mirror of
https://github.com/prasathmani/tinyfilemanager
synced 2024-05-09 17:16:38 +02:00
Security fix #357
Download file causes timeout #353 Download Restart @ 88% #312 download large file issues #259 File upload issue #354 FIle Upload URL error #360 Bug in .tar archive extraction when destination(s) file(s) already exist (HTTP error 500) #332 Backup File return false #201
This commit is contained in:
parent
1482e41f74
commit
a0c595a8e1
|
@ -3,13 +3,13 @@
|
||||||
$CONFIG = '{"lang":"en","error_reporting":false,"show_hidden":false,"hide_Cols":false,"calc_folder":false}';
|
$CONFIG = '{"lang":"en","error_reporting":false,"show_hidden":false,"hide_Cols":false,"calc_folder":false}';
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* H3K | Tiny File Manager V2.4.1
|
* H3K | Tiny File Manager V2.4.2
|
||||||
* CCP Programmers | ccpprogrammers@gmail.com
|
* CCP Programmers | ccpprogrammers@gmail.com
|
||||||
* https://tinyfilemanager.github.io
|
* https://tinyfilemanager.github.io
|
||||||
*/
|
*/
|
||||||
|
|
||||||
//TFM version
|
//TFM version
|
||||||
define('VERSION', '2.4.1');
|
define('VERSION', '2.4.2');
|
||||||
|
|
||||||
//Application Title
|
//Application Title
|
||||||
define('APP_TITLE', 'Tiny File Manager');
|
define('APP_TITLE', 'Tiny File Manager');
|
||||||
|
@ -417,7 +417,7 @@ if (isset($_POST['ajax']) && !FM_READONLY) {
|
||||||
//search : get list of files from the current folder
|
//search : get list of files from the current folder
|
||||||
if(isset($_POST['type']) && $_POST['type']=="search") {
|
if(isset($_POST['type']) && $_POST['type']=="search") {
|
||||||
$dir = FM_ROOT_PATH;
|
$dir = FM_ROOT_PATH;
|
||||||
$response = scan($_POST['path'], $_POST['content']);
|
$response = scan(fm_clean_path($_POST['path']), $_POST['content']);
|
||||||
echo json_encode($response);
|
echo json_encode($response);
|
||||||
exit();
|
exit();
|
||||||
}
|
}
|
||||||
|
@ -425,11 +425,16 @@ if (isset($_POST['ajax']) && !FM_READONLY) {
|
||||||
// backup files
|
// backup files
|
||||||
if (isset($_POST['type']) && $_POST['type'] == "backup") {
|
if (isset($_POST['type']) && $_POST['type'] == "backup") {
|
||||||
$file = $_POST['file'];
|
$file = $_POST['file'];
|
||||||
$path = $_POST['path'];
|
$dir = fm_clean_path($_POST['path']);
|
||||||
$date = date("dMy-His");
|
$path = FM_ROOT_PATH.'/'.$dir;
|
||||||
$newFile = $file . '-' . $date . '.bak';
|
if($dir) {
|
||||||
copy($path . '/' . $file, $path . '/' . $newFile) or die("Unable to backup");
|
$date = date("dMy-His");
|
||||||
echo "Backup $newFile Created";
|
$newFile = $file . '-' . $date . '.bak';
|
||||||
|
copy($path . '/' . $file, $path . '/' . $newFile) or die("Unable to backup");
|
||||||
|
echo "Backup $newFile Created";
|
||||||
|
} else {
|
||||||
|
echo "Error! Not allowed";
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// Save Config
|
// Save Config
|
||||||
|
@ -785,17 +790,7 @@ if (isset($_GET['dl'])) {
|
||||||
$path .= '/' . FM_PATH;
|
$path .= '/' . FM_PATH;
|
||||||
}
|
}
|
||||||
if ($dl != '' && is_file($path . '/' . $dl)) {
|
if ($dl != '' && is_file($path . '/' . $dl)) {
|
||||||
header('Content-Description: File Transfer');
|
fm_download_file($path . '/' . $dl, $dl, 1024);
|
||||||
header('Content-Type: application/octet-stream');
|
|
||||||
header('Content-Disposition: attachment; filename="' . basename($path . '/' . $dl) . '"');
|
|
||||||
header('Content-Transfer-Encoding: binary');
|
|
||||||
header('Connection: Keep-Alive');
|
|
||||||
header('Expires: 0');
|
|
||||||
header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
|
|
||||||
header('Pragma: public');
|
|
||||||
header('Content-Length: ' . filesize($path . '/' . $dl));
|
|
||||||
ob_end_clean();
|
|
||||||
readfile($path . '/' . $dl);
|
|
||||||
exit;
|
exit;
|
||||||
} else {
|
} else {
|
||||||
fm_set_msg('File not found', 'error');
|
fm_set_msg('File not found', 'error');
|
||||||
|
@ -816,6 +811,10 @@ if (!empty($_FILES) && !FM_READONLY) {
|
||||||
$errors = 0;
|
$errors = 0;
|
||||||
$uploads = 0;
|
$uploads = 0;
|
||||||
$allowed = (FM_UPLOAD_EXTENSION) ? explode(',', FM_UPLOAD_EXTENSION) : false;
|
$allowed = (FM_UPLOAD_EXTENSION) ? explode(',', FM_UPLOAD_EXTENSION) : false;
|
||||||
|
$response = array (
|
||||||
|
'status' => 'error',
|
||||||
|
'info' => 'Oops! Try again'
|
||||||
|
);
|
||||||
|
|
||||||
$filename = $f['file']['name'];
|
$filename = $f['file']['name'];
|
||||||
$tmp_name = $f['file']['tmp_name'];
|
$tmp_name = $f['file']['tmp_name'];
|
||||||
|
@ -989,8 +988,17 @@ if (isset($_GET['unzip']) && !FM_READONLY) {
|
||||||
$zipper = new FM_Zipper();
|
$zipper = new FM_Zipper();
|
||||||
$res = $zipper->unzip($zip_path, $path);
|
$res = $zipper->unzip($zip_path, $path);
|
||||||
} elseif ($ext == "tar") {
|
} elseif ($ext == "tar") {
|
||||||
$gzipper = new PharData($zip_path);
|
try {
|
||||||
$res = $gzipper->extractTo($path);
|
$gzipper = new PharData($zip_path);
|
||||||
|
if (@$gzipper->extractTo($path,null, true)) {
|
||||||
|
$res = true;
|
||||||
|
} else {
|
||||||
|
$res = false;
|
||||||
|
}
|
||||||
|
} catch (Exception $e) {
|
||||||
|
//TODO:: need to handle the error
|
||||||
|
$res = true;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if ($res) {
|
if ($res) {
|
||||||
|
@ -1137,7 +1145,7 @@ if (isset($_GET['upload']) && !FM_READONLY) {
|
||||||
<?php echo lng('DestinationFolder') ?>: <?php echo fm_enc(fm_convert_win(FM_ROOT_PATH . '/' . FM_PATH)) ?>
|
<?php echo lng('DestinationFolder') ?>: <?php echo fm_enc(fm_convert_win(FM_ROOT_PATH . '/' . FM_PATH)) ?>
|
||||||
</p>
|
</p>
|
||||||
|
|
||||||
<form action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]) . '?p=' . fm_enc(FM_PATH) ?>" class="dropzone card-tabs-container" id="fileUploader" enctype="multipart/form-data">
|
<form action="<?php echo htmlspecialchars(FM_SELF_URL) . '?p=' . fm_enc(FM_PATH) ?>" class="dropzone card-tabs-container" id="fileUploader" enctype="multipart/form-data">
|
||||||
<input type="hidden" name="p" value="<?php echo fm_enc(FM_PATH) ?>">
|
<input type="hidden" name="p" value="<?php echo fm_enc(FM_PATH) ?>">
|
||||||
<input type="hidden" name="fullpath" id="fullpath" value="<?php echo fm_enc(FM_PATH) ?>">
|
<input type="hidden" name="fullpath" id="fullpath" value="<?php echo fm_enc(FM_PATH) ?>">
|
||||||
<div class="fallback">
|
<div class="fallback">
|
||||||
|
@ -1707,7 +1715,7 @@ if (isset($_GET['edit'])) {
|
||||||
</div>
|
</div>
|
||||||
<div class="edit-file-actions col-xs-12 col-sm-7 col-lg-6 text-right pt-1">
|
<div class="edit-file-actions col-xs-12 col-sm-7 col-lg-6 text-right pt-1">
|
||||||
<a title="Back" class="btn btn-sm btn-outline-primary" href="?p=<?php echo urlencode(trim(FM_PATH)) ?>&view=<?php echo urlencode($file) ?>"><i class="fa fa-reply-all"></i> <?php echo lng('Back') ?></a>
|
<a title="Back" class="btn btn-sm btn-outline-primary" href="?p=<?php echo urlencode(trim(FM_PATH)) ?>&view=<?php echo urlencode($file) ?>"><i class="fa fa-reply-all"></i> <?php echo lng('Back') ?></a>
|
||||||
<a title="Backup" class="btn btn-sm btn-outline-primary" href="javascript:backup('<?php echo urlencode($path) ?>','<?php echo urlencode($file) ?>')"><i class="fa fa-database"></i> <?php echo lng('BackUp') ?></a>
|
<a title="Backup" class="btn btn-sm btn-outline-primary" href="javascript:void(0);" onclick="backup('<?php echo urlencode(trim(FM_PATH)) ?>','<?php echo urlencode($file) ?>')"><i class="fa fa-database"></i> <?php echo lng('BackUp') ?></a>
|
||||||
<?php if ($is_text) { ?>
|
<?php if ($is_text) { ?>
|
||||||
<?php if ($isNormalEditor) { ?>
|
<?php if ($isNormalEditor) { ?>
|
||||||
<a title="Advanced" class="btn btn-sm btn-outline-primary" href="?p=<?php echo urlencode(trim(FM_PATH)) ?>&edit=<?php echo urlencode($file) ?>&env=ace"><i class="fa fa-pencil-square-o"></i> <?php echo lng('AdvancedEditor') ?></a>
|
<a title="Advanced" class="btn btn-sm btn-outline-primary" href="?p=<?php echo urlencode(trim(FM_PATH)) ?>&edit=<?php echo urlencode($file) ?>&env=ace"><i class="fa fa-pencil-square-o"></i> <?php echo lng('AdvancedEditor') ?></a>
|
||||||
|
@ -2809,29 +2817,142 @@ function fm_get_onlineViewer_exts()
|
||||||
return array('doc', 'docx', 'xls', 'xlsx', 'pdf', 'ppt', 'pptx', 'ai', 'psd', 'dxf', 'xps', 'rar', 'odt', 'ods');
|
return array('doc', 'docx', 'xls', 'xlsx', 'pdf', 'ppt', 'pptx', 'ai', 'psd', 'dxf', 'xps', 'rar', 'odt', 'ods');
|
||||||
}
|
}
|
||||||
|
|
||||||
|
function fm_get_file_mimes($extension)
|
||||||
|
{
|
||||||
|
$fileTypes['swf'] = 'application/x-shockwave-flash';
|
||||||
|
$fileTypes['pdf'] = 'application/pdf';
|
||||||
|
$fileTypes['exe'] = 'application/octet-stream';
|
||||||
|
$fileTypes['zip'] = 'application/zip';
|
||||||
|
$fileTypes['doc'] = 'application/msword';
|
||||||
|
$fileTypes['xls'] = 'application/vnd.ms-excel';
|
||||||
|
$fileTypes['ppt'] = 'application/vnd.ms-powerpoint';
|
||||||
|
$fileTypes['gif'] = 'image/gif';
|
||||||
|
$fileTypes['png'] = 'image/png';
|
||||||
|
$fileTypes['jpeg'] = 'image/jpg';
|
||||||
|
$fileTypes['jpg'] = 'image/jpg';
|
||||||
|
$fileTypes['rar'] = 'application/rar';
|
||||||
|
|
||||||
|
$fileTypes['ra'] = 'audio/x-pn-realaudio';
|
||||||
|
$fileTypes['ram'] = 'audio/x-pn-realaudio';
|
||||||
|
$fileTypes['ogg'] = 'audio/x-pn-realaudio';
|
||||||
|
|
||||||
|
$fileTypes['wav'] = 'video/x-msvideo';
|
||||||
|
$fileTypes['wmv'] = 'video/x-msvideo';
|
||||||
|
$fileTypes['avi'] = 'video/x-msvideo';
|
||||||
|
$fileTypes['asf'] = 'video/x-msvideo';
|
||||||
|
$fileTypes['divx'] = 'video/x-msvideo';
|
||||||
|
|
||||||
|
$fileTypes['mp3'] = 'audio/mpeg';
|
||||||
|
$fileTypes['mp4'] = 'audio/mpeg';
|
||||||
|
$fileTypes['mpeg'] = 'video/mpeg';
|
||||||
|
$fileTypes['mpg'] = 'video/mpeg';
|
||||||
|
$fileTypes['mpe'] = 'video/mpeg';
|
||||||
|
$fileTypes['mov'] = 'video/quicktime';
|
||||||
|
$fileTypes['swf'] = 'video/quicktime';
|
||||||
|
$fileTypes['3gp'] = 'video/quicktime';
|
||||||
|
$fileTypes['m4a'] = 'video/quicktime';
|
||||||
|
$fileTypes['aac'] = 'video/quicktime';
|
||||||
|
$fileTypes['m3u'] = 'video/quicktime';
|
||||||
|
|
||||||
|
$fileTypes['php'] = ['application/x-php'];
|
||||||
|
$fileTypes['html'] = ['text/html'];
|
||||||
|
$fileTypes['txt'] = ['text/plain'];
|
||||||
|
return $fileTypes[$extension];
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* This function scans the files and folder recursively, and return matching files
|
* This function scans the files and folder recursively, and return matching files
|
||||||
* @param string $dir
|
* @param string $dir
|
||||||
|
* @param string $filter
|
||||||
* @return json
|
* @return json
|
||||||
*/
|
*/
|
||||||
function scan($dir, $filter = '') {
|
function scan($dir, $filter = '') {
|
||||||
$path = FM_ROOT_PATH.'/'.$dir;
|
$path = FM_ROOT_PATH.'/'.$dir;
|
||||||
$ite = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($path));
|
if($dir) {
|
||||||
$rii = new RegexIterator($ite, "/(".$filter.")/i");
|
$ite = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($path));
|
||||||
|
$rii = new RegexIterator($ite, "/(" . $filter . ")/i");
|
||||||
|
|
||||||
$files = array();
|
$files = array();
|
||||||
foreach ($rii as $file) {
|
foreach ($rii as $file) {
|
||||||
if (!$file->isDir()) {
|
if (!$file->isDir()) {
|
||||||
$fileName = $file->getFilename();
|
$fileName = $file->getFilename();
|
||||||
$location = str_replace(FM_ROOT_PATH, '', $file->getPath());
|
$location = str_replace(FM_ROOT_PATH, '', $file->getPath());
|
||||||
$files[] = array(
|
$files[] = array(
|
||||||
"name" => $fileName,
|
"name" => $fileName,
|
||||||
"type" => "file",
|
"type" => "file",
|
||||||
"path" => $location,
|
"path" => $location,
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
return $files;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
Parameters: downloadFile(File Location, File Name,
|
||||||
|
max speed, is streaming
|
||||||
|
If streaming - videos will show as videos, images as images
|
||||||
|
instead of download prompt
|
||||||
|
https://stackoverflow.com/a/13821992/1164642
|
||||||
|
*/
|
||||||
|
|
||||||
|
function fm_download_file($fileLocation, $fileName, $chunkSize = 1024)
|
||||||
|
{
|
||||||
|
if (connection_status() != 0)
|
||||||
|
return (false);
|
||||||
|
$extension = pathinfo($fileName, PATHINFO_EXTENSION);
|
||||||
|
|
||||||
|
$contentType = fm_get_file_mimes($extension);
|
||||||
|
header("Cache-Control: public");
|
||||||
|
header("Content-Transfer-Encoding: binary\n");
|
||||||
|
header('Content-Type: $contentType');
|
||||||
|
|
||||||
|
$contentDisposition = 'attachment';
|
||||||
|
|
||||||
|
|
||||||
|
if (strstr($_SERVER['HTTP_USER_AGENT'], "MSIE")) {
|
||||||
|
$fileName = preg_replace('/\./', '%2e', $fileName, substr_count($fileName, '.') - 1);
|
||||||
|
header("Content-Disposition: $contentDisposition;filename=\"$fileName\"");
|
||||||
|
} else {
|
||||||
|
header("Content-Disposition: $contentDisposition;filename=\"$fileName\"");
|
||||||
}
|
}
|
||||||
return $files;
|
|
||||||
|
header("Accept-Ranges: bytes");
|
||||||
|
$range = 0;
|
||||||
|
$size = filesize($fileLocation);
|
||||||
|
|
||||||
|
if (isset($_SERVER['HTTP_RANGE'])) {
|
||||||
|
list($a, $range) = explode("=", $_SERVER['HTTP_RANGE']);
|
||||||
|
str_replace($range, "-", $range);
|
||||||
|
$size2 = $size - 1;
|
||||||
|
$new_length = $size - $range;
|
||||||
|
header("HTTP/1.1 206 Partial Content");
|
||||||
|
header("Content-Length: $new_length");
|
||||||
|
header("Content-Range: bytes $range$size2/$size");
|
||||||
|
} else {
|
||||||
|
$size2 = $size - 1;
|
||||||
|
header("Content-Range: bytes 0-$size2/$size");
|
||||||
|
header("Content-Length: " . $size);
|
||||||
|
}
|
||||||
|
|
||||||
|
if ($size == 0) {
|
||||||
|
die('Zero byte file! Aborting download');
|
||||||
|
}
|
||||||
|
@ini_set('magic_quotes_runtime', 0);
|
||||||
|
$fp = fopen("$fileLocation", "rb");
|
||||||
|
|
||||||
|
fseek($fp, $range);
|
||||||
|
|
||||||
|
while (!feof($fp) and (connection_status() == 0)) {
|
||||||
|
set_time_limit(0);
|
||||||
|
print(@fread($fp, 1024*$chunkSize));
|
||||||
|
flush();
|
||||||
|
ob_flush();
|
||||||
|
sleep(1);
|
||||||
|
}
|
||||||
|
fclose($fp);
|
||||||
|
|
||||||
|
return ((connection_status() == 0) and !connection_aborted());
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
{
|
{
|
||||||
"appName": "Tiny File Manager",
|
"appName": "Tiny File Manager",
|
||||||
"version": "2.4.1",
|
"version": "2.4.2",
|
||||||
"language": [
|
"language": [
|
||||||
{
|
{
|
||||||
"name": "فارسی",
|
"name": "فارسی",
|
||||||
|
|
Loading…
Reference in a new issue