2727if (!defined ('IN_CMS ' )) { exit (); }
2828
2929/**
30- *
30+ *
3131 */
3232class FileManagerController extends PluginController {
3333
@@ -55,6 +55,14 @@ public function index() {
5555 $ this ->browse ();
5656 }
5757
58+ static function htmlContextCleaner ($ input ) {
59+ $ bad_chars = array ("< " , "> " );
60+ $ safe_chars = array ("< " , "> " );
61+ $ output = str_replace ($ bad_chars , $ safe_chars , $ input );
62+
63+ return stripslashes ($ output );
64+ }
65+
5866 public function browse () {
5967 $ params = func_get_args ();
6068
@@ -94,7 +102,7 @@ public function browse() {
94102 $ this ->fullpath = preg_replace ('/\/\// ' , '/ ' , $ this ->fullpath );
95103
96104 $ this ->display ('file_manager/views/index ' , array (
97- 'dir ' => $ this ->path ,
105+ 'dir ' => htmlContextCleaner ( $ this ->path ) ,
98106 //'files' => $this->_getListFiles()
99107 'files ' => $ this ->_listFiles ()
100108 ));
@@ -133,15 +141,15 @@ public function view() {
133141
134142 // We don't allow leading slashes
135143 $ filename = preg_replace ('/^\// ' , '' , $ filename );
136-
144+
137145 // Check if file had URL_SUFFIX - if so, append it to filename
138146 $ filename .= (isset ($ _GET ['has_url_suffix ' ]) && $ _GET ['has_url_suffix ' ]==='1 ' ) ? URL_SUFFIX : '' ;
139-
147+
140148 $ file = FILES_DIR . '/ ' . $ filename ;
141149 if (!$ this ->_isImage ($ file ) && file_exists ($ file )) {
142150 $ content = file_get_contents ($ file );
143151 }
144-
152+
145153 $ this ->display ('file_manager/views/view ' , array (
146154 'csrf_token ' => SecureToken::generateToken (BASE_URL .'plugin/file_manager/save/ ' .$ filename ),
147155 'is_image ' => $ this ->_isImage ($ file ),
@@ -156,7 +164,7 @@ public function save() {
156164 // security (remove all ..)
157165 $ data ['name ' ] = str_replace ('.. ' , '' , $ data ['name ' ]);
158166 $ file = FILES_DIR . DS . $ data ['name ' ];
159-
167+
160168 // CSRF checks
161169 if (isset ($ _POST ['csrf_token ' ])) {
162170 $ csrf_token = $ _POST ['csrf_token ' ];
@@ -169,7 +177,7 @@ public function save() {
169177 Flash::set ('error ' , __ ('No CSRF token found! ' ));
170178 redirect (get_url ('plugin/file_manager/view/ ' .$ data ['name ' ]));
171179 }
172-
180+
173181 if (file_exists ($ file )) {
174182 if (file_put_contents ($ file , $ data ['content ' ]) !== false ) {
175183 Flash::set ('success ' , __ ('File has been saved with success! ' ));
@@ -197,7 +205,7 @@ public function create_file() {
197205 Flash::set ('error ' , __ ('You do not have sufficient permissions to create a file. ' ));
198206 redirect (get_url ('plugin/file_manager/browse/ ' ));
199207 }
200-
208+
201209 // CSRF checks
202210 if (isset ($ _POST ['csrf_token ' ])) {
203211 $ csrf_token = $ _POST ['csrf_token ' ];
@@ -231,7 +239,7 @@ public function create_directory() {
231239 Flash::set ('error ' , __ ('You do not have sufficient permissions to create a directory. ' ));
232240 redirect (get_url ('plugin/file_manager/browse/ ' ));
233241 }
234-
242+
235243 // CSRF checks
236244 if (isset ($ _POST ['csrf_token ' ])) {
237245 $ csrf_token = $ _POST ['csrf_token ' ];
@@ -269,7 +277,7 @@ public function delete() {
269277 $ paths = func_get_args ();
270278
271279 $ file = urldecode (join ('/ ' , $ paths ));
272-
280+
273281 // CSRF checks
274282 if (isset ($ _GET ['csrf_token ' ])) {
275283 $ csrf_token = $ _GET ['csrf_token ' ];
@@ -304,7 +312,7 @@ public function upload() {
304312 Flash::set ('error ' , __ ('You do not have sufficient permissions to upload a file. ' ));
305313 redirect (get_url ('plugin/file_manager/browse/ ' ));
306314 }
307-
315+
308316 // CSRF checks
309317 if (isset ($ _POST ['csrf_token ' ])) {
310318 $ csrf_token = $ _POST ['csrf_token ' ];
@@ -317,7 +325,7 @@ public function upload() {
317325 Flash::set ('error ' , __ ('No CSRF token found! ' ));
318326 redirect (get_url ('plugin/file_manager/browse/ ' ));
319327 }
320-
328+
321329 $ mask = Plugin::getSetting ('umask ' , 'file_manager ' );
322330 umask (octdec ($ mask ));
323331
@@ -329,6 +337,12 @@ public function upload() {
329337 $ filename = preg_replace ('/ / ' , '_ ' , $ _FILES ['upload_file ' ]['name ' ]);
330338 $ filename = preg_replace ('/[^a-z0-9_\-\.]/i ' , '' , $ filename );
331339
340+ $ ext = strtolower (pathinfo ($ filename , PATHINFO_EXTENSION ));
341+ if (in_array ($ ext , ['php ' , 'php3 ' , 'php4 ' , 'inc ' ])) {
342+ Flash::set ('error ' , __ ('Not allowed to upload files with extension :ext ' , $ ext ));
343+ redirect (get_url ('plugin/file_manager/browse/ ' ));
344+ }
345+
332346 if (isset ($ _FILES )) {
333347 $ file = $ this ->_upload_file ($ filename , FILES_DIR . '/ ' . $ path . '/ ' , $ _FILES ['upload_file ' ]['tmp_name ' ], $ overwrite );
334348
@@ -356,7 +370,7 @@ public function chmod() {
356370 Flash::set ('error ' , __ ('No CSRF token found! ' ));
357371 redirect (get_url ('plugin/file_manager/browse/ ' ));
358372 }
359-
373+
360374 $ data = $ _POST ['file ' ];
361375 $ data ['name ' ] = str_replace ('.. ' , '' , $ data ['name ' ]);
362376 $ file = FILES_DIR . '/ ' . $ data ['name ' ];
@@ -378,7 +392,7 @@ public function rename() {
378392 Flash::set ('error ' , __ ('You do not have sufficient permissions to rename this file or directory. ' ));
379393 redirect (get_url ('plugin/file_manager/browse/ ' ));
380394 }
381-
395+
382396 // CSRF checks
383397 if (isset ($ _POST ['csrf_token ' ])) {
384398 $ csrf_token = $ _POST ['csrf_token ' ];
@@ -404,6 +418,14 @@ public function rename() {
404418 $ path = substr ($ data ['current_name ' ], 0 , strrpos ($ data ['current_name ' ], '/ ' ));
405419 $ file = FILES_DIR . '/ ' . $ data ['current_name ' ];
406420
421+ // Check if trying to rename to php file (.php / .php3 etc)
422+ $ ext = strtolower (pathinfo ($ data ['new_name ' ], PATHINFO_EXTENSION ));
423+
424+ if (in_array ($ ext , ['php ' , 'php3 ' , 'php4 ' , 'inc ' ])) {
425+ Flash::set ('error ' , __ ('Not allowed to rename to :ext ' , $ ext ));
426+ redirect (get_url ('plugin/file_manager/browse/ ' . $ path ));
427+ }
428+
407429 // Check another file doesn't already exist with same name
408430 if (file_exists (FILES_DIR . '/ ' . $ path . '/ ' . $ data ['new_name ' ])) {
409431 Flash::set ('error ' , __ ('A file or directory with that name already exists! ' ));
@@ -442,7 +464,7 @@ private function _listFiles() {
442464 $ name = $ cur ->getFilename ();
443465 if (Plugin::getSetting ('show_hidden ' , 'file_manager ' ) == '0 ' && $ name [0 ] === '. ' )
444466 continue ;
445-
467+
446468 if (Plugin::getSetting ('show_backups ' , 'file_manager ' ) == '0 ' && $ name [strlen ($ name )-1 ] === '~ ' )
447469 continue ;
448470
@@ -453,7 +475,7 @@ private function _listFiles() {
453475 $ object ->size = convert_size ($ cur ->getSize ());
454476 $ object ->mtime = date ('D, j M, Y ' , $ cur ->getMTime ());
455477 list ($ object ->perms , $ object ->chmod ) = $ this ->_getPermissions ($ cur ->getPerms ());
456-
478+
457479 // Find the file type
458480 $ object ->type = $ this ->_getFileType ($ cur );
459481
@@ -477,13 +499,13 @@ private function _listFiles() {
477499 return strnatcmp ($ a ->name , $ b ->name );
478500 }
479501 });
480-
502+
481503 return $ files ;
482504 }
483505
484506 return array ();
485507 }
486-
508+
487509 private function _getFileType ($ file ) {
488510 $ default = 'unknown ' ;
489511
@@ -659,7 +681,7 @@ public function settings() {
659681 Flash::set ('error ' , __ ('You do not have permission to access the requested page! ' ));
660682 redirect (get_url ());
661683 }
662-
684+
663685 $ settings = Plugin::getAllSettings ('file_manager ' );
664686
665687 if (!$ settings ) {
@@ -678,7 +700,7 @@ public function settings_save() {
678700 Flash::set ('error ' , __ ('You do not have permission to access the requested page! ' ));
679701 redirect (get_url ());
680702 }
681-
703+
682704 if (!isset ($ _POST ['settings ' ])) {
683705 Flash::set ('error ' , 'File Manager - ' . __ ('form was not posted. ' ));
684706 redirect (get_url ('plugin/file_manager/settings ' ));
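Review bot: `htmlContextCleaner` is declared as a static method of `FileManagerController` (new-side line 58) but is called as a bare function `htmlContextCleaner($this->path)` in `browse()` (line 105), which PHP resolves as a global function and will fail at runtime; the call should read `self::htmlContextCleaner($this->path)`. As rendered here the replacement list on line 60 is identical to the search list on line 59, so the `str_replace` is a no-op — if entity names were lost in rendering the intent still reads as HTML escaping, which is better done as `return htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');` (covers quotes, needed if `dir` is placed in an attribute), and the `stripslashes` call is unrelated to output escaping and should be dropped. The extension denylists added in `upload()` (line 340) and `rename()` (line 424) share one gap: `in_array` is called without `strict: true` and the list omits `phtml`, `php5`, `php7` and `phar`, so an allowlist of permitted extensions checked with `in_array($ext, $allowed, true)` would be more robust than enumerating forbidden ones. This file section's header is outside the chunk, so the section's full additions/deletions count and the first hunk's start are not visible.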