9a499734c5
* Fix the RCE vuln via Upload from URL

This commit attempts to fix the Remote Code Execution (authenticated) via Upload from URL. Some notes about the proposed solution:

* A new function (fm_is_file_allowed) has been created to validate if the filename is allowed. This function gets the filename as parameter and returns true if it validates as allowed. Otherwise returns false (the default).
* It's better to have such validation(s) in one place instead of spread all over the code. There are other places in the application where the filename is validated and they should all be refactored to call this function. Then we can focus all needed validations in one place only! NOTE: This refactoring was not done - the only goal was to fix this security vulnerability only.
* The fm_is_file_allowed() function validates the filename based on its extension only. No other validation(s) have been implemented in this commit.
* File extensions are assumed to be case-insensitive. For example, php == PHP == Php == PhP, etc. This is consistent with some web servers. Without this, the user will have to populate the $allowed_extensions with all possible allowed combinations.
* There is, however, one drawback to the current solution, which is that all files must have an extension to be uploaded. This is not consistent with modern filesystems. Maybe a better solution would be to automatically append an extension to the filename if no extension has been found (e.g., .html or .txt which are generally considered to be harmless). This must be decided by the application's maintainers.

* Fix the RCE vulns via new/rename file

Sanitize the arguments to stat using escapeshellarg()

Co-authored-by: Jorge Morgado <jorge@morgado.ch>
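The extension allowlist and the escapeshellarg() quoting that the commit message describes, written out as an added example; this is not the project's own code. The $allowed_extensions array, the fm_stat_command() helper and the sample file names are assumptions made for illustration.

```php
<?php
// Added example, not Tiny File Manager's own implementation.
// $allowed_extensions is an assumed configuration array; the project's
// real list may differ.
$allowed_extensions = ['jpg', 'png', 'gif', 'txt', 'html'];

/**
 * Return true only when the file's extension is on the allowlist.
 * - Matching is case-insensitive (php == PHP == PhP), as the commit notes.
 * - A name with no extension ("README", "file.") is rejected; the commit
 *   message lists this as a known drawback of the extension-only approach.
 * - Only the last path component and its final extension are examined,
 *   which is the "extension only" scope the commit describes.
 */
function fm_is_file_allowed(string $filename, array $allowed): bool
{
    $base = basename(str_replace('\\', '/', $filename));
    $dot  = strrpos($base, '.');
    // No dot, or a trailing dot, means the file has no usable extension.
    if ($dot === false || $dot === strlen($base) - 1) {
        return false;
    }
    $ext = strtolower(substr($base, $dot + 1));
    $allowedLower = array_map('strtolower', $allowed);
    return in_array($ext, $allowedLower, true);
}

/**
 * The commit's second fix: when a user-supplied path reaches a shell
 * command, quote it with escapeshellarg() so shell metacharacters in the
 * name are passed as data, not interpreted. Hypothetical helper name.
 */
function fm_stat_command(string $path): string
{
    return 'stat ' . escapeshellarg($path);
}

// Constructed sample names for demonstration.
$samples = ['photo.JPG', 'notes.txt', 'upload.php', 'README', 'dir/index.PhP'];
foreach ($samples as $name) {
    printf("%-15s %s\n", $name,
        fm_is_file_allowed($name, $allowed_extensions) ? 'allowed' : 'rejected');
}
// Quoting keeps the whole (odd) name as a single stat argument.
echo fm_stat_command('weird name; id.txt'), "\n";
```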
Tiny File Manager
Tiny File Manager is a simple, fast and small web-based file manager: a single-file, multi-language ready web application for storing, editing and managing files and folders online via a web browser. The application runs on PHP 5.5+, has built-in support for editing text files with the Cloud9 IDE, and supports syntax highlighting for 150+ languages and 35+ themes.
Demo
Login Details : admin/admin@123 | user/12345
Documents
TinyFileManager.github.io | Password Generator
Requirements
- PHP 5.5.0 or higher.
- Fileinfo, iconv, zip, tar and mbstring extensions are strongly recommended.
How to use
Download a ZIP of the latest version from the master branch.
Just copy tinyfilemanager.php to your webspace, that's all. You can also rename "tinyfilemanager.php" to something else if you prefer.
Default username/password: admin/admin@123 and user/12345.
Warning: set your own username and password in $auth_users before use. Passwords are stored as password_hash() hashes; to generate a new password hash, see here.
To enable/disable authentication, set $use_auth to true or false.
Supported constants:
- FM_ROOT_PATH - default is $_SERVER['DOCUMENT_ROOT']
- FM_ROOT_URL - default is 'http(s)://site.domain/'
- FM_SELF_URL - default is 'http(s)://site.domain/' . $_SERVER['PHP_SELF']
- FM_ICONV_INPUT_ENC - default is 'CP1251'
- FM_USE_HIGHLIGHTJS - default is true
- FM_HIGHLIGHTJS_STYLE - default is 'vs'
- FM_DATETIME_FORMAT - default is 'd.m.y H:i'
- FM_EXTENSION - default is "" (allowed upload file extensions)
📢 Features
- 💿 Open Source, light and extremely simple
- 📱 Mobile friendly view for touch devices
- ℹ️ Basic features like Create, Delete, Modify, View, Quick View, Download, Copy and Move files
- ⏫ Ajax Upload, Ability to drag & drop, upload from URL, multiple files upload and file extensions filter
- 📁 Ability to create folders and files
- 🎁 Ability to compress, extract files (zip, tar)
- 😎 Support user permissions - based on session and each user root folder mapping
- 💾 Copy direct file URL
- ✏️ Cloud9 IDE - Syntax highlighting for 150+ languages, 35+ themes with your favorite programming style
- 📄 Google/Microsoft doc viewer helps you preview PDF/DOC/XLS/PPT/etc. Files up to 25 MB can be previewed with the Google Drive viewer
- ⚡ Backup files and IP white and blacklisting
- 🔎 Search - Search and Sorting using datatable js
- 📁 Exclude folders from listing
- 🌐 Multi-language support (English, Spanish, French, Italian, German, Russian, Thai, Chinese and more...) for translations; the translation.json file is required
- ‼️ lots more...
License, Credit
- Available under the GNU license
- Original concept and development by github.com/alexantr/filemanager
- CDN Used - jQuery, Bootstrap, Font Awesome, Highlight js, ace js, DropZone js, ekko-lightbox js, and DataTable js
- To report a bug or request a feature, please file an issue