console/godmode/setup/file_manager.php +++ b/pandora_console/godmode/setup/file_manager.php @@ -31,7 +31,7 @@ global $config; check_login(); -if (! check_acl($config['id_user'], 0, 'PM')) { +if ((bool) check_acl($config['id_user'], 0, 'PM') === false) { db_pandora_audit( AUDIT_LOG_ACL_VIOLATION, 'Trying to access File manager' @@ -43,7 +43,24 @@ if (! check_acl($config['id_user'], 0, 'PM')) { require_once 'include/functions_filemanager.php'; // Header. -ui_print_page_header(__('File manager'), '', false, '', true); +ui_print_standard_header( + __('File manager'), + '', + false, + '', + true, + [], + [ + [ + 'link' => '', + 'label' => __('Admin tools'), + ], + [ + 'link' => '', + 'label' => __('File manager'), + ], + ] +); if (isset($config['filemanager']['message']) === true) { echo $config['filemanager']['message']; @@ -66,7 +83,7 @@ $real_directory = realpath($config['homedir'].'/'.$directory); echo '

'.__('Index of %s', io_safe_input($directory)).'

'; $upload_file = (bool) get_parameter('upload_file'); -$create_text_file = (bool) get_parameter('create_text_file'); +$create_text_file = (bool) get_parameter('create_text_file'); $default_real_directory = realpath($config['homedir'].'/'); diff --git a/pandora_console/include/functions_filemanager.php b/pandora_console/include/functions_filemanager.php index b4b648b210..6e0289d896 100644 --- a/pandora_console/include/functions_filemanager.php +++ b/pandora_console/include/functions_filemanager.php @@ -476,6 +476,12 @@ function filemanager_file_explorer( $options=[] ) { global $config; + // Requirements for message dialog. + ui_require_css_file('dialog'); + ui_require_jquery_file('jquery-ui.min'); + ui_require_jquery_file('jquery-ui_custom'); + // Check for errors. + $errorOutput = (string) get_parameter('errorOutput'); // Windows compatibility. $real_directory = str_replace('\\', '/', $real_directory); @@ -492,7 +498,17 @@ function filemanager_file_explorer( $hack_metaconsole = (is_metaconsole() === true) ? '../../' : ''; ?> +
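Review bot: `$errorOutput = (string) get_parameter('errorOutput');` reads a request-controlled string that is evidently meant to be shown in the new message dialog, and nothing in this hunk escapes it; at the point where it is echoed (the rendering appears to be in the next hunk, which is cut off here) it should be passed through `htmlspecialchars($errorOutput, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` or the console's equivalent input-sanitising helper, otherwise the parameter is a reflected-XSS sink. The `(string)` cast also turns an array-valued parameter into the literal `Array` with a warning rather than rejecting it, so a non-string value should be treated as absent. The comment `// Check for errors.` does not say what the value is; `// Optional error text supplied via the request; must be escaped before it is rendered.` would tell the next reader. The enclosing `filemanager_file_explorer()` starts above the hunk and its body continues below it.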
+ Date: Tue, 7 Jun 2022 10:51:37 +0200 Subject: [PATCH 2/5] Improve security message --- pandora_console/include/get_file.php | 48 ++++++++++++++-------------- 1 file changed, 24 insertions(+), 24 deletions(-) diff --git a/pandora_console/include/get_file.php b/pandora_console/include/get_file.php index 99217e5ba1..7c48c02d94 100644 --- a/pandora_console/include/get_file.php +++ b/pandora_console/include/get_file.php @@ -26,9 +26,10 @@ * ============================================================================ */ -// Get global data. +// Begin. require_once 'config.php'; require_once 'functions.php'; +require_once 'functions_ui.php'; require_once 'functions_filemanager.php'; global $config; @@ -41,17 +42,13 @@ if ($auth_method !== 'ad' && $auth_method !== 'ldap') { include_once 'auth/'.$auth_method.'.php'; } - -$styleError = 'background:url("../images/err.png") no-repeat scroll 0 0 transparent; padding:4px 1px 6px 30px; color:#CC0000;'; - -$file_raw = get_parameter('file', null); +$hash = get_parameter('hash'); +$file_raw = get_parameter('file'); $file = base64_decode(urldecode($file_raw)); -$hash = get_parameter('hash', null); - -if ($file === '' || $hash === '' || $hash !== md5($file_raw.$config['server_unique_identifier']) || !isset($_SERVER['HTTP_REFERER'])) { - echo "

".__('Security error. Please contact the administrator.').'

'; +if (empty($file) === true || empty($hash) === true || $hash !== md5($file_raw.$config['server_unique_identifier']) || isset($_SERVER['HTTP_REFERER']) === false) { + $errorMessage = __('Security error. Please contact the administrator.'); } else { $downloadable_file = ''; $parse_all_queries = explode('&', parse_url($_SERVER['HTTP_REFERER'], PHP_URL_QUERY)); @@ -79,28 +76,16 @@ if ($file === '' || $hash === '' || $hash !== md5($file_raw.$config['server_uniq break; default: + // Wrong action. $downloadable_file = ''; - // Do nothing break; } } if (empty($downloadable_file) === true || file_exists($downloadable_file) === false) { - ?> -
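Review bot: The rewritten guard still compares the download token with a plain `!==` (`$hash !== md5($file_raw.$config['server_unique_identifier'])`), which is not a constant-time comparison of a request-supplied value against a secret-derived one; use `hash_equals(md5($file_raw.$config['server_unique_identifier']), (string) $hash) === false` in its place. The token itself is an unkeyed `md5(data.secret)` rather than an HMAC; if the producer of `hash` can be changed in step, `hash_hmac('sha256', $file_raw, $config['server_unique_identifier'])` on both sides is the sound construction, but that producer is outside this hunk. The `isset($_SERVER['HTTP_REFERER'])` clause is only defence in depth, since the header is client-supplied and optional, so the token check has to be the real gate. Note also that `empty($file)` now rejects a decoded value of `'0'` where the old `=== ''` did not; `$file === ''` keeps the original intent. The `if`/`else` opened here continues past the end of the hunk.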
- - + + From 9d071982f5ed85c4237676c38b1ccf9fe79a18f8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20Gonz=C3=A1lez?= Date: Tue, 7 Jun 2022 13:39:58 +0200 Subject: [PATCH 3/5] Improve code --- .../include/functions_filemanager.php | 23 ++++--------------- pandora_console/include/get_file.php | 12 +++++++--- 2 files changed, 13 insertions(+), 22 deletions(-) diff --git a/pandora_console/include/functions_filemanager.php b/pandora_console/include/functions_filemanager.php index 6e0289d896..94e16e822b 100644 --- a/pandora_console/include/functions_filemanager.php +++ b/pandora_console/include/functions_filemanager.php @@ -476,12 +476,6 @@ function filemanager_file_explorer( $options=[] ) { global $config; - // Requirements for message dialog. - ui_require_css_file('dialog'); - ui_require_jquery_file('jquery-ui.min'); - ui_require_jquery_file('jquery-ui_custom'); - // Check for errors. - $errorOutput = (string) get_parameter('errorOutput'); // Windows compatibility. $real_directory = str_replace('\\', '/', $real_directory); @@ -498,17 +492,7 @@ function filemanager_file_explorer( $hack_metaconsole = (is_metaconsole() === true) ? '../../' : ''; ?> -