fm_get_file_mimes() was causing errors for unknown extensions as it was causing an error as array element was not defined and return value was never checked. According to https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types/Common_types and several other resources, application/octet-stream is the default value for all other cases. An unknown file type should use this type. I put a check in there to use that by default so a valid value is always returned.
It might be useful to replace this function with the built-in PHP function mime_content_type() but that adds some additional dependencies as it does not always work out of the box with PHP.
Added in the preferences option to change the light or dark theme,
Now to change the theme will be in the preferences / settings area, along with other settings, and may even have other themes in the future.
Added error checking and message for when file fails to write on the server side. Before this change if a write failed on the server side it would still present the user with a misleading "Saved Successfully" Message.
Eliminates the following PHP warnings when error reporting is turned on:
Notice: A non well formed numeric value encountered in tinyfilemanager.php on line 2443
Notice: A non well formed numeric value encountered in tinyfilemanager.php on line 2444
This happens because PHP floor and round are expecting a (float), not an (int).
* Added optional configuration file loading
* First commit of optional configuration file
This file is OPTIONAL.
If this file is not present in your webserver, tinyfilemanager will works with its internal configuration.
* removed define
define is not a configuration
* feat(/): add support user customized config file (if exists)
* Show current process ID in Status bar + Make fm_get_filesize function much more concise (#245)
* Update Simplified Chinese (#241)
* Feature Font Size Choose Options / Bug Fix Settings not visible in auth=false (#240)
* Bug fix and PR #245, #241, #240
Co-authored-by: 刘明野 <898310895@qq.com>
Co-authored-by: B Bharath Kumar Reddy <39063133+bbharathkumarreddy@users.noreply.github.com>
Co-authored-by: Prasath Mani <prasath.mani@publicissapient.com>
Co-authored-by: Prasath Mani <prasathmani@users.noreply.github.com>
* Fix the RCE vuln via Upload from URL
This commit attemps to fix the Remote Code Execution
(authenticated) via Upload from URL. Some notes about
the proposed solution:
* A new function (fm_is_file_allowed) has been created to
validate if the filename is allowed. This function gets the
the filename as parameter and returns true if it validates
as allowed. Otherwise returns false (the default).
* It's better to have such validatation(s) in one place
instead of spread all over the code. There are other places in
the application where the filename is validated and they should
all be refactored to call this function. Then we can focus
all needed validations in one place only!
NOTE: This refactoring was not done - the only goal was to fix
this security vulnerability only.
* The fm_is_file_allowed() function validates the filename
based on its extension only. No other validatation(s) have been
implemented in this commit.
* File extensions are assumed to be case-insensitive.
For example, php == PHP == Php == PhP, etc. This is consitent
with some web servers. Without this, the user will have to populate
the $allowed_extensions with all possible allowed combinations.
* Although, there is one drawback to the current solution, which
is that all files must have an extension to be uploaded. This is not
consitent with modern filesystems. Maybe a better solution would be
to automatically append an extension to the filename if no
extension has been found (e.g., .html or .txt which are generally
considered to be harmless). This must be decided by the
application's maintainers.
* Fix the RCE vulns via new/rename file
Sanitize the arguments to stat using escapeshellarg()
Co-authored-by: Jorge Morgado <jorge@morgado.ch>
Setting $hide_Cols=true while having FM_IS_WIN=false will lead to a "Type error" when setting up the dataTable. The desired page is generated, but the Search function does not work, as the dataTable is broken.
With this fix the dataTable is written accordingly, with either FM_IS_WIN or $hide_Cols set or unset.
FastCGI sent in stderr: "PHP message: PHP Warning: Use of undefined constant online_viewer - assumed 'online_viewer' (this will throw an Error in a future version of PHP) in /www/admin/index.php on line 1383
view file is insecure #187
Get files size (recursive) #186
There is no possibility for translation for some hints (title =) #185
View dirSize instead of word "Folder" #184
Document type detection #183
Stored Cross-site Scripting (XSS) Vulnerability detected in File Names #180
strings in code #177
Remove tracking #164
* Add Arabic Translation
* add some keywords and handling Fixed keywords [untranslated]
* add new translation words
* improve existing translation words
* Add Simplified Chinese support
And distinguish it from Traditional Chinese.
* Add two fields for translation.
* Add two fields for translation.
* Translated.
Added new Translation JSON file
New languages added - Spanish, German, Thailand and Chinese
Removed languages from tinyfilemanager.php file
Updated IDE languages and themes
