+
-
@@ -388,7 +392,7 @@ defined('FM_FILE_EXTENSION') || define('FM_FILE_EXTENSION', $allowed_file_extens
defined('FM_UPLOAD_EXTENSION') || define('FM_UPLOAD_EXTENSION', $allowed_upload_extensions);
defined('FM_EXCLUDE_ITEMS') || define('FM_EXCLUDE_ITEMS', (version_compare(PHP_VERSION, '7.0.0', '<') ? serialize($exclude_items) : $exclude_items));
defined('FM_DOC_VIEWER') || define('FM_DOC_VIEWER', $online_viewer);
-define('FM_READONLY', $use_auth && !empty($readonly_users) && isset($_SESSION[FM_SESSION_ID]['logged']) && in_array($_SESSION[FM_SESSION_ID]['logged'], $readonly_users));
+define('FM_READONLY', $global_readonly || ($use_auth && !empty($readonly_users) && isset($_SESSION[FM_SESSION_ID]['logged']) && in_array($_SESSION[FM_SESSION_ID]['logged'], $readonly_users)));
define('FM_IS_WIN', DIRECTORY_SEPARATOR == '\\');
// always use ?p=
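Review bot: The rewritten FM_READONLY definition still resolves the read-only user with a loose `in_array`, so the membership test that decides whether a logged-in user may modify files depends on PHP's loose comparison rules; pass the strict flag, `in_array($_SESSION[FM_SESSION_ID]['logged'], $readonly_users, true)`. `$global_readonly` is presumably set in the configuration block above this hunk, which is not visible here, so a missing definition would silently evaluate to false and should be confirmed.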
@@ -420,20 +424,21 @@ unset($p, $use_auth, $iconv_input_encoding, $use_highlightjs, $highlightjs_style
/*************************** ACTIONS ***************************/
// AJAX Request
+if (isset($_POST['ajax'], $_POST['token']) && !FM_READONLY) {
+ if(!verifyToken($_POST['token'])) {
+ header('HTTP/1.0 401 Unauthorized');
+ die("Invalid Token.");
+ }
-if (isset($_POST['ajax'])) {
//search : get list of files from the current folder
if(isset($_POST['type']) && $_POST['type']=="search") {
- $dir = FM_ROOT_PATH;
- $response = scan(fm_clean_path($_POST['path']), $_POST['content']);
+ $dir = $_POST['path'] == "." ? '': $_POST['path'];
+ $response = scan(fm_clean_path($dir), $_POST['content']);
echo json_encode($response);
exit();
}
-}
-if (isset($_POST['ajax']) && !FM_READONLY) {
-
- // save
+ // save editor file
if (isset($_POST['type']) && $_POST['type'] == "save") {
// get current path
$path = FM_ROOT_PATH;
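Review bot: Moving the `!FM_READONLY` guard onto the outer `if (isset($_POST['ajax'], $_POST['token']) && !FM_READONLY)` line also gates the search branch, which in the removed code was reachable from the plain `if (isset($_POST['ajax']))` block, so read-only users appear to lose search; if that is unintended, keep the read-only condition on the save branch only. The token failure answers with `die("Invalid Token.")` as plain text while every other branch in this block responds with JSON, so the caller's JSON parse fails instead of receiving a structured error; `echo json_encode(array('status' => 'error', 'info' => 'Invalid Token.')); exit();` after the 401 header keeps the response shape consistent. The enclosing block continues past the end of this hunk.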
@@ -449,7 +454,7 @@ if (isset($_POST['ajax']) && !FM_READONLY) {
$file = str_replace('/', '', $file);
if ($file == '' || !is_file($path . '/' . $file)) {
fm_set_msg(lng('File not found'), 'error');
- fm_redirect(FM_SELF_URL . '?p=' . urlencode(FM_PATH));
+ $FM_PATH=FM_PATH; fm_redirect(FM_SELF_URL . '?p=' . urlencode($FM_PATH));
}
header('X-XSS-Protection:0');
$file_path = $path . '/' . $file;
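Review bot: The rewritten redirect `$FM_PATH=FM_PATH; fm_redirect(FM_SELF_URL . '?p=' . urlencode($FM_PATH));` puts two statements on one line for a temporary that adds nothing over the removed `urlencode(FM_PATH)`; if the temporary is needed for a reason (an interpreter limitation, say), a one-line comment above it should say so, and the statements belong on separate lines. The same rewrite recurs in the hunks at -653, -688, -699, -758, -776, -819, -847, -864, -1013, -1030, -1062, -1088, -1127, -1142 and -1180. Whether the code after the redirect is unreachable depends on fm_redirect terminating the request, which is not visible in this hunk.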
@@ -492,7 +497,7 @@ if (isset($_POST['ajax']) && !FM_READONLY) {
// Save Config
if (isset($_POST['type']) && $_POST['type'] == "settings") {
- global $cfg, $lang, $report_errors, $show_hidden_files, $lang_list, $hide_Cols, $calc_folder, $theme;
+ global $cfg, $lang, $report_errors, $show_hidden_files, $lang_list, $hide_Cols, $theme;
$newLng = $_POST['js-language'];
fm_get_translations([]);
if (!array_key_exists($newLng, $lang_list)) {
@@ -525,10 +530,6 @@ if (isset($_POST['ajax']) && !FM_READONLY) {
$cfg->data['hide_Cols'] = $hco;
$hide_Cols = $hco;
}
- if ($cfg->data['calc_folder'] != $caf) {
- $cfg->data['calc_folder'] = $caf;
- $calc_folder = $caf;
- }
if ($cfg->data['theme'] != $te3) {
$cfg->data['theme'] = $te3;
$theme = $te3;
@@ -635,9 +636,9 @@ if (isset($_POST['ajax']) && !FM_READONLY) {
// Delete file / folder
-if (isset($_GET['del']) && !FM_READONLY) {
+if (isset($_GET['del'], $_POST['token']) && !FM_READONLY) {
$del = str_replace( '/', '', fm_clean_path( $_GET['del'] ) );
- if ($del != '' && $del != '..' && $del != '.') {
+ if ($del != '' && $del != '..' && $del != '.' && verifyToken($_POST['token'])) {
$path = FM_ROOT_PATH;
if (FM_PATH != '') {
$path .= '/' . FM_PATH;
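Review bot: Folding `verifyToken($_POST['token'])` into the name-validity condition means a rejected token falls into the else branch, which (per the next hunk) reports 'Invalid file or folder name', so a CSRF rejection is indistinguishable from a bad filename for both the user and anyone reading logs. Check the token on its own first, e.g. `if (!verifyToken($_POST['token'])) { fm_set_msg(lng('Invalid Token.'), 'error'); $FM_PATH=FM_PATH; fm_redirect(FM_SELF_URL . '?p=' . urlencode($FM_PATH)); }`, and keep the name check as it was. The create-folder hunk at -653 folds the token into its condition the same way and would fall through to 'Invalid characters in file or folder name'. The delete block continues past the end of this hunk.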
@@ -653,19 +654,19 @@ if (isset($_GET['del']) && !FM_READONLY) {
} else {
fm_set_msg(lng('Invalid file or folder name'), 'error');
}
- fm_redirect(FM_SELF_URL . '?p=' . urlencode(FM_PATH));
+ $FM_PATH=FM_PATH; fm_redirect(FM_SELF_URL . '?p=' . urlencode($FM_PATH));
}
// Create folder
-if (isset($_GET['new']) && isset($_GET['type']) && !FM_READONLY) {
- $type = $_GET['type'];
- $new = str_replace( '/', '', fm_clean_path( strip_tags( $_GET['new'] ) ) );
- if (fm_isvalid_filename($new) && $new != '' && $new != '..' && $new != '.') {
+if (isset($_POST['newfilename'], $_POST['newfile'], $_POST['token']) && !FM_READONLY) {
+ $type = $_POST['newfile'];
+ $new = str_replace( '/', '', fm_clean_path( strip_tags( $_POST['newfilename'] ) ) );
+ if (fm_isvalid_filename($new) && $new != '' && $new != '..' && $new != '.' && verifyToken($_POST['token'])) {
$path = FM_ROOT_PATH;
if (FM_PATH != '') {
$path .= '/' . FM_PATH;
}
- if ($_GET['type'] == "file") {
+ if ($type == "file") {
if (!file_exists($path . '/' . $new)) {
if(fm_is_valid_ext($new)) {
@fopen($path . '/' . $new, 'w') or die('Cannot open file: ' . $new);
@@ -688,7 +689,7 @@ if (isset($_GET['new']) && isset($_GET['type']) && !FM_READONLY) {
} else {
fm_set_msg(lng('Invalid characters in file or folder name'), 'error');
}
- fm_redirect(FM_SELF_URL . '?p=' . urlencode(FM_PATH));
+ $FM_PATH=FM_PATH; fm_redirect(FM_SELF_URL . '?p=' . urlencode($FM_PATH));
}
// Copy folder / file
@@ -699,7 +700,7 @@ if (isset($_GET['copy'], $_GET['finish']) && !FM_READONLY) {
// empty path
if ($copy == '') {
fm_set_msg(lng('Source path not defined'), 'error');
- fm_redirect(FM_SELF_URL . '?p=' . urlencode(FM_PATH));
+ $FM_PATH=FM_PATH; fm_redirect(FM_SELF_URL . '?p=' . urlencode($FM_PATH));
}
// abs path from
$from = FM_ROOT_PATH . '/' . $copy;
@@ -758,11 +759,16 @@ if (isset($_GET['copy'], $_GET['finish']) && !FM_READONLY) {
fm_set_msg(lng('Paths must be not equal'), 'alert');
}
}
- fm_redirect(FM_SELF_URL . '?p=' . urlencode(FM_PATH));
+ $FM_PATH=FM_PATH; fm_redirect(FM_SELF_URL . '?p=' . urlencode($FM_PATH));
}
// Mass copy files/ folders
-if (isset($_POST['file'], $_POST['copy_to'], $_POST['finish']) && !FM_READONLY) {
+if (isset($_POST['file'], $_POST['copy_to'], $_POST['finish'], $_POST['token']) && !FM_READONLY) {
+
+ if(!verifyToken($_POST['token'])) {
+ fm_set_msg("Invalid Token.", 'error');
+ }
+
// from
$path = FM_ROOT_PATH;
if (FM_PATH != '') {
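Review bot: The added `if(!verifyToken($_POST['token'])) { fm_set_msg("Invalid Token.", 'error'); }` only records a message and then falls through, so the mass copy still executes with an invalid token and the check does not actually block the request. The same fall-through is added in the rename (-819), download (-847), mass delete (-987), pack (-1013), unpack (-1062) and chmod (-1127) hunks. Each of those checks needs to end the request after setting the message, using the same early-exit idiom the next hunk already uses after 'Paths must be not equal': `$FM_PATH=FM_PATH; fm_redirect(FM_SELF_URL . '?p=' . urlencode($FM_PATH));` — assuming fm_redirect terminates the request, which is not visible here, otherwise an explicit `exit();` is required. The mass-copy block continues past the end of this hunk.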
@@ -776,12 +782,12 @@ if (isset($_POST['file'], $_POST['copy_to'], $_POST['finish']) && !FM_READONLY)
}
if ($path == $copy_to_path) {
fm_set_msg(lng('Paths must be not equal'), 'alert');
- fm_redirect(FM_SELF_URL . '?p=' . urlencode(FM_PATH));
+ $FM_PATH=FM_PATH; fm_redirect(FM_SELF_URL . '?p=' . urlencode($FM_PATH));
}
if (!is_dir($copy_to_path)) {
if (!fm_mkdir($copy_to_path, true)) {
fm_set_msg('Unable to create destination folder', 'error');
- fm_redirect(FM_SELF_URL . '?p=' . urlencode(FM_PATH));
+ $FM_PATH=FM_PATH; fm_redirect(FM_SELF_URL . '?p=' . urlencode($FM_PATH));
}
}
// move?
@@ -819,17 +825,20 @@ if (isset($_POST['file'], $_POST['copy_to'], $_POST['finish']) && !FM_READONLY)
} else {
fm_set_msg(lng('Nothing selected'), 'alert');
}
- fm_redirect(FM_SELF_URL . '?p=' . urlencode(FM_PATH));
+ $FM_PATH=FM_PATH; fm_redirect(FM_SELF_URL . '?p=' . urlencode($FM_PATH));
}
// Rename
-if (isset($_GET['ren'], $_GET['to']) && !FM_READONLY) {
+if (isset($_POST['rename_from'], $_POST['rename_to'], $_POST['token']) && !FM_READONLY) {
+ if(!verifyToken($_POST['token'])) {
+ fm_set_msg("Invalid Token.", 'error');
+ }
// old name
- $old = $_GET['ren'];
+ $old = $_POST['rename_from'];
$old = fm_clean_path($old);
$old = str_replace('/', '', $old);
// new name
- $new = $_GET['to'];
+ $new = $_POST['rename_to'];
$new = fm_clean_path(strip_tags($new));
$new = str_replace('/', '', $new);
// path
@@ -847,11 +856,15 @@ if (isset($_GET['ren'], $_GET['to']) && !FM_READONLY) {
} else {
fm_set_msg(lng('Invalid characters in file name'), 'error');
}
- fm_redirect(FM_SELF_URL . '?p=' . urlencode(FM_PATH));
+ $FM_PATH=FM_PATH; fm_redirect(FM_SELF_URL . '?p=' . urlencode($FM_PATH));
}
// Download
-if (isset($_GET['dl'])) {
+if (isset($_GET['dl'], $_POST['token'])) {
+ if(!verifyToken($_POST['token'])) {
+ fm_set_msg("Invalid Token.", 'error');
+ }
+
$dl = $_GET['dl'];
$dl = fm_clean_path($dl);
$dl = str_replace('/', '', $dl);
@@ -864,12 +877,22 @@ if (isset($_GET['dl'])) {
exit;
} else {
fm_set_msg(lng('File not found'), 'error');
- fm_redirect(FM_SELF_URL . '?p=' . urlencode(FM_PATH));
+ $FM_PATH=FM_PATH; fm_redirect(FM_SELF_URL . '?p=' . urlencode($FM_PATH));
}
}
// Upload
if (!empty($_FILES) && !FM_READONLY) {
+ if(isset($_POST['token'])) {
+ if(!verifyToken($_POST['token'])) {
+ $response = array ('status' => 'error','info' => "Invalid Token.");
+ echo json_encode($response); exit();
+ }
+ } else {
+ $response = array ('status' => 'error','info' => "Token Missing.");
+ echo json_encode($response); exit();
+ }
+
$override_file_name = false;
$chunkIndex = $_POST['dzchunkindex'];
$chunkTotal = $_POST['dztotalchunkcount'];
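Review bot: The two JSON error responses for a missing or invalid token are emitted with the default 200 status, whereas the AJAX hunk at -420 sends `header('HTTP/1.0 401 Unauthorized')` for the same condition, so an upload client that keys success on the HTTP status would treat the rejected chunk as uploaded. Add `http_response_code(403);` (or the same 401 header used above) before each `echo json_encode($response); exit();` so the two paths behave consistently. The upload block continues past the end of this hunk.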
@@ -927,10 +950,16 @@ if (!empty($_FILES) && !FM_READONLY) {
$in = @fopen($tmp_name, "rb");
if ($in) {
while ($buff = fread($in, 4096)) { fwrite($out, $buff); }
+ $response = array (
+ 'status' => 'success',
+ 'info' => "file upload successful",
+ 'fullPath' => $fullPath
+ );
} else {
$response = array (
'status' => 'error',
- 'info' => "failed to open output stream"
+ 'info' => "failed to open output stream",
+ 'errorDetails' => error_get_last()
);
}
@fclose($in);
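Review bot: The added `'errorDetails' => error_get_last()` puts the raw PHP error array, including the server-side file path and line of the failing call, into the JSON returned to the browser, which discloses filesystem layout to whoever can upload. Log it server-side instead, `error_log(json_encode(error_get_last()));`, and keep the response to the generic 'failed to open output stream' message. The new success response also returns `$fullPath`; it is set outside this hunk, and if it holds an absolute server path rather than a path relative to FM_ROOT_PATH the same concern applies.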
@@ -987,7 +1016,12 @@ if (!empty($_FILES) && !FM_READONLY) {
}
// Mass deleting
-if (isset($_POST['group'], $_POST['delete']) && !FM_READONLY) {
+if (isset($_POST['group'], $_POST['delete'], $_POST['token']) && !FM_READONLY) {
+
+ if(!verifyToken($_POST['token'])) {
+ fm_set_msg(lng("Invalid Token."), 'error');
+ }
+
$path = FM_ROOT_PATH;
if (FM_PATH != '') {
$path .= '/' . FM_PATH;
@@ -1013,11 +1047,16 @@ if (isset($_POST['group'], $_POST['delete']) && !FM_READONLY) {
fm_set_msg(lng('Nothing selected'), 'alert');
}
- fm_redirect(FM_SELF_URL . '?p=' . urlencode(FM_PATH));
+ $FM_PATH=FM_PATH; fm_redirect(FM_SELF_URL . '?p=' . urlencode($FM_PATH));
}
// Pack files
-if (isset($_POST['group']) && (isset($_POST['zip']) || isset($_POST['tar'])) && !FM_READONLY) {
+if (isset($_POST['group'], $_POST['token']) && (isset($_POST['zip']) || isset($_POST['tar'])) && !FM_READONLY) {
+
+ if(!verifyToken($_POST['token'])) {
+ fm_set_msg(lng("Invalid Token."), 'error');
+ }
+
$path = FM_ROOT_PATH;
$ext = 'zip';
if (FM_PATH != '') {
@@ -1030,7 +1069,7 @@ if (isset($_POST['group']) && (isset($_POST['zip']) || isset($_POST['tar'])) &&
if (($ext == "zip" && !class_exists('ZipArchive')) || ($ext == "tar" && !class_exists('PharData'))) {
fm_set_msg(lng('Operations with archives are not available'), 'error');
- fm_redirect(FM_SELF_URL . '?p=' . urlencode(FM_PATH));
+ $FM_PATH=FM_PATH; fm_redirect(FM_SELF_URL . '?p=' . urlencode($FM_PATH));
}
$files = $_POST['file'];
@@ -1062,12 +1101,17 @@ if (isset($_POST['group']) && (isset($_POST['zip']) || isset($_POST['tar'])) &&
fm_set_msg(lng('Nothing selected'), 'alert');
}
- fm_redirect(FM_SELF_URL . '?p=' . urlencode(FM_PATH));
+ $FM_PATH=FM_PATH; fm_redirect(FM_SELF_URL . '?p=' . urlencode($FM_PATH));
}
// Unpack
-if (isset($_GET['unzip']) && !FM_READONLY) {
- $unzip = $_GET['unzip'];
+if (isset($_POST['unzip'], $_POST['token']) && !FM_READONLY) {
+
+ if(!verifyToken($_POST['token'])) {
+ fm_set_msg(lng("Invalid Token."), 'error');
+ }
+
+ $unzip = $_POST['unzip'];
$unzip = fm_clean_path($unzip);
$unzip = str_replace('/', '', $unzip);
$isValid = false;
@@ -1088,13 +1132,13 @@ if (isset($_GET['unzip']) && !FM_READONLY) {
if (($ext == "zip" && !class_exists('ZipArchive')) || ($ext == "tar" && !class_exists('PharData'))) {
fm_set_msg(lng('Operations with archives are not available'), 'error');
- fm_redirect(FM_SELF_URL . '?p=' . urlencode(FM_PATH));
+ $FM_PATH=FM_PATH; fm_redirect(FM_SELF_URL . '?p=' . urlencode($FM_PATH));
}
if ($isValid) {
//to folder
$tofolder = '';
- if (isset($_GET['tofolder'])) {
+ if (isset($_POST['tofolder'])) {
$tofolder = pathinfo($zip_path, PATHINFO_FILENAME);
if (fm_mkdir($path . '/' . $tofolder, true)) {
$path .= '/' . $tofolder;
@@ -1127,11 +1171,16 @@ if (isset($_GET['unzip']) && !FM_READONLY) {
} else {
fm_set_msg(lng('File not found'), 'error');
}
- fm_redirect(FM_SELF_URL . '?p=' . urlencode(FM_PATH));
+ $FM_PATH=FM_PATH; fm_redirect(FM_SELF_URL . '?p=' . urlencode($FM_PATH));
}
// Change Perms (not for Windows)
-if (isset($_POST['chmod']) && !FM_READONLY && !FM_IS_WIN) {
+if (isset($_POST['chmod'], $_POST['token']) && !FM_READONLY && !FM_IS_WIN) {
+
+ if(!verifyToken($_POST['token'])) {
+ fm_set_msg(lng("Invalid Token."), 'error');
+ }
+
$path = FM_ROOT_PATH;
if (FM_PATH != '') {
$path .= '/' . FM_PATH;
@@ -1142,7 +1191,7 @@ if (isset($_POST['chmod']) && !FM_READONLY && !FM_IS_WIN) {
$file = str_replace('/', '', $file);
if ($file == '' || (!is_file($path . '/' . $file) && !is_dir($path . '/' . $file))) {
fm_set_msg(lng('File not found'), 'error');
- fm_redirect(FM_SELF_URL . '?p=' . urlencode(FM_PATH));
+ $FM_PATH=FM_PATH; fm_redirect(FM_SELF_URL . '?p=' . urlencode($FM_PATH));
}
$mode = 0;
@@ -1180,7 +1229,7 @@ if (isset($_POST['chmod']) && !FM_READONLY && !FM_IS_WIN) {
fm_set_msg(lng('Permissions not changed'), 'error');
}
- fm_redirect(FM_SELF_URL . '?p=' . urlencode(FM_PATH));
+ $FM_PATH=FM_PATH; fm_redirect(FM_SELF_URL . '?p=' . urlencode($FM_PATH));
}
/*************************** /ACTIONS ***************************/
@@ -1241,7 +1290,7 @@ if (isset($_GET['upload']) && !FM_READONLY) {
return '';
}
?>
-
+
@@ -1258,22 +1307,24 @@ if (isset($_GET['upload']) && !FM_READONLY) {
- :
+ :
-
@@ -1281,7 +1332,7 @@ if (isset($_GET['upload']) && !FM_READONLY) {
-
+
-
+
+