Fix for path traversal vulnerability, reported by - @hhc0null/Hiroki MATSUKUMA
This commit is contained in:
parent
b546ac168e
commit
ae971c8b99
@ -55,7 +55,7 @@ To enable/disable authentication set `$use_auth` to true or false.
|
|||
|
||||
- :cd: Open Source, light and extremely simple
|
||||
- :iphone: Mobile friendly view for touch devices
|
||||
- :information_source: Basic features likes Create, Delete, Modify, View, Download, Copy and Move files
|
||||
- :information_source: Basic features likes Create, Delete, Modify, View, Quick View, Download, Copy and Move files
|
||||
- :arrow_double_up: Ajax Upload, Ability to drag & drop, upload from URL, multiple files upload and file extensions filter
|
||||
- :file_folder: Ability to create folders and files
|
||||
- :gift: Ability to compress, extract files (`zip`, `tar`)
|
||||
|
@ -74,10 +74,7 @@ To enable/disable authentication set `$use_auth` to true or false.
|
|||
|
||||
- Available under the [GNU license](https://github.com/prasathmani/tinyfilemanager/blob/master/LICENSE)
|
||||
- Original concept and development by github.com/alexantr/filemanager
|
||||
- CDN Used - _jQuery, Bootstrap, Font Awesome, Highlight js, ace js, DropZone js, DataTable js_
|
||||
- CDN Used - _jQuery, Bootstrap, Font Awesome, Highlight js, ace js, DropZone js, ekko-lightbox js, and DataTable js_
|
||||
- To report a bug or request a feature, please file an [issue](https://github.com/prasathmani/tinyfilemanager/issues)
|
||||
- We hope our tools will be helpful for you. If you find Tiny File Manager useful for your personal or commercial projects, Help me out for a couple of
|
||||
[![Beerpay](https://beerpay.io/prasathmani/tinyfilemanager/badge.svg?style=flat-square)](https://beerpay.io/prasathmani/tinyfilemanager)
|
||||
|
||||
|
||||
|
||||
|
|
|
@ -3,13 +3,13 @@
|
|||
$CONFIG = '{"lang":"en","error_reporting":false,"show_hidden":false}';
|
||||
|
||||
/**
|
||||
* H3K | Tiny File Manager V2.3.4
|
||||
* H3K | Tiny File Manager V2.3.5
|
||||
* CCP Programmers | ccpprogrammers@gmail.com
|
||||
* https://tinyfilemanager.github.io
|
||||
*/
|
||||
|
||||
//TFM version
|
||||
define('VERSION', '2.3.4');
|
||||
define('VERSION', '2.3.5');
|
||||
|
||||
// Auth with login/password (set true/false to enable/disable it)
|
||||
$use_auth = true;
|
||||
|
@ -1958,6 +1958,27 @@ function fm_redirect($url, $code = 302)
|
|||
exit;
|
||||
}
|
||||
|
||||
/**
|
||||
* Path traversal prevention and clean the url
|
||||
* It replaces (consecutive) occurrences of / and \\ with whatever is in DIRECTORY_SEPARATOR, and processes /. and /.. fine.
|
||||
* @param $path
|
||||
* @return string
|
||||
*/
|
||||
function get_absolute_path($path) {
|
||||
$path = str_replace(array('/', '\\'), DIRECTORY_SEPARATOR, $path);
|
||||
$parts = array_filter(explode(DIRECTORY_SEPARATOR, $path), 'strlen');
|
||||
$absolutes = array();
|
||||
foreach ($parts as $part) {
|
||||
if ('.' == $part) continue;
|
||||
if ('..' == $part) {
|
||||
array_pop($absolutes);
|
||||
} else {
|
||||
$absolutes[] = $part;
|
||||
}
|
||||
}
|
||||
return implode(DIRECTORY_SEPARATOR, $absolutes);
|
||||
}
|
||||
|
||||
/**
|
||||
* Clean path
|
||||
* @param string $path
|
||||
|
@ -1968,6 +1989,7 @@ function fm_clean_path($path)
|
|||
$path = trim($path);
|
||||
$path = trim($path, '\\/');
|
||||
$path = str_replace(array('../', '..\\'), '', $path);
|
||||
$path = get_absolute_path($path);
|
||||
if ($path == '..') {
|
||||
$path = '';
|
||||
}
|
||||
|
@ -3237,7 +3259,7 @@ $isStickyNavBar = $sticky_navbar ? 'navbar-fixed' : 'navbar-normal';
|
|||
<script>
|
||||
$(document).on('click', '[data-toggle="lightbox"]', function(event) {
|
||||
event.preventDefault();
|
||||
var reInitHighlight = function() { if(typeof isHighlightingEnabled !== "undefined" && isHighlightingEnabled) { setTimeout(function () { $('.ekko-lightbox-container pre code').each(function (i, e) { hljs.highlightBlock(e) }); }, 111); } };
|
||||
var reInitHighlight = function() { if(typeof isHighlightingEnabled !== "undefined" && isHighlightingEnabled) { setTimeout(function () { $('.ekko-lightbox-container pre code').each(function (i, e) { hljs.highlightBlock(e) }); }, 555); } };
|
||||
$(this).ekkoLightbox({
|
||||
alwaysShowClose: true,
|
||||
showArrows: true,
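Review bot: The new get_absolute_path() is a purely lexical normaliser — it splits on DIRECTORY_SEPARATOR, drops empty and `.` segments and pops one element per `..` — so it never consults the filesystem and cannot see through symlinks, and because the strlen filter also discards leading separators it returns a root-relative path rather than the absolute one its name and `@return` docblock imply. I would make that explicit so nobody treats it as the whole defence: replace the `Path traversal prevention and clean the url` line with `* Lexical normalisation only (no realpath()): collapses separators, drops empty/"." segments and pops ".."; symlinks are not resolved, so the code that joins the result with the configured root must still check that the resolved path stays under that root.` Whether such a containment check exists at the join points is outside this hunk and should be confirmed. Two smaller things: the `'.' == $part` / `'..' == $part` comparisons should use `===`, and in the fm_clean_path hunk the retained `if ($path == '..')` guard is now unreachable because get_absolute_path() turns a lone `..` into `''`; fm_clean_path's signature and the rest of its body lie outside the hunk.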
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
{
|
||||
"appName": "Tiny File Manager",
|
||||
"version": "2.3.4",
|
||||
"version": "2.3.5",
|
||||
"language": [
|
||||
{
|
||||
"name": "русский",
|
||||
|
|