Fix for path traversal vulnerability, reported by - @hhc0null/Hiroki MATSUKUMA
This commit is contained in:
parent
b546ac168e
commit
ae971c8b99
|
@ -55,7 +55,7 @@ To enable/disable authentication set `$use_auth` to true or false.
|
||||||
|
|
||||||
- :cd: Open Source, light and extremely simple
|
- :cd: Open Source, light and extremely simple
|
||||||
- :iphone: Mobile friendly view for touch devices
|
- :iphone: Mobile friendly view for touch devices
|
||||||
- :information_source: Basic features likes Create, Delete, Modify, View, Download, Copy and Move files
|
- :information_source: Basic features likes Create, Delete, Modify, View, Quick View, Download, Copy and Move files
|
||||||
- :arrow_double_up: Ajax Upload, Ability to drag & drop, upload from URL, multiple files upload and file extensions filter
|
- :arrow_double_up: Ajax Upload, Ability to drag & drop, upload from URL, multiple files upload and file extensions filter
|
||||||
- :file_folder: Ability to create folders and files
|
- :file_folder: Ability to create folders and files
|
||||||
- :gift: Ability to compress, extract files (`zip`, `tar`)
|
- :gift: Ability to compress, extract files (`zip`, `tar`)
|
||||||
|
@ -74,10 +74,7 @@ To enable/disable authentication set `$use_auth` to true or false.
|
||||||
|
|
||||||
- Available under the [GNU license](https://github.com/prasathmani/tinyfilemanager/blob/master/LICENSE)
|
- Available under the [GNU license](https://github.com/prasathmani/tinyfilemanager/blob/master/LICENSE)
|
||||||
- Original concept and development by github.com/alexantr/filemanager
|
- Original concept and development by github.com/alexantr/filemanager
|
||||||
- CDN Used - _jQuery, Bootstrap, Font Awesome, Highlight js, ace js, DropZone js, DataTable js_
|
- CDN Used - _jQuery, Bootstrap, Font Awesome, Highlight js, ace js, DropZone js, ekko-lightbox js, and DataTable js_
|
||||||
- To report a bug or request a feature, please file an [issue](https://github.com/prasathmani/tinyfilemanager/issues)
|
- To report a bug or request a feature, please file an [issue](https://github.com/prasathmani/tinyfilemanager/issues)
|
||||||
- We hope our tools will be helpful for you. If you find Tiny File Manager useful for your personal or commercial projects, Help me out for a couple of
|
|
||||||
[![Beerpay](https://beerpay.io/prasathmani/tinyfilemanager/badge.svg?style=flat-square)](https://beerpay.io/prasathmani/tinyfilemanager)
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -3,13 +3,13 @@
|
||||||
$CONFIG = '{"lang":"en","error_reporting":false,"show_hidden":false}';
|
$CONFIG = '{"lang":"en","error_reporting":false,"show_hidden":false}';
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* H3K | Tiny File Manager V2.3.4
|
* H3K | Tiny File Manager V2.3.5
|
||||||
* CCP Programmers | ccpprogrammers@gmail.com
|
* CCP Programmers | ccpprogrammers@gmail.com
|
||||||
* https://tinyfilemanager.github.io
|
* https://tinyfilemanager.github.io
|
||||||
*/
|
*/
|
||||||
|
|
||||||
//TFM version
|
//TFM version
|
||||||
define('VERSION', '2.3.4');
|
define('VERSION', '2.3.5');
|
||||||
|
|
||||||
// Auth with login/password (set true/false to enable/disable it)
|
// Auth with login/password (set true/false to enable/disable it)
|
||||||
$use_auth = true;
|
$use_auth = true;
|
||||||
|
@ -1958,6 +1958,27 @@ function fm_redirect($url, $code = 302)
|
||||||
exit;
|
exit;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Path traversal prevention and clean the url
|
||||||
|
* It replaces (consecutive) occurrences of / and \\ with whatever is in DIRECTORY_SEPARATOR, and processes /. and /.. fine.
|
||||||
|
* @param $path
|
||||||
|
* @return string
|
||||||
|
*/
|
||||||
|
function get_absolute_path($path) {
|
||||||
|
$path = str_replace(array('/', '\\'), DIRECTORY_SEPARATOR, $path);
|
||||||
|
$parts = array_filter(explode(DIRECTORY_SEPARATOR, $path), 'strlen');
|
||||||
|
$absolutes = array();
|
||||||
|
foreach ($parts as $part) {
|
||||||
|
if ('.' == $part) continue;
|
||||||
|
if ('..' == $part) {
|
||||||
|
array_pop($absolutes);
|
||||||
|
} else {
|
||||||
|
$absolutes[] = $part;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return implode(DIRECTORY_SEPARATOR, $absolutes);
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Clean path
|
* Clean path
|
||||||
* @param string $path
|
* @param string $path
|
||||||
|
@ -1968,6 +1989,7 @@ function fm_clean_path($path)
|
||||||
$path = trim($path);
|
$path = trim($path);
|
||||||
$path = trim($path, '\\/');
|
$path = trim($path, '\\/');
|
||||||
$path = str_replace(array('../', '..\\'), '', $path);
|
$path = str_replace(array('../', '..\\'), '', $path);
|
||||||
|
$path = get_absolute_path($path);
|
||||||
if ($path == '..') {
|
if ($path == '..') {
|
||||||
$path = '';
|
$path = '';
|
||||||
}
|
}
|
||||||
|
@ -3237,7 +3259,7 @@ $isStickyNavBar = $sticky_navbar ? 'navbar-fixed' : 'navbar-normal';
|
||||||
<script>
|
<script>
|
||||||
$(document).on('click', '[data-toggle="lightbox"]', function(event) {
|
$(document).on('click', '[data-toggle="lightbox"]', function(event) {
|
||||||
event.preventDefault();
|
event.preventDefault();
|
||||||
var reInitHighlight = function() { if(typeof isHighlightingEnabled !== "undefined" && isHighlightingEnabled) { setTimeout(function () { $('.ekko-lightbox-container pre code').each(function (i, e) { hljs.highlightBlock(e) }); }, 111); } };
|
var reInitHighlight = function() { if(typeof isHighlightingEnabled !== "undefined" && isHighlightingEnabled) { setTimeout(function () { $('.ekko-lightbox-container pre code').each(function (i, e) { hljs.highlightBlock(e) }); }, 555); } };
|
||||||
$(this).ekkoLightbox({
|
$(this).ekkoLightbox({
|
||||||
alwaysShowClose: true,
|
alwaysShowClose: true,
|
||||||
showArrows: true,
|
showArrows: true,
|
||||||
|
|
|
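Review bot: get_absolute_path, added in the hunk at `@ -1958,6 +1958,27 @@`, is a purely lexical normaliser that never touches the filesystem, so a symlink inside the managed root can still resolve outside it; the new `$path = get_absolute_path($path);` in fm_clean_path makes the `..` handling sound but callers that open, move or delete files still need a `realpath()`-against-root check at the point of use. With that call in place, the preceding `$path = str_replace(array('../', '..\\'), '', $path);` and the following `if ($path == '..')` branch can no longer change the outcome (every `..` segment is consumed by `array_pop`, so the function never returns `..`), and they should be dropped or annotated as belt-and-braces so the next reader does not mistake them for the fix. The docblock also oversells the result: `array_filter(..., 'strlen')` discards the empty segment produced by a leading separator, so the function returns a root-relative path rather than an absolute one; suggest rewording the first docblock line to `* Lexically normalises a path: collapses separators, resolves . and .. segments without touching the filesystem, and returns a root-relative path (leading separators are dropped).` Prefer `'.' === $part` and `'..' === $part` over `==` to keep the comparisons strict. fm_clean_path's body continues outside the hunk.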
@ -1,6 +1,6 @@
|
||||||
{
|
{
|
||||||
"appName": "Tiny File Manager",
|
"appName": "Tiny File Manager",
|
||||||
"version": "2.3.4",
|
"version": "2.3.5",
|
||||||
"language": [
|
"language": [
|
||||||
{
|
{
|
||||||
"name": "русский",
|
"name": "русский",
|
||||||
|
|