deblan-mirror/tinyfilemanager
deblan-mirror/tinyfilemanager
1
0
Fork 0
mirror of https://github.com/prasathmani/tinyfilemanager synced 2024-05-06 07:43:14 +02:00
Code Issues Projects Releases Wiki Activity

Added - file upload from url #98

Browse source 
Fix: issues to rename files with single quote #105
Fix: Dropzone default timeout 30 seconds #102, #96, #75
Fix:  XSS cross-site attack screen (Chrome) #101
This commit is contained in:
Prasath Mani 2018-12-13 00:38:16 +05:30
parent 1a9bf95920
commit 9fdfdbfe94
1 changed files with 182 additions and 119 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

301
tinyfilemanager.php
View file

@ -319,6 +319,70 @@ if (isset($_POST['ajax']) && !FM_READONLY) {
echo $res;
}
//upload using url
if(isset($_POST['type']) && $_POST['type'] == "upload" && !empty($_REQUEST["uploadurl"])) {
$path = FM_ROOT_PATH;
if (FM_PATH != '') {
$path .= '/' . FM_PATH;
}
$url = !empty($_REQUEST["uploadurl"]) && preg_match("|^http(s)?://.+$|", stripslashes($_REQUEST["uploadurl"])) ? stripslashes($_REQUEST["uploadurl"]) : null;
$use_curl = false;defined("CURLOPT_PROGRESSFUNCTION");
$temp_file = tempnam(sys_get_temp_dir(), "upload-");
$fileinfo = new stdClass();
$fileinfo->name = trim(basename($url), ".\x00..\x20");
function event_callback ($message) {
global $callback;
echo json_encode($message);
}
function get_file_path () {
global $path, $fileinfo, $temp_file;
return $path."/".basename($fileinfo->name);
}
$err = false;
if (!$url) {
$success = false;
} else if ($use_curl) {
@$fp = fopen($temp_file, "w");
@$ch = curl_init($url);
curl_setopt($ch, CURLOPT_NOPROGRESS, false );
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_FILE, $fp);
@$success = curl_exec($ch);
$curl_info = curl_getinfo($ch);
if (!$success) {
$err = array("message" => curl_error($ch));
}
@curl_close($ch);
fclose($fp);
$fileinfo->size = $curl_info["size_download"];
$fileinfo->type = $curl_info["content_type"];
} else {
$ctx = stream_context_create();
@$success = copy($url, $temp_file, $ctx);
if (!$success) {
$err = error_get_last();
}
}
if ($success) {
$success = rename($temp_file, get_file_path());
}
if ($success) {
event_callback(array("done" => $fileinfo));
} else {
unlink($temp_file);
if (!$err) {
$err = array("message" => "Invalid url parameter");
}
event_callback(array("fail" => $err));
}
}
exit();
}
@ -817,25 +881,11 @@ if (isset($_GET['upload']) && !FM_READONLY) {
?>
<link href="https://cdnjs.cloudflare.com/ajax/libs/dropzone/5.5.1/min/dropzone.min.css" rel="stylesheet">
<script src="https://cdnjs.cloudflare.com/ajax/libs/dropzone/5.5.1/min/dropzone.min.js"></script>
<script>
Dropzone.options.fileUploader = {
init: function () {
this.on("sending", function (file) {
let _path = (file.fullPath) ? file.fullPath : file.name;
document.getElementById("fullpath").value = _path
}).on("success", function (res) {
console.log('Upload Status >> ', res.status);
}).on("error", function(file, response) {
alert(response);
});
}
}
</script>
<div class="path">
<div class="card mb-2">
<h6 class="card-header">
<?php echo lng('UploadingFiles') ?>
<i class="fa fa-arrow-circle-o-up"></i> <?php echo lng('UploadingFiles') ?>
&nbsp;&nbsp; <a href="#/upload-url" class="js-url-upload"><i class="fa fa-link"></i> Upload from URL</a>
<a href="?p=<?php echo FM_PATH ?>" class="float-right"><i class="fa fa-chevron-circle-left go-back"></i> <?php echo lng('Back')?></a>
</h6>
<div class="card-body">
@ -850,9 +900,39 @@ if (isset($_GET['upload']) && !FM_READONLY) {
<input name="file" type="file" multiple/>
</div>
</form>
<div class="upload-url-wrapper" style="display: none;">
<form id="js-form-url-upload" class="form-inline" onsubmit="return upload_from_url(this);" method="POST" action="">
<input type="hidden" name="type" value="upload" aria-label="hidden" aria-hidden="true">
<input type="url" placeholder="URL" name="uploadurl" required class="form-control" style="width: 80%">
<button type="submit" class="btn btn-primary ml-3"><?php echo lng('Upload') ?></button>
<div class="lds-facebook"><div></div><div></div><div></div></div>
</form>
<div id="js-url-upload__list" class="col-12 mt-3"></div>
</div>
</div>
</div>
</div>
<script src="https://cdnjs.cloudflare.com/ajax/libs/dropzone/5.5.1/min/dropzone.min.js"></script>
<script>
Dropzone.options.fileUploader = {
timeout: 120000,
init: function () {
this.on("sending", function (file, xhr, formData) {
let _path = (file.fullPath) ? file.fullPath : file.name;
document.getElementById("fullpath").value = _path;
xhr.ontimeout = (() => {
alert('Error: Server Timeout');
});
}).on("success", function (res) {
console.log('Upload Status >> ', res.status);
}).on("error", function(file, response) {
alert(response);
});
}
}
</script>
<?php
fm_show_footer();
exit;
@ -1262,7 +1342,7 @@ if (isset($_GET['edit'])) {
fm_set_msg('File not found', 'error');
fm_redirect(FM_SELF_URL . '?p=' . urlencode(FM_PATH));
}
header('X-XSS-Protection:0');
fm_show_header(); // HEADER
fm_show_nav_path(FM_PATH); // current path
@ -1506,7 +1586,7 @@ $all_files_size = 0;
<?php endif; ?>
<td class="inline-actions"><?php if (!FM_READONLY): ?>
<a title="<?php echo lng('Delete')?>" href="?p=<?php echo urlencode(FM_PATH) ?>&amp;del=<?php echo urlencode($f) ?>" onclick="return confirm('Delete folder?');"><i class="fa fa-trash-o" aria-hidden="true"></i></a>
<a title="<?php echo lng('Rename')?>" href="#" onclick="rename('<?php echo fm_enc(FM_PATH) ?>', '<?php echo fm_enc($f) ?>');return false;"><i class="fa fa-pencil-square-o" aria-hidden="true"></i></a>
<a title="<?php echo lng('Rename')?>" href="#" onclick="rename('<?php echo fm_enc(FM_PATH) ?>', '<?php echo fm_enc(addslashes($f)) ?>');return false;"><i class="fa fa-pencil-square-o" aria-hidden="true"></i></a>
<a title="<?php echo lng('CopyTo')?>..." href="?p=&amp;copy=<?php echo urlencode(trim(FM_PATH . '/' . $f, '/')) ?>"><i class="fa fa-files-o" aria-hidden="true"></i></a>
<?php endif; ?>
<a title="<?php echo lng('DirectLink')?>" href="<?php echo fm_enc(FM_ROOT_URL . (FM_PATH != '' ? '/' . FM_PATH : '') . '/' . $f . '/') ?>" target="_blank"><i class="fa fa-link" aria-hidden="true"></i></a>
@ -1556,7 +1636,7 @@ $all_files_size = 0;
<td class="inline-actions">
<?php if (!FM_READONLY): ?>
<a title="<?php echo lng('Delete') ?>" href="?p=<?php echo urlencode(FM_PATH) ?>&amp;del=<?php echo urlencode($f) ?>" onclick="return confirm('Delete file?');"><i class="fa fa-trash-o"></i></a>
<a title="<?php echo lng('Rename') ?>" href="#" onclick="rename('<?php echo fm_enc(FM_PATH) ?>', '<?php echo fm_enc($f) ?>');return false;"><i class="fa fa-pencil-square-o"></i></a>
<a title="<?php echo lng('Rename') ?>" href="#" onclick="rename('<?php echo fm_enc(FM_PATH) ?>', '<?php echo fm_enc(addslashes($f)) ?>');return false;"><i class="fa fa-pencil-square-o"></i></a>
<a title="<?php echo lng('CopyTo') ?>..."
href="?p=<?php echo urlencode(FM_PATH) ?>&amp;copy=<?php echo urlencode(trim(FM_PATH . '/' . $f, '/')) ?>"><i class="fa fa-files-o"></i></a>
<?php endif; ?>
@ -2953,6 +3033,43 @@ global $lang;
-webkit-box-shadow: none !important;
box-shadow: none !important;
}
.lds-facebook {
display: none;
position: relative;
width: 64px;
height: 64px;
}
.lds-facebook.show-me { display: inline-block;}
.lds-facebook div {
display: inline-block;
position: absolute;
left: 6px;
width: 13px;
background: #007bff;
animation: lds-facebook 1.2s cubic-bezier(0, 0.5, 0.5, 1) infinite;
}
.lds-facebook div:nth-child(1) {
left: 6px;
animation-delay: -0.24s;
}
.lds-facebook div:nth-child(2) {
left: 26px;
animation-delay: -0.12s;
}
.lds-facebook div:nth-child(3) {
left: 45px;
animation-delay: 0;
}
@keyframes lds-facebook {
0% {
top: 6px;
height: 51px;
}
50%, 100% {
top: 19px;
height: 26px;
}
}
</style>
</head>
<body>
@ -3011,52 +3128,23 @@ global $lang;
* @param path {String}
*/
function newfolder(e) {
var t = document.getElementById("newfilename").value,
n = document.querySelector('input[name="newfile"]:checked').value;
var t = document.getElementById("newfilename").value, n = document.querySelector('input[name="newfile"]:checked').value;
null !== t && "" !== t && n && (window.location.hash = "#", window.location.search = "p=" + encodeURIComponent(e) + "&new=" + encodeURIComponent(t) + "&type=" + encodeURIComponent(n))
}
function rename(e, t) {
var n = prompt("New name", t);
null !== n && "" !== n && n != t && (window.location.search = "p=" + encodeURIComponent(e) + "&ren=" + encodeURIComponent(t) + "&to=" + encodeURIComponent(n))
}
function change_checkboxes(e, t) {
for (var n = e.length - 1; n >= 0; n--) e[n].checked = "boolean" == typeof t ? t : !e[n].checked
}
function get_checkboxes() {
for (var e = document.getElementsByName("file[]"), t = [], n = e.length - 1; n >= 0; n--) (e[n].type = "checkbox") && t.push(e[n]); return t
}
function select_all() {
change_checkboxes(get_checkboxes(), !0)
}
function unselect_all() {
change_checkboxes(get_checkboxes(), !1)
}
function invert_all() {
change_checkboxes(get_checkboxes())
}
function checkbox_toggle() {
var e = get_checkboxes();
e.push(this), change_checkboxes(e)
}
/**
* Create file backup with .bck
*/
function backup(e, t) {
function rename(e, t) {var n = prompt("New name", t);null !== n && "" !== n && n != t && (window.location.search = "p=" + encodeURIComponent(e) + "&ren=" + encodeURIComponent(t) + "&to=" + encodeURIComponent(n))}
function change_checkboxes(e, t) { for (var n = e.length - 1; n >= 0; n--) e[n].checked = "boolean" == typeof t ? t : !e[n].checked }
function get_checkboxes() { for (var e = document.getElementsByName("file[]"), t = [], n = e.length - 1; n >= 0; n--) (e[n].type = "checkbox") && t.push(e[n]); return t }
function select_all() { change_checkboxes(get_checkboxes(), !0) }
function unselect_all() { change_checkboxes(get_checkboxes(), !1) }
function invert_all() { change_checkboxes(get_checkboxes()) }
function checkbox_toggle() { var e = get_checkboxes(); e.push(this), change_checkboxes(e) }
function backup(e, t) { //Create file backup with .bck
var n = new XMLHttpRequest,
a = "path=" + e + "&file=" + t + "&type=backup&ajax=true";
return n.open("POST", "", !0), n.setRequestHeader("Content-type", "application/x-www-form-urlencoded"), n.onreadystatechange = function () {
4 == n.readyState && 200 == n.status && alert(n.responseText)
}, n.send(a), !1
}
//Save file
function edit_save(e, t) {
var n = "ace" == t ? editor.getSession().getValue() : document.getElementById("normal-editor").value;
@ -3069,10 +3157,7 @@ global $lang;
o.appendChild(c), a.appendChild(o), document.body.appendChild(a), a.submit()
}
}
/**
* Get latest release from git repo
*/
//Get latest release from git repo
function latest_release_info() {
$.getJSON("https://api.github.com/repos/prasathmani/tinyfilemanager/releases/latest").done(function(release) {
if(release) {
@ -3084,72 +3169,56 @@ global $lang;
}
});
}
/**
* Save Settings
* @param Object $this
*/
//Save Settings
function save_settings($this) {
let form = $($this);
$.ajax({
type: form.attr('method'),
url: form.attr('action'),
data: form.serialize()+"&ajax="+true,
success: function (data) {
if(data) {
window.location.reload();
}
}
});
return false;
type: form.attr('method'), url: form.attr('action'), data: form.serialize()+"&ajax="+true,
success: function (data) {if(data) { window.location.reload();}}
}); return false;
}
/**
* Create new password hash
* @param Object $this
*/
//Create new password hash
function new_password_hash($this) {
let form = $($this);
let $pwd = $("#js-pwd-result");
$pwd.val('');
let form = $($this), $pwd = $("#js-pwd-result"); $pwd.val('');
$.ajax({
type: form.attr('method'),
url: form.attr('action'),
data: form.serialize()+"&ajax="+true,
type: form.attr('method'), url: form.attr('action'), data: form.serialize()+"&ajax="+true,
success: function (data) { if(data) { $pwd.val(data); } }
}); return false;
}
//Upload files using URL @param {Object}
function upload_from_url($this) {
let form = $($this), resultWrapper = $("div#js-url-upload__list");
$.ajax({
type: form.attr('method'), url: form.attr('action'), data: form.serialize()+"&ajax="+true,
beforeSend: function() { form.find("input[name=uploadurl]").attr("disabled","disabled"); form.find("button").hide(); form.find(".lds-facebook").addClass('show-me'); },
success: function (data) {
if(data) {
$pwd.val(data);
data = JSON.parse(data);
if(data.done) {
resultWrapper.append('<div class="alert alert-success row">Uploaded Successful: '+data.done.name+'</div>'); form.find("input[name=uploadurl]").val('');
} else if(data['fail']) { resultWrapper.append('<div class="alert alert-danger row">Error: '+data.fail.message+'</div>'); }
form.find("input[name=uploadurl]").removeAttr("disabled");form.find("button").show();form.find(".lds-facebook").removeClass('show-me');
}
},
error: function(xhr) {
form.find("input[name=uploadurl]").removeAttr("disabled");form.find("button").show();form.find(".lds-facebook").removeClass('show-me');console.error(xhr);
}
});
return false;
}); return false;
}
/**
* jQuery Document Ready Event
*/
// Dom Ready Event
$(document).ready( function () {
//dataTable init
var $table = $('#main-table'),
tableLng = $table.find('th').length,
_targets = (tableLng && tableLng == 7 ) ? [0, 4,5,6] : tableLng == 5 ? [0,4] : [3],
mainTable = $('#main-table').DataTable({
"paging": false,
"info": false,
"columnDefs": [
{
"targets": _targets,
"orderable": false
}
]
mainTable = $('#main-table').DataTable({"paging": false, "info": false, "columnDefs": [{"targets": _targets, "orderable": false}]
});
/**
* Search using custom input box
*/
$('#search-addon').on( 'keyup', function () {
$('#search-addon').on( 'keyup', function () { //Search using custom input box
mainTable.search( this.value ).draw();
});
$("a.js-url-upload").on("click", function(e){ //upload using URL
e.preventDefault(); $("#fileUploader").hide(); $("div.upload-url-wrapper").show();
});
});
</script>
<?php if (isset($_GET['view']) && FM_USE_HIGHLIGHTJS): ?>
@ -3164,14 +3233,10 @@ global $lang;
//editor.setTheme("ace/theme/twilight"); //Dark Theme
function ace_commend (cmd) { editor.commands.exec(cmd, editor); }
editor.commands.addCommands([{
name: 'save',
bindKey: {win: 'Ctrl-S', mac: 'Command-S'},
exec: function(editor) {
edit_save(this, 'ace');
}
name: 'save', bindKey: {win: 'Ctrl-S', mac: 'Command-S'},
exec: function(editor) { edit_save(this, 'ace'); }
},{
name: 'goToNo',
bindKey: {win: 'Ctrl-G', mac: 'Command-G'},
name: 'goToNo', bindKey: {win: 'Ctrl-G', mac: 'Command-G'},
exec: function(editor) {
let x = parseInt(prompt("Enter a Line Number [1 - "+editor.session.getLength()+"]", "1"), 10);
editor.gotoLine(x);
@ -3198,15 +3263,13 @@ global $lang;
});
$("select#js-ace-mode, select#js-ace-theme").on("change", function(e){
e.preventDefault();
let selectedValue = $(this).val();
let selectionType = $(this).attr("data-type");
let selectedValue = $(this).val(), selectionType = $(this).attr("data-type");
if(selectedValue && selectionType == "mode") {
editor.getSession().setMode(selectedValue);
} else if(selectedValue && selectionType == "theme") {
editor.setTheme(selectedValue);
}
});
</script>
<?php endif; ?>
</body>
@ -3275,7 +3338,7 @@ function lng($txt) {
$tr['en']['NewItem'] = 'New Item'; $tr['en']['Folder'] = 'Folder';
$tr['en']['Delete'] = 'Delete'; $tr['en']['Rename'] = 'Rename';
$tr['en']['CopyTo'] = 'Copy to'; $tr['en']['DirectLink'] = 'Direct link';
$tr['en']['UploadingFiles'] = 'Uploading files'; $tr['en']['ChangePermissions'] = 'Change Permissions';
$tr['en']['UploadingFiles'] = 'Upload Files'; $tr['en']['ChangePermissions'] = 'Change Permissions';
$tr['en']['Copying'] = 'Copying'; $tr['en']['CreateNewItem'] = 'Create New Item';
$tr['en']['Name'] = 'Name'; $tr['en']['AdvancedEditor'] = 'Advanced Editor';
$tr['en']['RememberMe'] = 'Remember Me'; $tr['en']['Actions'] = 'Actions';