diff --git a/README.md b/README.md
index ac6189e..2ea8f54 100644
--- a/README.md
+++ b/README.md
@@ -55,7 +55,7 @@ To enable/disable authentication set `$use_auth` to true or false.
 - :cd: Open Source, light and extremely simple
 - :iphone: Mobile friendly view for touch devices
-- :information_source: Basic features likes Create, Delete, Modify, View, Download, Copy and Move files
+- :information_source: Basic features likes Create, Delete, Modify, View, Quick View, Download, Copy and Move files
 - :arrow_double_up: Ajax Upload, Ability to drag & drop, upload from URL, multiple files upload and file extensions filter
 - :file_folder: Ability to create folders and files
 - :gift: Ability to compress, extract files (`zip`, `tar`)
@@ -74,10 +74,7 @@ To enable/disable authentication set `$use_auth` to true or false.
 - Available under the [GNU license](https://github.com/prasathmani/tinyfilemanager/blob/master/LICENSE)
 - Original concept and development by github.com/alexantr/filemanager
-- CDN Used - _jQuery, Bootstrap, Font Awesome, Highlight js, ace js, DropZone js, DataTable js_
+- CDN Used - _jQuery, Bootstrap, Font Awesome, Highlight js, ace js, DropZone js, ekko-lightbox js, and DataTable js_
 - To report a bug or request a feature, please file an [issue](https://github.com/prasathmani/tinyfilemanager/issues)
-- We hope our tools will be helpful for you. If you find Tiny File Manager useful for your personal or commercial projects, Help me out for a couple of
-[![Beerpay](https://beerpay.io/prasathmani/tinyfilemanager/badge.svg?style=flat-square)](https://beerpay.io/prasathmani/tinyfilemanager)
-
diff --git a/tinyfilemanager.php b/tinyfilemanager.php
index 2b53818..b08f8e5 100644
--- a/tinyfilemanager.php
+++ b/tinyfilemanager.php
@@ -3,13 +3,13 @@ $CONFIG = '{"lang":"en","error_reporting":false,"show_hidden":false}';
 /**
- * H3K | Tiny File Manager V2.3.4
+ * H3K | Tiny File Manager V2.3.5
 * CCP Programmers | ccpprogrammers@gmail.com
 * https://tinyfilemanager.github.io
 */
 //TFM version
-define('VERSION', '2.3.4');
+define('VERSION', '2.3.5');
 // Auth with login/password (set true/false to enable/disable it)
 $use_auth = true;
@@ -1958,6 +1958,27 @@ function fm_redirect($url, $code = 302)
 exit;
 }
+/**
+ * Path traversal prevention and clean the url
+ * It replaces (consecutive) occurrences of / and \\ with whatever is in DIRECTORY_SEPARATOR, and processes /. and /.. fine.
+ * @param $path
+ * @return string
+ */
+function get_absolute_path($path) {
+ $path = str_replace(array('/', '\\'), DIRECTORY_SEPARATOR, $path);
+ $parts = array_filter(explode(DIRECTORY_SEPARATOR, $path), 'strlen');
+ $absolutes = array();
+ foreach ($parts as $part) {
+ if ('.' == $part) continue;
+ if ('..' == $part) {
+ array_pop($absolutes);
+ } else {
+ $absolutes[] = $part;
+ }
+ }
+ return implode(DIRECTORY_SEPARATOR, $absolutes);
+}
+
 /**
 * Clean path
 * @param string $path
@@ -1968,6 +1989,7 @@ function fm_clean_path($path)
 $path = trim($path);
 $path = trim($path, '\\/');
 $path = str_replace(array('../', '..\\'), '', $path);
+ $path = get_absolute_path($path);
 if ($path == '..') {
 $path = '';
 }
@@ -3237,7 +3259,7 @@ $isStickyNavBar = $sticky_navbar ? 'navbar-fixed' : 'navbar-normal';
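Review bot: get_absolute_path is a purely lexical normalization: a `..` that would climb above the first segment is silently discarded by `array_pop` on an empty array, and symbolic links are not resolved, so if the result is later joined to a base directory a `realpath()` containment check against that base is still needed before any filesystem call, and this hunk does not show one. The docblock should state that contract instead of `@param $path`, e.g. `@param string $path  relative path to normalize (lexical only: '.' and '..' collapsed, '..' above the root dropped, no symlink resolution)`. Because empty segments are filtered out with `strlen`, a leading separator is also dropped and the function always returns a relative path, which the name "absolute" does not suggest; a one-line comment on the `array_filter` call would save a reader from assuming otherwise. The two loose comparisons should be strict, `if ('.' === $part) continue;` and `if ('..' === $part) {`, since exact segment matching is what is intended.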
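Review bot: After the added `$path = get_absolute_path($path);`, the following `if ($path == '..')` branch can no longer trigger, because get_absolute_path pops every `..` component and never returns one, so that check is now dead code and should either be removed or carry a comment saying normalization already covers it. The preceding single-pass `str_replace(array('../', '..\\'), '', $path)` is likewise subsumed: a one-shot strip is not idempotent and can itself leave new `../` sequences behind, which is exactly what the lexical normalization now handles, so keeping only the get_absolute_path call would make the intent clearer and avoid two overlapping mechanisms that must be reasoned about together. fm_clean_path's signature is in the hunk header and its body continues past the hunk, so any later handling of `$path` is not visible here.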