Fix security issues #525 and #526

Prasath Mani 2021-04-22 13:41:35 +05:30
parent 03c3f6d7f9
commit a04567d3ba
4 changed files with 122 additions and 102 deletions


@ -38,7 +38,7 @@ Default username/password: **admin/admin@123** and **user/12345**.
To enable/disable authentication set `$use_auth` to true or false. To enable/disable authentication set `$use_auth` to true or false.
:information_source: The default configuration will be loaded from `config.php`, it is an additional configuration file, Feel free to remove completely this file and configure "tinyfilemanager.php" as a single file application. :information_source: Rename the `config-sample.php` file into `config.php` to use configuration, it is an additional configuration file, Feel free to remove completely this file and configure "tinyfilemanager.php" as a single file application.
### :loudspeaker: Features ### :loudspeaker: Features


@ -2,7 +2,7 @@
/* /*
################################################################################################################# #################################################################################################################
This is an OPTIONAL configuration file. This is an OPTIONAL configuration file. rename this file into config.php to use this configuration
The role of this file is to make updating of "tinyfilemanager.php" easier. The role of this file is to make updating of "tinyfilemanager.php" easier.
So you can: So you can:
-Feel free to remove completely this file and configure "tinyfilemanager.php" as a single file application. -Feel free to remove completely this file and configure "tinyfilemanager.php" as a single file application.
@ -85,7 +85,7 @@ $favicon_path = '';
// Files and folders to excluded from listing // Files and folders to excluded from listing
// e.g. array('myfile.html', 'personal-folder', '*.php', ...) // e.g. array('myfile.html', 'personal-folder', '*.php', ...)
$exclude_items = array(); $exclude_items = array('');
// Online office Docs Viewer // Online office Docs Viewer
// Availabe rules are 'google', 'microsoft' or false // Availabe rules are 'google', 'microsoft' or false
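Review bot: The new-side default `$exclude_items = array('');` holds a single empty-string entry rather than "no exclusions", which reads as a typo for `$exclude_items = array();`. Unless the matching code gives an empty pattern special meaning (that code is not in this diff), the empty entry is a no-op that every reader will have to reason about; if it is deliberate, a one-line comment saying why would help.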


@ -3,13 +3,13 @@
$CONFIG = '{"lang":"en","error_reporting":false,"show_hidden":false,"hide_Cols":false,"calc_folder":false}'; $CONFIG = '{"lang":"en","error_reporting":false,"show_hidden":false,"hide_Cols":false,"calc_folder":false}';
/** /**
* H3K | Tiny File Manager V2.4.4 * H3K | Tiny File Manager V2.4.5
* CCP Programmers | ccpprogrammers@gmail.com * CCP Programmers | ccpprogrammers@gmail.com
* https://tinyfilemanager.github.io * https://tinyfilemanager.github.io
*/ */
//TFM version //TFM version
define('VERSION', '2.4.4'); define('VERSION', '2.4.5');
//Application Title //Application Title
define('APP_TITLE', 'Tiny File Manager'); define('APP_TITLE', 'Tiny File Manager');
@ -526,17 +526,7 @@ if (isset($_POST['ajax']) && !FM_READONLY) {
$path .= '/' . FM_PATH; $path .= '/' . FM_PATH;
} }
$url = !empty($_REQUEST["uploadurl"]) && preg_match("|^http(s)?://.+$|", stripslashes($_REQUEST["uploadurl"])) ? stripslashes($_REQUEST["uploadurl"]) : null; function event_callback ($message) {
$use_curl = false;
$temp_file = tempnam(sys_get_temp_dir(), "upload-");
$fileinfo = new stdClass();
$fileinfo->name = trim(basename($url), ".\x00..\x20");
$allowed = (FM_UPLOAD_EXTENSION) ? explode(',', FM_UPLOAD_EXTENSION) : false;
$ext = strtolower(pathinfo($fileinfo->name, PATHINFO_EXTENSION));
$isFileAllowed = ($allowed) ? in_array($ext, $allowed) : true;
function event_callback ($message) {
global $callback; global $callback;
echo json_encode($message); echo json_encode($message);
} }
@ -546,6 +536,28 @@ if (isset($_POST['ajax']) && !FM_READONLY) {
return $path."/".basename($fileinfo->name); return $path."/".basename($fileinfo->name);
} }
$url = !empty($_REQUEST["uploadurl"]) && preg_match("|^http(s)?://.+$|", stripslashes($_REQUEST["uploadurl"])) ? stripslashes($_REQUEST["uploadurl"]) : null;
//prevent 127.* domain and known ports
$domain = parse_url($url, PHP_URL_HOST);
$port = parse_url($url, PHP_URL_PORT);
$knownPorts = [22, 23, 25, 3306];
if (preg_match("/^localhost$|^127(?:\.[0-9]+){0,2}\.[0-9]+$|^(?:0*\:)*?:?0*1$/i", $domain) || in_array($port, $knownPorts)) {
$err = array("message" => "URL is not allowed");
event_callback(array("fail" => $err));
exit();
}
$use_curl = false;
$temp_file = tempnam(sys_get_temp_dir(), "upload-");
$fileinfo = new stdClass();
$fileinfo->name = trim(basename($url), ".\x00..\x20");
$allowed = (FM_UPLOAD_EXTENSION) ? explode(',', FM_UPLOAD_EXTENSION) : false;
$ext = strtolower(pathinfo($fileinfo->name, PATHINFO_EXTENSION));
$isFileAllowed = ($allowed) ? in_array($ext, $allowed) : true;
$err = false; $err = false;
if(!$isFileAllowed) { if(!$isFileAllowed) {
@ -855,6 +867,14 @@ if (!empty($_FILES) && !FM_READONLY) {
$ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION)); $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
$isFileAllowed = ($allowed) ? in_array($ext, $allowed) : true; $isFileAllowed = ($allowed) ? in_array($ext, $allowed) : true;
if(!fm_isvalid_filename($filename) && !fm_isvalid_filename($_REQUEST['fullpath'])) {
$response = array (
'status' => 'error',
'info' => "Invalid File name!",
);
echo json_encode($response); exit();
}
$targetPath = $path . $ds; $targetPath = $path . $ds;
if ( is_writable($targetPath) ) { if ( is_writable($targetPath) ) {
$fullPath = $path . '/' . $_REQUEST['fullpath']; $fullPath = $path . '/' . $_REQUEST['fullpath'];
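Review bot: The new filename guard in the `$_FILES` hunk rejects the request only when both `$filename` and `$_REQUEST['fullpath']` fail `fm_isvalid_filename`, so an invalid `fullpath` with a valid `$filename` still reaches `$fullPath = $path . '/' . $_REQUEST['fullpath']` on the last line; the condition should be `if(!fm_isvalid_filename($filename) || !fm_isvalid_filename($_REQUEST['fullpath'])) {`. Because `fullpath` is what forms the write target, a missing key should also count as invalid instead of raising a notice, e.g. validating `$_REQUEST['fullpath'] ?? ''`, assuming fm_isvalid_filename rejects an empty string (its body is not in this diff). In the upload-by-URL hunk the host check is a loopback-only regex: parse_url keeps the square brackets on an IPv6 literal so that alternative never matches, private and link-local ranges are not covered, and `in_array($port, $knownPorts)` is non-strict; resolving the host and rejecting it via `filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)` (or an allow-list of permitted hosts) would be a more robust check, and if the later fetch follows redirects the same check must apply to each hop. Both enclosing `if` blocks start and end outside their hunks.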


@ -1,6 +1,6 @@
{ {
"appName": "Tiny File Manager", "appName": "Tiny File Manager",
"version": "2.4.3", "version": "2.4.5",
"language": [ "language": [
{ {
"name": "Norsk", "name": "Norsk",
@ -80,9 +80,9 @@
"You are logged in": "Du er innlogget", "You are logged in": "Du er innlogget",
"Login failed. Invalid username or password": "Innlogging feilet. Feil brukernavn eller passord", "Login failed. Invalid username or password": "Innlogging feilet. Feil brukernavn eller passord",
"password_hash not supported, Upgrade PHP version": "password_hash er ikke støttet, venligst oppdater PHP versjonen" "password_hash not supported, Upgrade PHP version": "password_hash er ikke støttet, venligst oppdater PHP versjonen"
} }
}, { },
{
"name": "فارسی", "name": "فارسی",
"code": "Fa", "code": "Fa",
"translation": { "translation": {
@ -550,7 +550,7 @@
"Change": "Ändern", "Change": "Ändern",
"Settings": "Einstellungen", "Settings": "Einstellungen",
"Language": "Sprache", "Language": "Sprache",
"You are logged in": "Du bist eingeloggt.", "You are logged in": "Du bist eingeloggt.",
"Login failed. Invalid username or password": "Login fehlgeschlagen. Falscher Benutzername oder Passwort.", "Login failed. Invalid username or password": "Login fehlgeschlagen. Falscher Benutzername oder Passwort.",
"password_hash not supported, Upgrade PHP version": "password_hash wird nicht unterstützt, aktualisiere die PHP-Version" "password_hash not supported, Upgrade PHP version": "password_hash wird nicht unterstützt, aktualisiere die PHP-Version"
} }
@ -754,19 +754,19 @@
"enable": "開啟", "enable": "開啟",
"disable": "關閉", "disable": "關閉",
"ErrorReporting": "錯誤報告", "ErrorReporting": "錯誤報告",
"Help": "幫助", "Help": "幫助",
"ShowHiddenFiles": "顯示隱藏的檔案", "ShowHiddenFiles": "顯示隱藏的檔案",
"HideColumns": "不顯示權限以及擁有者", "HideColumns": "不顯示權限以及擁有者",
"CalculateFolderSize": "顯示資料夾大小", "CalculateFolderSize": "顯示資料夾大小",
"Help Documents": "幫助文件", "Help Documents": "幫助文件",
"Report Issue": "回報問題", "Report Issue": "回報問題",
"Check Latest Version": "檢查最新版本", "Check Latest Version": "檢查最新版本",
"Generate new password hash": "建立新的密碼 Hash 函數", "Generate new password hash": "建立新的密碼 Hash 函數",
"Generate": "建立", "Generate": "建立",
"FullSize": "所有檔案容量", "FullSize": "所有檔案容量",
"MemoryUsed": "使用的記憶體大小", "MemoryUsed": "使用的記憶體大小",
"PartitionSize" : "剩餘可用空間", "PartitionSize": "剩餘可用空間",
"FreeOf": "硬碟容量:" "FreeOf": "硬碟容量:"
} }
}, },
{ {
@ -1449,75 +1449,75 @@
"FreeOf": "voľné z" "FreeOf": "voľné z"
} }
}, },
{ {
"name": "Suomi", "name": "Suomi",
"code": "fi", "code": "fi",
"translation": { "translation": {
"AppName": "Tiny File Manager", "AppName": "Tiny File Manager",
"AppTitle": "File Manager", "AppTitle": "File Manager",
"Login": "Kirjautuminen", "Login": "Kirjautuminen",
"Username": "Käyttäjänimi", "Username": "Käyttäjänimi",
"Password": "Salasana", "Password": "Salasana",
"Logout": "Kirjaudu ulos", "Logout": "Kirjaudu ulos",
"Move": "Siirrä", "Move": "Siirrä",
"Copy": "Kopioi", "Copy": "Kopioi",
"Save": "Tallenna", "Save": "Tallenna",
"SelectAll": "Valitse kaikki", "SelectAll": "Valitse kaikki",
"UnSelectAll": "Poista valinnat", "UnSelectAll": "Poista valinnat",
"File": "Tiedosto", "File": "Tiedosto",
"Back": "Takaisin", "Back": "Takaisin",
"Size": "Koko", "Size": "Koko",
"Perms": "Oikeudet", "Perms": "Oikeudet",
"Modified": "Muokattu", "Modified": "Muokattu",
"Owner": "Omistaja", "Owner": "Omistaja",
"Search": "Haku", "Search": "Haku",
"NewItem": "Luo uusi...", "NewItem": "Luo uusi...",
"Folder": "Kansio", "Folder": "Kansio",
"Delete": "Poista", "Delete": "Poista",
"Rename": "Nimeä uudelleen", "Rename": "Nimeä uudelleen",
"CopyTo": "Kopioi kohteeseen", "CopyTo": "Kopioi kohteeseen",
"DirectLink": "Suora linkki", "DirectLink": "Suora linkki",
"UploadingFiles": "Siirrä tiedostoja", "UploadingFiles": "Siirrä tiedostoja",
"ChangePermissions": "Muuta oikeuksia", "ChangePermissions": "Muuta oikeuksia",
"Copying": "Kopioidaan", "Copying": "Kopioidaan",
"CreateNewItem": "Luo uusi tiedosto tai kansio", "CreateNewItem": "Luo uusi tiedosto tai kansio",
"Name": "Nimi", "Name": "Nimi",
"AdvancedEditor": "Edistynyt editori", "AdvancedEditor": "Edistynyt editori",
"RememberMe": "Muista minut", "RememberMe": "Muista minut",
"Actions": "Toiminnot", "Actions": "Toiminnot",
"Upload": "Vie", "Upload": "Vie",
"Cancel": "Peruuta", "Cancel": "Peruuta",
"InvertSelection": "Vaihda valinta", "InvertSelection": "Vaihda valinta",
"DestinationFolder": "Kohdekansio", "DestinationFolder": "Kohdekansio",
"ItemType": "Tiedoston tyyppi", "ItemType": "Tiedoston tyyppi",
"ItemName": "Nimi", "ItemName": "Nimi",
"CreateNow": "Luo nyt", "CreateNow": "Luo nyt",
"Download": "Lataa", "Download": "Lataa",
"Open": "Avaa", "Open": "Avaa",
"UnZip": "Pura", "UnZip": "Pura",
"UnZipToFolder": "Pura kansioon", "UnZipToFolder": "Pura kansioon",
"Edit": "Muokkaa", "Edit": "Muokkaa",
"NormalEditor": "Editori", "NormalEditor": "Editori",
"BackUp": "Varmuuskopioi", "BackUp": "Varmuuskopioi",
"SourceFolder": "Kohdekansio", "SourceFolder": "Kohdekansio",
"Files": "Tiedostot", "Files": "Tiedostot",
"Change": "Vaihda", "Change": "Vaihda",
"Settings": "Asetukset", "Settings": "Asetukset",
"Language": "Kieli", "Language": "Kieli",
"MemoryUsed": "Muistia käytetty", "MemoryUsed": "Muistia käytetty",
"PartitionSize": "Osion koko", "PartitionSize": "Osion koko",
"ErrorReporting": "Virheraportit", "ErrorReporting": "Virheraportit",
"ShowHiddenFiles": "Näytä piilotiedostot", "ShowHiddenFiles": "Näytä piilotiedostot",
"Preview": "Esikatsele", "Preview": "Esikatsele",
"Help": "Apua", "Help": "Apua",
"FullSize": "Täysikokoinen", "FullSize": "Täysikokoinen",
"FreeOf": "Vapaana", "FreeOf": "Vapaana",
"CalculateFolderSize": "Laske kansion koko", "CalculateFolderSize": "Laske kansion koko",
"CheckLatestVersion": "Tarkista päivitykset", "CheckLatestVersion": "Tarkista päivitykset",
"Generate new password hash": "Luo uusi salasana-hash", "Generate new password hash": "Luo uusi salasana-hash",
"HideColumns": "Piilota oikeudet-/omistaja-sarakkeet" "HideColumns": "Piilota oikeudet-/omistaja-sarakkeet"
} }
}, },
{ {
"name": "한국어", "name": "한국어",
"code": "ko", "code": "ko",