2010-07-08 Miguel de Dios <miguel.dedios@artica.es>
* include/functions_filemanager.php: added source code lines that test a hash of directories or files to give the filemanager more security. git-svn-id: https://svn.code.sf.net/p/pandora/code/trunk@2973 c3f86ba8-e40f-0410-aaad-9ba5e7f4b01f
This commit is contained in:
parent
a1a103534a
commit
b4de8b5276
|
@ -1,4 +1,9 @@
|
||||||
2010-07-07 Miguel de Dios <miguel.dedios@artica.es>
|
2010-07-08 Miguel de Dios <miguel.dedios@artica.es>
|
||||||
|
|
||||||
|
* include/functions_filemanager.php: added in source code lines to test
|
||||||
|
hash of directories or files for give more security to filemanager.
|
||||||
|
|
||||||
|
2010-07-08 Miguel de Dios <miguel.dedios@artica.es>
|
||||||
|
|
||||||
* include/functions_filemanager.php: added var global through $config to
|
* include/functions_filemanager.php: added var global through $config to
|
||||||
return status of operation. And clean messages of filemanager.
|
return status of operation. And clean messages of filemanager.
|
||||||
|
|
|
@ -145,6 +145,13 @@ if ($upload_file) {
|
||||||
$real_directory = (string) get_parameter('real_directory');
|
$real_directory = (string) get_parameter('real_directory');
|
||||||
$directory = (string) get_parameter ('directory');
|
$directory = (string) get_parameter ('directory');
|
||||||
|
|
||||||
|
$hash = get_parameter('hash', '');
|
||||||
|
$testHash = md5($real_directory . $directory . $config['dbpass']);
|
||||||
|
|
||||||
|
if ($hash != $testHash) {
|
||||||
|
echo "<h3 class=error>".__('Security error.')."</h3>";
|
||||||
|
}
|
||||||
|
else {
|
||||||
// Copy file to directory and change name
|
// Copy file to directory and change name
|
||||||
if ($directory == '') {
|
if ($directory == '') {
|
||||||
$nombre_archivo = $real_directory .'/'. $filename;
|
$nombre_archivo = $real_directory .'/'. $filename;
|
||||||
|
@ -160,7 +167,7 @@ if ($upload_file) {
|
||||||
// Delete temporal file
|
// Delete temporal file
|
||||||
unlink ($_FILES['file']['tmp_name']);
|
unlink ($_FILES['file']['tmp_name']);
|
||||||
}
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -188,6 +195,13 @@ if ($create_text_file) {
|
||||||
$real_directory = (string) get_parameter('real_directory');
|
$real_directory = (string) get_parameter('real_directory');
|
||||||
$directory = (string) get_parameter ('directory');
|
$directory = (string) get_parameter ('directory');
|
||||||
|
|
||||||
|
$hash = get_parameter('hash', '');
|
||||||
|
$testHash = md5($real_directory . $directory . $config['dbpass']);
|
||||||
|
|
||||||
|
if ($hash != $testHash) {
|
||||||
|
echo "<h3 class=error>".__('Security error.')."</h3>";
|
||||||
|
}
|
||||||
|
else {
|
||||||
if ($directory == '') {
|
if ($directory == '') {
|
||||||
$nombre_archivo = $real_directory .'/'. $filename;
|
$nombre_archivo = $real_directory .'/'. $filename;
|
||||||
}
|
}
|
||||||
|
@ -201,6 +215,7 @@ if ($create_text_file) {
|
||||||
$config['filemanager']['correct_upload_file'] = 1;
|
$config['filemanager']['correct_upload_file'] = 1;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
}
|
||||||
else {
|
else {
|
||||||
echo "<h3 class=error>".__('Error create file with empty name.')."</h3>";
|
echo "<h3 class=error>".__('Error create file with empty name.')."</h3>";
|
||||||
}
|
}
|
||||||
|
@ -228,6 +243,13 @@ if ($upload_zip) {
|
||||||
$real_directory = (string) get_parameter('real_directory');
|
$real_directory = (string) get_parameter('real_directory');
|
||||||
$directory = (string) get_parameter ('directory');
|
$directory = (string) get_parameter ('directory');
|
||||||
|
|
||||||
|
$hash = get_parameter('hash', '');
|
||||||
|
$testHash = md5($real_directory . $directory . $config['dbpass']);
|
||||||
|
|
||||||
|
if ($hash != $testHash) {
|
||||||
|
echo "<h3 class=error>".__('Security error.')."</h3>";
|
||||||
|
}
|
||||||
|
else {
|
||||||
// Copy file to directory and change name
|
// Copy file to directory and change name
|
||||||
if ($directory == '') {
|
if ($directory == '') {
|
||||||
$nombre_archivo = $real_directory .'/'. $filename;
|
$nombre_archivo = $real_directory .'/'. $filename;
|
||||||
|
@ -253,7 +275,7 @@ if ($upload_zip) {
|
||||||
|
|
||||||
$config['filemanager']['correct_upload_file'] = 1;
|
$config['filemanager']['correct_upload_file'] = 1;
|
||||||
}
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -267,6 +289,13 @@ if ($create_dir) {
|
||||||
|
|
||||||
$directory = (string) get_parameter ('directory', "/");
|
$directory = (string) get_parameter ('directory', "/");
|
||||||
|
|
||||||
|
$hash = get_parameter('hash', '');
|
||||||
|
$testHash = md5($directory . $config['dbpass']);
|
||||||
|
|
||||||
|
if ($hash != $testHash) {
|
||||||
|
echo "<h3 class=error>".__('Security error.')."</h3>";
|
||||||
|
}
|
||||||
|
else {
|
||||||
$dirname = (string) get_parameter ('dirname');
|
$dirname = (string) get_parameter ('dirname');
|
||||||
if ($dirname != '') {
|
if ($dirname != '') {
|
||||||
@mkdir ($directory.'/'.$dirname);
|
@mkdir ($directory.'/'.$dirname);
|
||||||
|
@ -277,6 +306,7 @@ if ($create_dir) {
|
||||||
else {
|
else {
|
||||||
echo "<h3 class=error>".__('Error create file with empty name.')."</h3>";
|
echo "<h3 class=error>".__('Error create file with empty name.')."</h3>";
|
||||||
}
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
//DELETE FILE OR DIR
|
//DELETE FILE OR DIR
|
||||||
|
@ -288,6 +318,14 @@ if ($delete_file) {
|
||||||
$config['filemanager']['delete'] = 0;
|
$config['filemanager']['delete'] = 0;
|
||||||
|
|
||||||
$filename = (string) get_parameter ('filename');
|
$filename = (string) get_parameter ('filename');
|
||||||
|
|
||||||
|
$hash = get_parameter('hash', '');
|
||||||
|
$testHash = md5($filename . $config['dbpass']);
|
||||||
|
|
||||||
|
if ($hash != $testHash) {
|
||||||
|
echo "<h3 class=error>".__('Security error.')."</h3>";
|
||||||
|
}
|
||||||
|
else {
|
||||||
echo "<h3>".__('Deleting')." ".$filename."</h3>";
|
echo "<h3>".__('Deleting')." ".$filename."</h3>";
|
||||||
if (is_dir ($filename)) {
|
if (is_dir ($filename)) {
|
||||||
rmdir ($filename);
|
rmdir ($filename);
|
||||||
|
@ -296,6 +334,7 @@ if ($delete_file) {
|
||||||
unlink ($filename);
|
unlink ($filename);
|
||||||
$config['filemanager']['delete'] = 1;
|
$config['filemanager']['delete'] = 1;
|
||||||
}
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -338,6 +377,8 @@ function delete_directory($dir)
|
||||||
* @param boolean $editor The flag to set the edition of text files.
|
* @param boolean $editor The flag to set the edition of text files.
|
||||||
*/
|
*/
|
||||||
function file_explorer($real_directory, $relative_directory, $url, $father = '', $editor = false) {
|
function file_explorer($real_directory, $relative_directory, $url, $father = '', $editor = false) {
|
||||||
|
global $config;
|
||||||
|
|
||||||
?>
|
?>
|
||||||
<script type="text/javascript">
|
<script type="text/javascript">
|
||||||
function show_form_create_folder() {
|
function show_form_create_folder() {
|
||||||
|
@ -399,7 +440,7 @@ function file_explorer($real_directory, $relative_directory, $url, $father = '',
|
||||||
|
|
||||||
if (($prev_dir_str != '') && ($father != $relative_directory)) {
|
if (($prev_dir_str != '') && ($father != $relative_directory)) {
|
||||||
$table->data[0][0] = print_image ('images/go_previous.png', true);
|
$table->data[0][0] = print_image ('images/go_previous.png', true);
|
||||||
$table->data[0][1] = '<a href="' . $url . '&directory='.$prev_dir_str.'">';
|
$table->data[0][1] = '<a href="' . $url . '&directory='.$prev_dir_str.'&hash=' . md5($prev_dir_str.$config['dbpass']) . '">';
|
||||||
$table->data[0][1] .= __('Parent directory');
|
$table->data[0][1] .= __('Parent directory');
|
||||||
$table->data[0][1] .='</a>';
|
$table->data[0][1] .='</a>';
|
||||||
|
|
||||||
|
@ -421,6 +462,7 @@ function file_explorer($real_directory, $relative_directory, $url, $father = '',
|
||||||
$table->data[1][1] .= print_submit_button (__('Create'), 'crt', false, 'class="sub next"', true);
|
$table->data[1][1] .= print_submit_button (__('Create'), 'crt', false, 'class="sub next"', true);
|
||||||
$table->data[1][1] .= print_input_hidden ('directory', $relative_directory, true);
|
$table->data[1][1] .= print_input_hidden ('directory', $relative_directory, true);
|
||||||
$table->data[1][1] .= print_input_hidden ('create_dir', 1, true);
|
$table->data[1][1] .= print_input_hidden ('create_dir', 1, true);
|
||||||
|
$table->data[1][1] .= print_input_hidden('hash', md5($relative_directory . $config['dbpass']), true);
|
||||||
$table->data[1][1] .= '</form>';
|
$table->data[1][1] .= '</form>';
|
||||||
$table->data[1][1] .= '</div>';
|
$table->data[1][1] .= '</div>';
|
||||||
|
|
||||||
|
@ -435,6 +477,7 @@ function file_explorer($real_directory, $relative_directory, $url, $father = '',
|
||||||
$table->data[1][1] .= print_submit_button (__('Go'), 'go', false, 'class="sub next"', true);
|
$table->data[1][1] .= print_submit_button (__('Go'), 'go', false, 'class="sub next"', true);
|
||||||
$table->data[1][1] .= print_input_hidden ('real_directory', $real_directory, true);
|
$table->data[1][1] .= print_input_hidden ('real_directory', $real_directory, true);
|
||||||
$table->data[1][1] .= print_input_hidden ('directory', $relative_directory, true);
|
$table->data[1][1] .= print_input_hidden ('directory', $relative_directory, true);
|
||||||
|
$table->data[1][1] .= print_input_hidden('hash', md5($real_directory . $relative_directory . $config['dbpass']), true);
|
||||||
$table->data[1][1] .= print_input_hidden ('upload_file_or_zip', 1, true);
|
$table->data[1][1] .= print_input_hidden ('upload_file_or_zip', 1, true);
|
||||||
$table->data[1][1] .= '</form>';
|
$table->data[1][1] .= '</form>';
|
||||||
$table->data[1][1] .= '</div>';
|
$table->data[1][1] .= '</div>';
|
||||||
|
@ -446,6 +489,7 @@ function file_explorer($real_directory, $relative_directory, $url, $father = '',
|
||||||
$table->data[1][1] .= print_submit_button (__('Create'), 'create', false, 'class="sub"', true);
|
$table->data[1][1] .= print_submit_button (__('Create'), 'create', false, 'class="sub"', true);
|
||||||
$table->data[1][1] .= print_input_hidden ('real_directory', $real_directory, true);
|
$table->data[1][1] .= print_input_hidden ('real_directory', $real_directory, true);
|
||||||
$table->data[1][1] .= print_input_hidden ('directory', $relative_directory, true);
|
$table->data[1][1] .= print_input_hidden ('directory', $relative_directory, true);
|
||||||
|
$table->data[1][1] .= print_input_hidden('hash', md5($real_directory . $relative_directory . $config['dbpass']), true);
|
||||||
$table->data[1][1] .= print_input_hidden ('create_text_file', 1, true);
|
$table->data[1][1] .= print_input_hidden ('create_text_file', 1, true);
|
||||||
$table->data[1][1] .= '</form>';
|
$table->data[1][1] .= '</form>';
|
||||||
$table->data[1][1] .= '</div>';
|
$table->data[1][1] .= '</div>';
|
||||||
|
@ -475,7 +519,7 @@ function file_explorer($real_directory, $relative_directory, $url, $father = '',
|
||||||
}
|
}
|
||||||
|
|
||||||
if ($fileinfo['is_dir']) {
|
if ($fileinfo['is_dir']) {
|
||||||
$data[1] = '<a href="' . $url . '&directory='.$relative_directory.'/'.$fileinfo['name'].'">'.$fileinfo['name'].'</a>';
|
$data[1] = '<a href="' . $url . '&directory='.$relative_directory.'/'.$fileinfo['name'].'&hash=' . md5($relative_directory.'/'.$fileinfo['name'].$config['dbpass']) . '">'.$fileinfo['name'].'</a>';
|
||||||
} else {
|
} else {
|
||||||
$data[1] = '<a href="'.$fileinfo['url'].'">'.$fileinfo['name'].'</a>';
|
$data[1] = '<a href="'.$fileinfo['url'].'">'.$fileinfo['name'].'</a>';
|
||||||
}
|
}
|
||||||
|
@ -492,15 +536,16 @@ function file_explorer($real_directory, $relative_directory, $url, $father = '',
|
||||||
$data[4] = '';
|
$data[4] = '';
|
||||||
if (is_writable ($fileinfo['realpath']) &&
|
if (is_writable ($fileinfo['realpath']) &&
|
||||||
(! is_dir ($fileinfo['realpath']) || count (scandir ($fileinfo['realpath'])) < 3)) {
|
(! is_dir ($fileinfo['realpath']) || count (scandir ($fileinfo['realpath'])) < 3)) {
|
||||||
$data[4] = '<form method="post" action="" style="float: left;">';
|
$data[4] = '<form method="post" action="' . $url . '" style="float: left;">';
|
||||||
$data[4] .= '<input type="image" src="images/cross.png" onClick="if (!confirm(\' '.__('Are you sure?').'\')) return false;">';
|
$data[4] .= '<input type="image" src="images/cross.png" onClick="if (!confirm(\' '.__('Are you sure?').'\')) return false;">';
|
||||||
$data[4] .= print_input_hidden ('filename', $fileinfo['realpath'], true);
|
$data[4] .= print_input_hidden ('filename', $fileinfo['realpath'], true);
|
||||||
|
$data[4] .= print_input_hidden('hash', md5($fileinfo['realpath'] . $config['dbpass']), true);
|
||||||
$data[4] .= print_input_hidden ('delete_file', 1, true);
|
$data[4] .= print_input_hidden ('delete_file', 1, true);
|
||||||
$data[4] .= '</form>';
|
$data[4] .= '</form>';
|
||||||
|
|
||||||
if ($editor) {
|
if ($editor) {
|
||||||
if ($fileinfo['mime'] == MIME_TEXT) {
|
if ($fileinfo['mime'] == MIME_TEXT) {
|
||||||
$data[4] .= "<a href='$url&edit_file=1&location_file=" . $fileinfo['realpath'] . "' style='float: left;'><img src='images/edit.png' style='margin-top: 2px;' /></a>";
|
$data[4] .= "<a href='$url&edit_file=1&location_file=" . $fileinfo['realpath'] . "&hash=" . md5($fileinfo['realpath'] . $config['dbpass']) . "' style='float: left;'><img src='images/edit.png' style='margin-top: 2px;' /></a>";
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -518,6 +563,8 @@ function file_explorer($real_directory, $relative_directory, $url, $father = '',
|
||||||
* @param string $url The url to set in the forms and some links in the explorer.
|
* @param string $url The url to set in the forms and some links in the explorer.
|
||||||
*/
|
*/
|
||||||
function box_upload_file_complex($real_directory, $relative_directory, $url = '') {
|
function box_upload_file_complex($real_directory, $relative_directory, $url = '') {
|
||||||
|
global $config;
|
||||||
|
|
||||||
$table->width = '100%';
|
$table->width = '100%';
|
||||||
|
|
||||||
$table->data = array ();
|
$table->data = array ();
|
||||||
|
@ -536,6 +583,7 @@ function box_upload_file_complex($real_directory, $relative_directory, $url = ''
|
||||||
'class="sub next"', true);
|
'class="sub next"', true);
|
||||||
$table->data[1][4] .= print_input_hidden ('real_directory', $real_directory, true);
|
$table->data[1][4] .= print_input_hidden ('real_directory', $real_directory, true);
|
||||||
$table->data[1][4] .= print_input_hidden ('directory', $relative_directory, true);
|
$table->data[1][4] .= print_input_hidden ('directory', $relative_directory, true);
|
||||||
|
$table->data[1][4] .= print_input_hidden('hash', md5($real_directory . $relative_directory . $config['dbpass']), true);
|
||||||
$table->data[1][4] .= print_input_hidden ('upload_file_or_zip', 1, true);
|
$table->data[1][4] .= print_input_hidden ('upload_file_or_zip', 1, true);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -552,6 +600,8 @@ function box_upload_file_complex($real_directory, $relative_directory, $url = ''
|
||||||
* @param string $url The url to set in the forms and some links in the explorer.
|
* @param string $url The url to set in the forms and some links in the explorer.
|
||||||
*/
|
*/
|
||||||
function box_upload_file_explorer($real_directory, $relative_directory, $url = '') {
|
function box_upload_file_explorer($real_directory, $relative_directory, $url = '') {
|
||||||
|
global $config;
|
||||||
|
|
||||||
$table->width = '50%';
|
$table->width = '50%';
|
||||||
|
|
||||||
$table->data = array ();
|
$table->data = array ();
|
||||||
|
@ -568,6 +618,7 @@ function box_upload_file_explorer($real_directory, $relative_directory, $url = '
|
||||||
'class="sub next"', true);
|
'class="sub next"', true);
|
||||||
$table->data[1][2] .= print_input_hidden ('real_directory', $real_directory, true);
|
$table->data[1][2] .= print_input_hidden ('real_directory', $real_directory, true);
|
||||||
$table->data[1][2] .= print_input_hidden ('directory', $relative_directory, true);
|
$table->data[1][2] .= print_input_hidden ('directory', $relative_directory, true);
|
||||||
|
$table->data[1][2] .= print_input_hidden('hash', md5($real_directory . $relative_directory . $config['dbpass']), true);
|
||||||
$table->data[1][2] .= print_input_hidden ('upload_file', 1, true);
|
$table->data[1][2] .= print_input_hidden ('upload_file', 1, true);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -584,6 +635,8 @@ function box_upload_file_explorer($real_directory, $relative_directory, $url = '
|
||||||
* @param string $url The url to set in the forms and some links in the explorer.
|
* @param string $url The url to set in the forms and some links in the explorer.
|
||||||
*/
|
*/
|
||||||
function box_upload_zip_explorer($real_directory, $relative_directory, $url = '') {
|
function box_upload_zip_explorer($real_directory, $relative_directory, $url = '') {
|
||||||
|
global $config;
|
||||||
|
|
||||||
$table->width = '60%';
|
$table->width = '60%';
|
||||||
|
|
||||||
$table->data = array ();
|
$table->data = array ();
|
||||||
|
@ -600,6 +653,7 @@ function box_upload_zip_explorer($real_directory, $relative_directory, $url = ''
|
||||||
'class="sub next"', true);
|
'class="sub next"', true);
|
||||||
$table->data[1][2] .= print_input_hidden ('real_directory', $real_directory, true);
|
$table->data[1][2] .= print_input_hidden ('real_directory', $real_directory, true);
|
||||||
$table->data[1][2] .= print_input_hidden ('directory', $relative_directory, true);
|
$table->data[1][2] .= print_input_hidden ('directory', $relative_directory, true);
|
||||||
|
$table->data[1][2] .= print_input_hidden('hash', md5($real_directory . $relative_directory . $config['dbpass']), true);
|
||||||
$table->data[1][2] .= print_input_hidden ('upload_zip', 1, true);
|
$table->data[1][2] .= print_input_hidden ('upload_zip', 1, true);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -616,6 +670,8 @@ function box_upload_zip_explorer($real_directory, $relative_directory, $url = ''
|
||||||
* @param string $url The url to set in the forms and some links in the explorer.
|
* @param string $url The url to set in the forms and some links in the explorer.
|
||||||
*/
|
*/
|
||||||
function box_create_text_explorer($real_directory, $relative_directory, $url = '') {
|
function box_create_text_explorer($real_directory, $relative_directory, $url = '') {
|
||||||
|
global $config;
|
||||||
|
|
||||||
$table->width = '60%';
|
$table->width = '60%';
|
||||||
|
|
||||||
$table->data = array ();
|
$table->data = array ();
|
||||||
|
@ -632,6 +688,7 @@ function box_create_text_explorer($real_directory, $relative_directory, $url = '
|
||||||
'class="sub"', true);
|
'class="sub"', true);
|
||||||
$table->data[1][2] .= print_input_hidden ('real_directory', $real_directory, true);
|
$table->data[1][2] .= print_input_hidden ('real_directory', $real_directory, true);
|
||||||
$table->data[1][2] .= print_input_hidden ('directory', $relative_directory, true);
|
$table->data[1][2] .= print_input_hidden ('directory', $relative_directory, true);
|
||||||
|
$table->data[1][2] .= print_input_hidden('hash', md5($real_directory . $relative_directory . $config['dbpass']), true);
|
||||||
$table->data[1][2] .= print_input_hidden ('create_text_file', 1, true);
|
$table->data[1][2] .= print_input_hidden ('create_text_file', 1, true);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
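Review bot: The token check `if ($hash != $testHash)` introduced in the `@ -145,6 +145,13` hunk (and repeated unchanged in the create_text_file, upload_zip, create_dir and delete_file hunks) is weak in two ways: `md5($real_directory . $directory . $config['dbpass'])` concatenates its inputs with no delimiter, so different (real_directory, directory) pairs that join to the same string are validated by one token, and `!=` between two strings that both look numeric compares them as numbers rather than byte for byte. Both are closed by a keyed digest over delimited inputs and a constant-time comparison, e.g. `$testHash = hash_hmac('sha256', $real_directory . "\0" . $directory, $config['dbpass']);` and `if (!hash_equals($testHash, (string) $hash)) {`, with the same construction on the emitting side in file_explorer and the box_* helpers so the values still match. Deriving the token from the database password also turns every token printed into a page (links and hidden fields) into a value that can be checked offline against candidate passwords, so a dedicated random secret stored in $config would be a safer key, though where such a value is provisioned lies outside this diff. The create_dir and delete_file tokens are computed as `md5($path . $config['dbpass'])` with no indication of the action, so a token minted for one operation on a path is presumably accepted for another on the same string; including the action name in the hashed input would separate them. The `if ($upload_file) {` and sibling blocks these checks live in start outside their hunks, and whether an edit_file handler verifies the hash added to the edit link at `$data[4] .= "<a href='$url&edit_file=1...` cannot be seen here.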