
Commit 2160275

committed
Fix #619 and #625
1 parent d9b0620 commit 2160275

4 files changed

+72
-29
lines changed


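--- a/wolf/plugins/file_manager/FileManagerController.php
+++ b/wolf/plugins/file_manager/FileManagerController.php
@@ -27,7 +27,7 @@
 if (!defined('IN_CMS')) { exit(); }
 
 /**
- *
+ *
 */
 class FileManagerController extends PluginController {
 
@@ -55,6 +55,14 @@ public function index() {
 $this->browse();
 }
 
+static function htmlContextCleaner($input) {
+$bad_chars = array("<", ">");
+$safe_chars = array("&lt;", "&gt;");
+$output = str_replace($bad_chars, $safe_chars, $input);
+
+return stripslashes($output);
+}
+
 public function browse() {
 $params = func_get_args();
 
@@ -94,7 +102,7 @@ public function browse() {
 $this->fullpath = preg_replace('/\/\//', '/', $this->fullpath);
 
 $this->display('file_manager/views/index', array(
-'dir' => $this->path,
+'dir' => htmlContextCleaner($this->path),
 //'files' => $this->_getListFiles()
 'files' => $this->_listFiles()
 ));
@@ -133,15 +141,15 @@ public function view() {
 
 // We don't allow leading slashes
 $filename = preg_replace('/^\//', '', $filename);
-
+
 // Check if file had URL_SUFFIX - if so, append it to filename
 $filename .= (isset($_GET['has_url_suffix']) && $_GET['has_url_suffix']==='1') ? URL_SUFFIX : '';
-
+
 $file = FILES_DIR . '/' . $filename;
 if (!$this->_isImage($file) && file_exists($file)) {
 $content = file_get_contents($file);
 }
-
+
 $this->display('file_manager/views/view', array(
 'csrf_token' => SecureToken::generateToken(BASE_URL.'plugin/file_manager/save/'.$filename),
 'is_image' => $this->_isImage($file),
@@ -156,7 +164,7 @@ public function save() {
 // security (remove all ..)
 $data['name'] = str_replace('..', '', $data['name']);
 $file = FILES_DIR . DS . $data['name'];
-
+
 // CSRF checks
 if (isset($_POST['csrf_token'])) {
 $csrf_token = $_POST['csrf_token'];
@@ -169,7 +177,7 @@ public function save() {
 Flash::set('error', __('No CSRF token found!'));
 redirect(get_url('plugin/file_manager/view/'.$data['name']));
 }
-
+
 if (file_exists($file)) {
 if (file_put_contents($file, $data['content']) !== false) {
 Flash::set('success', __('File has been saved with success!'));
@@ -197,7 +205,7 @@ public function create_file() {
 Flash::set('error', __('You do not have sufficient permissions to create a file.'));
 redirect(get_url('plugin/file_manager/browse/'));
 }
-
+
 // CSRF checks
 if (isset($_POST['csrf_token'])) {
 $csrf_token = $_POST['csrf_token'];
@@ -231,7 +239,7 @@ public function create_directory() {
 Flash::set('error', __('You do not have sufficient permissions to create a directory.'));
 redirect(get_url('plugin/file_manager/browse/'));
 }
-
+
 // CSRF checks
 if (isset($_POST['csrf_token'])) {
 $csrf_token = $_POST['csrf_token'];
@@ -269,7 +277,7 @@ public function delete() {
 $paths = func_get_args();
 
 $file = urldecode(join('/', $paths));
-
+
 // CSRF checks
 if (isset($_GET['csrf_token'])) {
 $csrf_token = $_GET['csrf_token'];
@@ -304,7 +312,7 @@ public function upload() {
 Flash::set('error', __('You do not have sufficient permissions to upload a file.'));
 redirect(get_url('plugin/file_manager/browse/'));
 }
-
+
 // CSRF checks
 if (isset($_POST['csrf_token'])) {
 $csrf_token = $_POST['csrf_token'];
@@ -317,7 +325,7 @@ public function upload() {
 Flash::set('error', __('No CSRF token found!'));
 redirect(get_url('plugin/file_manager/browse/'));
 }
-
+
 $mask = Plugin::getSetting('umask', 'file_manager');
 umask(octdec($mask));
 
@@ -329,6 +337,12 @@ public function upload() {
 $filename = preg_replace('/ /', '_', $_FILES['upload_file']['name']);
 $filename = preg_replace('/[^a-z0-9_\-\.]/i', '', $filename);
 
+$ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
+if (in_array($ext, ['php', 'php3', 'php4', 'inc'])) {
+Flash::set('error', __('Not allowed to upload files with extension :ext', $ext));
+redirect(get_url('plugin/file_manager/browse/'));
+}
+
 if (isset($_FILES)) {
 $file = $this->_upload_file($filename, FILES_DIR . '/' . $path . '/', $_FILES['upload_file']['tmp_name'], $overwrite);
 
@@ -356,7 +370,7 @@ public function chmod() {
 Flash::set('error', __('No CSRF token found!'));
 redirect(get_url('plugin/file_manager/browse/'));
 }
-
+
 $data = $_POST['file'];
 $data['name'] = str_replace('..', '', $data['name']);
 $file = FILES_DIR . '/' . $data['name'];
@@ -378,7 +392,7 @@ public function rename() {
 Flash::set('error', __('You do not have sufficient permissions to rename this file or directory.'));
 redirect(get_url('plugin/file_manager/browse/'));
 }
-
+
 // CSRF checks
 if (isset($_POST['csrf_token'])) {
 $csrf_token = $_POST['csrf_token'];
@@ -404,6 +418,14 @@ public function rename() {
 $path = substr($data['current_name'], 0, strrpos($data['current_name'], '/'));
 $file = FILES_DIR . '/' . $data['current_name'];
 
+// Check if trying to rename to php file (.php / .php3 etc)
+$ext = strtolower(pathinfo($data['new_name'], PATHINFO_EXTENSION));
+
+if (in_array($ext, ['php', 'php3', 'php4', 'inc'])) {
+Flash::set('error', __('Not allowed to rename to :ext', $ext));
+redirect(get_url('plugin/file_manager/browse/' . $path));
+}
+
 // Check another file doesn't already exist with same name
 if (file_exists(FILES_DIR . '/' . $path . '/' . $data['new_name'])) {
 Flash::set('error', __('A file or directory with that name already exists!'));
@@ -442,7 +464,7 @@ private function _listFiles() {
 $name = $cur->getFilename();
 if (Plugin::getSetting('show_hidden', 'file_manager') == '0' && $name[0] === '.')
 continue;
-
+
 if (Plugin::getSetting('show_backups', 'file_manager') == '0' && $name[strlen($name)-1] === '~')
 continue;
 
@@ -453,7 +475,7 @@ private function _listFiles() {
 $object->size = convert_size($cur->getSize());
 $object->mtime = date('D, j M, Y', $cur->getMTime());
 list($object->perms, $object->chmod) = $this->_getPermissions($cur->getPerms());
-
+
 // Find the file type
 $object->type = $this->_getFileType($cur);
 
@@ -477,13 +499,13 @@ private function _listFiles() {
 return strnatcmp($a->name, $b->name);
 }
 });
-
+
 return $files;
 }
 
 return array();
 }
-
+
 private function _getFileType($file) {
 $default = 'unknown';
 
@@ -659,7 +681,7 @@ public function settings() {
 Flash::set('error', __('You do not have permission to access the requested page!'));
 redirect(get_url());
 }
-
+
 $settings = Plugin::getAllSettings('file_manager');
 
 if (!$settings) {
@@ -678,7 +700,7 @@ public function settings_save() {
 Flash::set('error', __('You do not have permission to access the requested page!'));
 redirect(get_url());
 }
-
+
 if (!isset($_POST['settings'])) {
 Flash::set('error', 'File Manager - ' . __('form was not posted.'));
 redirect(get_url('plugin/file_manager/settings'));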
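Review bot: The extension deny-list added in upload() and rename() (new lines 340-345 and 421-428) is too short to reliably stop PHP execution: `php5`, `php7`, `phtml`, `phar` and `phps` are commonly mapped to the PHP handler, and the filename filter at line 338 still admits `.htaccess` (pathinfo() reports its extension as `htaccess`), which on servers that honour it can re-map any other extension. An allow-list of the asset extensions the file manager is meant to hold is the safer shape; failing that, keep one shared class constant and check it strictly in both places, e.g. `const BLOCKED_EXTENSIONS = ['php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar', 'phps', 'inc', 'htaccess'];` with `if (in_array($ext, self::BLOCKED_EXTENSIONS, true)) {`. Separately, the new call `htmlContextCleaner($this->path)` at line 105 is unqualified although the helper was added as a static method of this class (lines 58-64); an unqualified call resolves to a global function, which in this commit only the two views declare and which display() includes only after this argument has already been evaluated, so unless such a global exists elsewhere this should read `self::htmlContextCleaner($this->path)`. Both new guards also rely on redirect() terminating the request; if that helper does not exit, execution falls through to the write below, which is worth confirming.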

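--- a/wolf/plugins/file_manager/i18n/en-message.php
+++ b/wolf/plugins/file_manager/i18n/en-message.php
@@ -41,6 +41,8 @@
 'Modified' => 'Modified',
 'Modify' => 'Modify',
 'No' => 'No',
+'Not allowed to upload files with extension :ext' => 'Not allowed to upload files with extension :ext',
+'Not allowed to rename to :ext' => 'Not allowed to rename to :ext',
 'Permission denied!' => 'Permission denied!',
 'Permissions' => 'Permissions',
 'Provides interface to manage files from the administration.' => 'Provides interface to manage files from the administration.',
@@ -72,4 +74,4 @@
 'unable to retrieve plugin settings.' => 'unable to retrieve plugin settings.',
 'unable to store plugin settings!' => 'unable to store plugin settings!',
 'uninstalled.' => 'uninstalled.'
-);
+);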

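--- a/wolf/plugins/file_manager/views/index.php
+++ b/wolf/plugins/file_manager/views/index.php
@@ -23,16 +23,25 @@
 /* Security measure */
 if (!defined('IN_CMS')) { exit(); }
 
+function htmlContextCleaner($input) {
+$bad_chars = array("<", ">");
+$safe_chars = array("&lt;", "&gt;");
+$output = str_replace($bad_chars, $safe_chars, $input);
+
+return stripslashes($output);
+}
+
 $out = '';
 $progres_path = '';
-$paths = explode('/', $dir);
+$paths = explode('/', $dir);
 $nb_path = count($paths)-1; // -1 to didn't display current dir as a link
 foreach ($paths as $i => $path) {
 if ($i+1 == $nb_path) {
 $out .= $path;
 } else if ($path != '') {
+$path = preg_replace('/.*:\/\/[^\/]+\//', '/', $path);
 $progres_path .= $path.'/';
-$out .= '<a href="'.get_url('plugin/file_manager/browse/'.rtrim($progres_path, '/')).'">'.$path.'</a>/';
+$out .= '<a href="'.get_url('plugin/file_manager/browse/'.rtrim($progres_path, '/')).'">'.htmlContextCleaner($path).'</a>/';
 }
 }
 ?>
@@ -74,23 +83,23 @@
 
 <div class="popup" id="chmod-popup" style="display:none;">
 <h3><?php echo __('Change mode'); ?></h3>
-<form action="<?php echo get_url('plugin/file_manager/chmod'); ?>" method="post">
+<form action="<?php echo get_url('plugin/file_manager/chmod'); ?>" method="post">
 <div>
 <input id="csrf_token" name="csrf_token" type="hidden" value="<?php echo SecureToken::generateToken(BASE_URL.'plugin/file_manager/chmod'); ?>" />
 <input id="chmod_file_name" name="file[name]" type="hidden" value="" />
-<input id="chmod_file_mode" maxlength="4" name="file[mode]" type="text" value="" />
+<input id="chmod_file_mode" maxlength="4" name="file[mode]" type="text" value="" />
 <input id="chmod_file_button" name="commit" type="submit" value="<?php echo __('Change mode'); ?>" />
 </div>
 <p><a class="close-link" href="#" onclick="toggle_chmod_popup(); return false;"><?php echo __('Close'); ?></a></p>
 </form>
 </div>
 <div class="popup" id="rename-popup" style="display:none;">
 <h3><?php echo __('Rename'); ?></h3>
-<form action="<?php echo get_url('plugin/file_manager/rename'); ?>" method="post">
+<form action="<?php echo get_url('plugin/file_manager/rename'); ?>" method="post">
 <div>
 <input id="csrf_token" name="csrf_token" type="hidden" value="<?php echo SecureToken::generateToken(BASE_URL.'plugin/file_manager/rename'); ?>" />
 <input id="rename_file_current_name" name="file[current_name]" type="hidden" value="" />
-<input id="rename_file_new_name" maxlength="50" name="file[new_name]" type="text" value="" />
+<input id="rename_file_new_name" maxlength="50" name="file[new_name]" type="text" value="" />
 <input id="rename_file_button" name="commit" type="submit" value="<?php echo __('Rename'); ?>" />
 </div>
 <p><a class="close-link" href="#" onclick="toggle_rename_popup(); return false;"><?php echo __('Close'); ?></a></p>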
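Review bot: The `preg_replace('/.*:\/\/[^\/]+\//', '/', $path)` added at new line 42 can never match: each `$path` is one element of `explode('/', $dir)` and therefore contains no slash, while the pattern requires a literal `://` and a trailing `/`, so the line is dead code and should be dropped (or, if a scheme prefix is genuinely a concern, applied to `$dir` before the explode). Declaring `function htmlContextCleaner()` inside a view (lines 26-32) is also fragile: views/view.php declares the same global in this commit, so any request that includes both templates aborts with a redeclare fatal, and the helper only neutralises `<` and `>`, leaving `"` and `'` alone even though `$progres_path` built from the same segments goes into the `href` attribute via get_url(). Escaping once at the output site with the builtin, `'">'.htmlspecialchars($path, ENT_QUOTES, 'UTF-8').'</a>/'`, removes the custom function and covers the attribute-breaking characters as well. Note that the final segment at line 40, `$out .= $path;`, is emitted without escaping in this view and is only safe because browse() now hands over an already-cleaned `$dir`; that dependency deserves a comment on the line, e.g. `// $dir is already HTML-escaped by FileManagerController::browse()`.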

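--- a/wolf/plugins/file_manager/views/view.php
+++ b/wolf/plugins/file_manager/views/view.php
@@ -23,16 +23,26 @@
 /* Security measure */
 if (!defined('IN_CMS')) { exit(); }
 
+function htmlContextCleaner($input) {
+$bad_chars = array("<", ">");
+$safe_chars = array("&lt;", "&gt;");
+$output = str_replace($bad_chars, $safe_chars, $input);
+
+return stripslashes($output);
+}
+
+
 $out = '';
 $progres_path = '';
-$paths = explode('/', $filename);
+$paths = explode('/', $filename);
 $nb_path = count($paths);
 foreach ($paths as $i => $path) {
 if ($i+1 == $nb_path) {
 $out .= $path;
 } else {
+$path = preg_replace('/.*:\/\/[^\/]+\//', '/', $path);
 $progres_path .= $path.'/';
-$out .= '<a href="'.get_url('plugin/file_manager/browse/'.rtrim($progres_path, '/')).'">'.$path.'</a>/';
+$out .= '<a href="'.get_url('plugin/file_manager/browse/'.rtrim($progres_path, '/')).'">'.htmlContextCleaner($path).'</a>/';
 }
 }
 ?>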
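Review bot: The last path segment at line 41, `$out .= $path;` (unchanged context), is still written into the page unescaped, and unlike browse() the view() hunk in this commit does not show `$filename` being passed through htmlContextCleaner before it reaches this template, so the displayed file name may hit the markup raw; confirm what view() passes, and escape here regardless with `$out .= htmlspecialchars($path, ENT_QUOTES, 'UTF-8');`. The `preg_replace('/.*:\/\/[^\/]+\//', '/', $path)` added at line 43 can never match, because `$path` is one element of `explode('/', $filename)` and so has no slash while the pattern demands `://` plus a trailing `/`, so it is dead code. Declaring `function htmlContextCleaner()` here (lines 26-32) duplicates the global that views/index.php declares in the same commit; if both templates are ever included in one request PHP aborts on redeclare, so either guard it with `if (!function_exists('htmlContextCleaner')) {` or drop it in favour of htmlspecialchars(), which also escapes the quote characters this helper leaves untouched.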
