Fix for path traversal vulnerability, reported by - @hhc0null/Hiroki MATSUKUMA

This commit is contained in:
Prasath Mani 2019-04-03 17:20:23 +05:30
parent b546ac168e
commit ae971c8b99
3 changed files with 28 additions and 9 deletions


@ -55,7 +55,7 @@ To enable/disable authentication set `$use_auth` to true or false.
- :cd: Open Source, light and extremely simple
- :iphone: Mobile friendly view for touch devices
- :information_source: Basic features likes Create, Delete, Modify, View, Download, Copy and Move files
- :information_source: Basic features likes Create, Delete, Modify, View, Quick View, Download, Copy and Move files
- :arrow_double_up: Ajax Upload, Ability to drag & drop, upload from URL, multiple files upload and file extensions filter
- :file_folder: Ability to create folders and files
- :gift: Ability to compress, extract files (`zip`, `tar`)
@ -74,10 +74,7 @@ To enable/disable authentication set `$use_auth` to true or false.
- Available under the [GNU license](https://github.com/prasathmani/tinyfilemanager/blob/master/LICENSE)
- Original concept and development by github.com/alexantr/filemanager
- CDN Used - _jQuery, Bootstrap, Font Awesome, Highlight js, ace js, DropZone js, DataTable js_
- CDN Used - _jQuery, Bootstrap, Font Awesome, Highlight js, ace js, DropZone js, ekko-lightbox js, and DataTable js_
- To report a bug or request a feature, please file an [issue](https://github.com/prasathmani/tinyfilemanager/issues)
- We hope our tools will be helpful for you. If you find Tiny File Manager useful for your personal or commercial projects, Help me out for a couple of
[![Beerpay](https://beerpay.io/prasathmani/tinyfilemanager/badge.svg?style=flat-square)](https://beerpay.io/prasathmani/tinyfilemanager)


@ -3,13 +3,13 @@
$CONFIG = '{"lang":"en","error_reporting":false,"show_hidden":false}';
/**
* H3K | Tiny File Manager V2.3.4
* H3K | Tiny File Manager V2.3.5
* CCP Programmers | ccpprogrammers@gmail.com
* https://tinyfilemanager.github.io
*/
//TFM version
define('VERSION', '2.3.4');
define('VERSION', '2.3.5');
// Auth with login/password (set true/false to enable/disable it)
$use_auth = true;
@ -1958,6 +1958,27 @@ function fm_redirect($url, $code = 302)
exit;
}
/**
* Path traversal prevention and clean the url
* It replaces (consecutive) occurrences of / and \\ with whatever is in DIRECTORY_SEPARATOR, and processes /. and /.. fine.
* @param $path
* @return string
*/
function get_absolute_path($path) {
$path = str_replace(array('/', '\\'), DIRECTORY_SEPARATOR, $path);
$parts = array_filter(explode(DIRECTORY_SEPARATOR, $path), 'strlen');
$absolutes = array();
foreach ($parts as $part) {
if ('.' == $part) continue;
if ('..' == $part) {
array_pop($absolutes);
} else {
$absolutes[] = $part;
}
}
return implode(DIRECTORY_SEPARATOR, $absolutes);
}
/**
* Clean path
* @param string $path
@ -1968,6 +1989,7 @@ function fm_clean_path($path)
$path = trim($path);
$path = trim($path, '\\/');
$path = str_replace(array('../', '..\\'), '', $path);
$path = get_absolute_path($path);
if ($path == '..') {
$path = '';
}
@ -3237,7 +3259,7 @@ $isStickyNavBar = $sticky_navbar ? 'navbar-fixed' : 'navbar-normal';
<script>
$(document).on('click', '[data-toggle="lightbox"]', function(event) {
event.preventDefault();
var reInitHighlight = function() { if(typeof isHighlightingEnabled !== "undefined" && isHighlightingEnabled) { setTimeout(function () { $('.ekko-lightbox-container pre code').each(function (i, e) { hljs.highlightBlock(e) }); }, 111); } };
var reInitHighlight = function() { if(typeof isHighlightingEnabled !== "undefined" && isHighlightingEnabled) { setTimeout(function () { $('.ekko-lightbox-container pre code').each(function (i, e) { hljs.highlightBlock(e) }); }, 555); } };
$(this).ekkoLightbox({
alwaysShowClose: true,
showArrows: true,
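Review bot: get_absolute_path (the new helper in the second hunk) is a purely lexical normalization — it never touches the filesystem — so the fix confines the string to the root but not the resolved path, and a symlink under the managed directory that points outside it (however it got there) would still be followed once the cleaned path is joined to the root. At the point where fm_clean_path's result is joined with the root (outside this hunk), back the lexical check with a filesystem one, e.g. `$rootReal = realpath($root); $real = realpath($root . DIRECTORY_SEPARATOR . $path); if ($real === false || ($real !== $rootReal && strpos($real, $rootReal . DIRECTORY_SEPARATOR) !== 0)) { /* reject */ }`. Two smaller points in fm_clean_path: the `str_replace(array('../', '..\\'), '', $path)` on the line before the new call is now redundant (the helper resolves every `..` component), and the following `if ($path == '..')` can no longer trigger because the helper never returns `..`, so both can be dropped. The helper's docblock should also state that it discards any leading separator and returns a root-relative path with no `.`/`..` components and no filesystem or symlink resolution — the name `get_absolute_path` suggests the opposite. fm_clean_path's body continues past the end of the hunk.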


@ -1,6 +1,6 @@
{
"appName": "Tiny File Manager",
"version": "2.3.4",
"version": "2.3.5",
"language": [
{
"name": "русский",