Fix security issues #525 and #526

This commit is contained in:
Prasath Mani 2021-04-22 13:41:35 +05:30
parent 03c3f6d7f9
commit a04567d3ba
4 changed files with 122 additions and 102 deletions


@ -38,7 +38,7 @@ Default username/password: **admin/admin@123** and **user/12345**.
To enable/disable authentication set `$use_auth` to true or false. To enable/disable authentication set `$use_auth` to true or false.
:information_source: The default configuration will be loaded from `config.php`, it is an additional configuration file, Feel free to remove completely this file and configure "tinyfilemanager.php" as a single file application. :information_source: Rename the `config-sample.php` file into `config.php` to use configuration, it is an additional configuration file, Feel free to remove completely this file and configure "tinyfilemanager.php" as a single file application.
### :loudspeaker: Features ### :loudspeaker: Features


@ -2,7 +2,7 @@
/* /*
################################################################################################################# #################################################################################################################
This is an OPTIONAL configuration file. This is an OPTIONAL configuration file. rename this file into config.php to use this configuration
The role of this file is to make updating of "tinyfilemanager.php" easier. The role of this file is to make updating of "tinyfilemanager.php" easier.
So you can: So you can:
-Feel free to remove completely this file and configure "tinyfilemanager.php" as a single file application. -Feel free to remove completely this file and configure "tinyfilemanager.php" as a single file application.
@ -85,7 +85,7 @@ $favicon_path = '';
// Files and folders to excluded from listing // Files and folders to excluded from listing
// e.g. array('myfile.html', 'personal-folder', '*.php', ...) // e.g. array('myfile.html', 'personal-folder', '*.php', ...)
$exclude_items = array(); $exclude_items = array('');
// Online office Docs Viewer // Online office Docs Viewer
// Availabe rules are 'google', 'microsoft' or false // Availabe rules are 'google', 'microsoft' or false


@ -3,13 +3,13 @@
$CONFIG = '{"lang":"en","error_reporting":false,"show_hidden":false,"hide_Cols":false,"calc_folder":false}'; $CONFIG = '{"lang":"en","error_reporting":false,"show_hidden":false,"hide_Cols":false,"calc_folder":false}';
/** /**
* H3K | Tiny File Manager V2.4.4 * H3K | Tiny File Manager V2.4.5
* CCP Programmers | ccpprogrammers@gmail.com * CCP Programmers | ccpprogrammers@gmail.com
* https://tinyfilemanager.github.io * https://tinyfilemanager.github.io
*/ */
//TFM version //TFM version
define('VERSION', '2.4.4'); define('VERSION', '2.4.5');
//Application Title //Application Title
define('APP_TITLE', 'Tiny File Manager'); define('APP_TITLE', 'Tiny File Manager');
@ -526,16 +526,6 @@ if (isset($_POST['ajax']) && !FM_READONLY) {
$path .= '/' . FM_PATH; $path .= '/' . FM_PATH;
} }
$url = !empty($_REQUEST["uploadurl"]) && preg_match("|^http(s)?://.+$|", stripslashes($_REQUEST["uploadurl"])) ? stripslashes($_REQUEST["uploadurl"]) : null;
$use_curl = false;
$temp_file = tempnam(sys_get_temp_dir(), "upload-");
$fileinfo = new stdClass();
$fileinfo->name = trim(basename($url), ".\x00..\x20");
$allowed = (FM_UPLOAD_EXTENSION) ? explode(',', FM_UPLOAD_EXTENSION) : false;
$ext = strtolower(pathinfo($fileinfo->name, PATHINFO_EXTENSION));
$isFileAllowed = ($allowed) ? in_array($ext, $allowed) : true;
function event_callback ($message) { function event_callback ($message) {
global $callback; global $callback;
echo json_encode($message); echo json_encode($message);
@ -546,6 +536,28 @@ if (isset($_POST['ajax']) && !FM_READONLY) {
return $path."/".basename($fileinfo->name); return $path."/".basename($fileinfo->name);
} }
$url = !empty($_REQUEST["uploadurl"]) && preg_match("|^http(s)?://.+$|", stripslashes($_REQUEST["uploadurl"])) ? stripslashes($_REQUEST["uploadurl"]) : null;
//prevent 127.* domain and known ports
$domain = parse_url($url, PHP_URL_HOST);
$port = parse_url($url, PHP_URL_PORT);
$knownPorts = [22, 23, 25, 3306];
if (preg_match("/^localhost$|^127(?:\.[0-9]+){0,2}\.[0-9]+$|^(?:0*\:)*?:?0*1$/i", $domain) || in_array($port, $knownPorts)) {
$err = array("message" => "URL is not allowed");
event_callback(array("fail" => $err));
exit();
}
$use_curl = false;
$temp_file = tempnam(sys_get_temp_dir(), "upload-");
$fileinfo = new stdClass();
$fileinfo->name = trim(basename($url), ".\x00..\x20");
$allowed = (FM_UPLOAD_EXTENSION) ? explode(',', FM_UPLOAD_EXTENSION) : false;
$ext = strtolower(pathinfo($fileinfo->name, PATHINFO_EXTENSION));
$isFileAllowed = ($allowed) ? in_array($ext, $allowed) : true;
$err = false; $err = false;
if(!$isFileAllowed) { if(!$isFileAllowed) {
@ -855,6 +867,14 @@ if (!empty($_FILES) && !FM_READONLY) {
$ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION)); $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
$isFileAllowed = ($allowed) ? in_array($ext, $allowed) : true; $isFileAllowed = ($allowed) ? in_array($ext, $allowed) : true;
if(!fm_isvalid_filename($filename) && !fm_isvalid_filename($_REQUEST['fullpath'])) {
$response = array (
'status' => 'error',
'info' => "Invalid File name!",
);
echo json_encode($response); exit();
}
$targetPath = $path . $ds; $targetPath = $path . $ds;
if ( is_writable($targetPath) ) { if ( is_writable($targetPath) ) {
$fullPath = $path . '/' . $_REQUEST['fullpath']; $fullPath = $path . '/' . $_REQUEST['fullpath'];
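Review bot: The new filename guard in the second hunk rejects the request only when both `$filename` and `$_REQUEST['fullpath']` fail `fm_isvalid_filename`, because the two checks are joined with `&&`; a valid `$filename` combined with an invalid `fullpath` still reaches `$fullPath = $path . '/' . $_REQUEST['fullpath'];`, which is the value actually used to build the target path. Unless `fullpath` is meant to carry a relative directory for folder uploads (in which case each path segment should be validated separately), the condition should read `if(!fm_isvalid_filename($filename) || !fm_isvalid_filename($_REQUEST['fullpath'])) {`. In the first hunk, the loopback check is a string match on the hostname returned by `parse_url`, so it does not cover names that resolve to loopback or private addresses, nor a redirect issued by the fetched URL; resolving the host and validating the result with `filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)` would be the defensive follow-up, and the port test should be strict, `in_array($port, $knownPorts, true)`. Both enclosing blocks (the `ajax` handler and the `$_FILES` handler) start and end outside the hunks.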


@ -1,6 +1,6 @@
{ {
"appName": "Tiny File Manager", "appName": "Tiny File Manager",
"version": "2.4.3", "version": "2.4.5",
"language": [ "language": [
{ {
"name": "Norsk", "name": "Norsk",
@ -80,9 +80,9 @@
"You are logged in": "Du er innlogget", "You are logged in": "Du er innlogget",
"Login failed. Invalid username or password": "Innlogging feilet. Feil brukernavn eller passord", "Login failed. Invalid username or password": "Innlogging feilet. Feil brukernavn eller passord",
"password_hash not supported, Upgrade PHP version": "password_hash er ikke støttet, venligst oppdater PHP versjonen" "password_hash not supported, Upgrade PHP version": "password_hash er ikke støttet, venligst oppdater PHP versjonen"
} }
}, { },
{
"name": "فارسی", "name": "فارسی",
"code": "Fa", "code": "Fa",
"translation": { "translation": {