mirror of
https://github.com/misterunknown/ifm.git
Several fixes:
* Fixes a bug with zipnload when trying to download the current directory (filename '.')
* Fixes a security flaw with zipnload: don't include hidden or .ht* files if that is forbidden in the config
* Sane coding style for ifmarchive.php; adjusting the remaining code is TODO

Signed-off-by: Marco Dickert <marco@misterunknown.de>
@@ -3905,13 +3905,13 @@ f00bar;
|
||||
$this->jsonResponse( array( "status" => "ERROR", "message" => $this->l['folder_not_found'] ) );
|
||||
elseif (!$this->isPathValid($d['filename']))
|
||||
$this->jsonResponse( array( "status" => "ERROR", "message" => $this->l['invalid_dir'] ) );
|
||||
elseif (!$this->isFilenameValid($d['filename']))
|
||||
elseif ($d['filename'] != "." && !$this->isFilenameValid($d['filename']))
|
||||
$this->jsonResponse( array( "status" => "ERROR", "message" => $this->l['invalid_filename'] ) );
|
||||
else {
|
||||
unset( $zip );
|
||||
$dfile = $this->pathCombine( __DIR__, $this->config['tmp_dir'], uniqid( "ifm-tmp-" ) . ".zip" ); // temporary filename
|
||||
try {
|
||||
IFMArchive::createZip( realpath( $d['filename'] ), $dfile );
|
||||
IFMArchive::createZip(realpath($d['filename']), $dfile, array($this, 'isFilenameValid'));
|
||||
if( $d['filename'] == "." ) {
|
||||
if( getcwd() == $this->getScriptRoot() )
|
||||
$d['filename'] = "root";
|
||||
@@ -4340,7 +4340,7 @@ f00bar;
|
||||
}
|
||||
|
||||
// check if filename is allowed
|
||||
private function isFilenameValid( $f ) {
|
||||
public function isFilenameValid( $f ) {
|
||||
if( ! $this->isFilenameAllowed( $f ) )
|
||||
return false;
|
||||
if( strtoupper( substr( PHP_OS, 0, 3 ) ) == "WIN" ) {
|
||||
@@ -4440,7 +4440,7 @@ class IFMArchive {
|
||||
/**
|
||||
* Add a folder to an archive
|
||||
*/
|
||||
private static function addFolder( &$archive, $folder, $offset=0 ) {
|
||||
private static function addFolder(&$archive, $folder, $offset=0, $exclude_callback=null) {
|
||||
if ($offset == 0)
|
||||
$offset = strlen(dirname($folder)) + 1;
|
||||
$archive->addEmptyDir(substr($folder, $offset));
|
||||
@@ -4450,8 +4450,12 @@ class IFMArchive {
|
||||
$filePath = $folder . '/' . $f;
|
||||
if (file_exists($filePath) && is_readable($filePath))
|
||||
if (is_file($filePath))
|
||||
if (!is_callable($exclude_callback) || $exclude_callback($f))
|
||||
$archive->addFile( $filePath, substr( $filePath, $offset ) );
|
||||
elseif (is_dir($filePath))
|
||||
if (is_callable($exclude_callback))
|
||||
self::addFolder($archive, $filePath, $offset, $exclude_callback);
|
||||
else
|
||||
self::addFolder($archive, $filePath, $offset);
|
||||
}
|
||||
}
|
||||
@@ -4461,18 +4465,23 @@ class IFMArchive {
|
||||
/**
|
||||
* Create a zip file
|
||||
*/
|
||||
public static function createZip( $src, $out )
|
||||
{
|
||||
public static function createZip($src, $out, $exclude_callback=null) {
|
||||
$a = new ZipArchive();
|
||||
$a->open($out, ZIPARCHIVE::CREATE);
|
||||
|
||||
if (!is_array($src))
|
||||
$src = array($src);
|
||||
|
||||
file_put_contents("debug.ifm.log", var_export(is_callable($exclude_callback), true)."\n");
|
||||
|
||||
foreach ($src as $s)
|
||||
if (is_dir($s))
|
||||
if (is_callable($exclude_callback))
|
||||
self::addFolder( $a, $s, null, $exclude_callback );
|
||||
else
|
||||
self::addFolder( $a, $s );
|
||||
elseif (is_file($s))
|
||||
if (!is_callable($exclude_callback) || $exclude_callback($s))
|
||||
$a->addFile($s, substr($s, strlen(dirname($s)) + 1));
|
||||
|
||||
try {
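Review bot: In the `addFolder` hunk (`@@ -4450,8 +4450,12 @@`) the new unbraced `if (!is_callable($exclude_callback) || $exclude_callback($f))` captures the following `elseif (is_dir($filePath))`, because PHP binds a dangling `elseif` to the nearest `if`. The directory branch is then only reached for a path that already passed `is_file()`, so sub-folders appear never to be recursed into, with or without a callback. Bracing the conditions restores the recursion; when doing so the callback should also be tested before descending, since as written it is consulted for file names only and a directory with an excluded name would be walked (whether `isFilenameValid` suits directory names cannot be confirmed from this hunk). The loop around these lines starts outside the hunk, and the same code is repeated in the `ifm.php` section and in the section beginning `@@ -23,7 +23,7 @@`.

```php
// … unchanged: $filePath = $folder . '/' . $f; …
if (file_exists($filePath) && is_readable($filePath)) {
    // One decision for files and directories, so an excluded directory is not descended into.
    $allowed = !is_callable($exclude_callback) || $exclude_callback($f);
    if ($allowed && is_file($filePath)) {
        $archive->addFile($filePath, substr($filePath, $offset));
    } elseif ($allowed && is_dir($filePath)) {
        // addFolder accepts a null callback, so no is_callable() branching is needed here.
        self::addFolder($archive, $filePath, $offset, $exclude_callback);
    }
}
```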
|
||||
|
21
ifm.php
@@ -3905,13 +3905,13 @@ f00bar;
|
||||
$this->jsonResponse( array( "status" => "ERROR", "message" => $this->l['folder_not_found'] ) );
|
||||
elseif (!$this->isPathValid($d['filename']))
|
||||
$this->jsonResponse( array( "status" => "ERROR", "message" => $this->l['invalid_dir'] ) );
|
||||
elseif (!$this->isFilenameValid($d['filename']))
|
||||
elseif ($d['filename'] != "." && !$this->isFilenameValid($d['filename']))
|
||||
$this->jsonResponse( array( "status" => "ERROR", "message" => $this->l['invalid_filename'] ) );
|
||||
else {
|
||||
unset( $zip );
|
||||
$dfile = $this->pathCombine( __DIR__, $this->config['tmp_dir'], uniqid( "ifm-tmp-" ) . ".zip" ); // temporary filename
|
||||
try {
|
||||
IFMArchive::createZip( realpath( $d['filename'] ), $dfile );
|
||||
IFMArchive::createZip(realpath($d['filename']), $dfile, array($this, 'isFilenameValid'));
|
||||
if( $d['filename'] == "." ) {
|
||||
if( getcwd() == $this->getScriptRoot() )
|
||||
$d['filename'] = "root";
|
||||
@@ -4340,7 +4340,7 @@ f00bar;
|
||||
}
|
||||
|
||||
// check if filename is allowed
|
||||
private function isFilenameValid( $f ) {
|
||||
public function isFilenameValid( $f ) {
|
||||
if( ! $this->isFilenameAllowed( $f ) )
|
||||
return false;
|
||||
if( strtoupper( substr( PHP_OS, 0, 3 ) ) == "WIN" ) {
|
||||
@@ -4440,7 +4440,7 @@ class IFMArchive {
|
||||
/**
|
||||
* Add a folder to an archive
|
||||
*/
|
||||
private static function addFolder( &$archive, $folder, $offset=0 ) {
|
||||
private static function addFolder(&$archive, $folder, $offset=0, $exclude_callback=null) {
|
||||
if ($offset == 0)
|
||||
$offset = strlen(dirname($folder)) + 1;
|
||||
$archive->addEmptyDir(substr($folder, $offset));
|
||||
@@ -4450,8 +4450,12 @@ class IFMArchive {
|
||||
$filePath = $folder . '/' . $f;
|
||||
if (file_exists($filePath) && is_readable($filePath))
|
||||
if (is_file($filePath))
|
||||
if (!is_callable($exclude_callback) || $exclude_callback($f))
|
||||
$archive->addFile( $filePath, substr( $filePath, $offset ) );
|
||||
elseif (is_dir($filePath))
|
||||
if (is_callable($exclude_callback))
|
||||
self::addFolder($archive, $filePath, $offset, $exclude_callback);
|
||||
else
|
||||
self::addFolder($archive, $filePath, $offset);
|
||||
}
|
||||
}
|
||||
@@ -4461,18 +4465,23 @@ class IFMArchive {
|
||||
/**
|
||||
* Create a zip file
|
||||
*/
|
||||
public static function createZip( $src, $out )
|
||||
{
|
||||
public static function createZip($src, $out, $exclude_callback=null) {
|
||||
$a = new ZipArchive();
|
||||
$a->open($out, ZIPARCHIVE::CREATE);
|
||||
|
||||
if (!is_array($src))
|
||||
$src = array($src);
|
||||
|
||||
file_put_contents("debug.ifm.log", var_export(is_callable($exclude_callback), true)."\n");
|
||||
|
||||
foreach ($src as $s)
|
||||
if (is_dir($s))
|
||||
if (is_callable($exclude_callback))
|
||||
self::addFolder( $a, $s, null, $exclude_callback );
|
||||
else
|
||||
self::addFolder( $a, $s );
|
||||
elseif (is_file($s))
|
||||
if (!is_callable($exclude_callback) || $exclude_callback($s))
|
||||
$a->addFile($s, substr($s, strlen(dirname($s)) + 1));
|
||||
|
||||
try {
|
||||
|
@@ -23,7 +23,7 @@ class IFMArchive {
|
||||
/**
|
||||
* Add a folder to an archive
|
||||
*/
|
||||
private static function addFolder( &$archive, $folder, $offset=0 ) {
|
||||
private static function addFolder(&$archive, $folder, $offset=0, $exclude_callback=null) {
|
||||
if ($offset == 0)
|
||||
$offset = strlen(dirname($folder)) + 1;
|
||||
$archive->addEmptyDir(substr($folder, $offset));
|
||||
@@ -33,8 +33,12 @@ class IFMArchive {
|
||||
$filePath = $folder . '/' . $f;
|
||||
if (file_exists($filePath) && is_readable($filePath))
|
||||
if (is_file($filePath))
|
||||
if (!is_callable($exclude_callback) || $exclude_callback($f))
|
||||
$archive->addFile( $filePath, substr( $filePath, $offset ) );
|
||||
elseif (is_dir($filePath))
|
||||
if (is_callable($exclude_callback))
|
||||
self::addFolder($archive, $filePath, $offset, $exclude_callback);
|
||||
else
|
||||
self::addFolder($archive, $filePath, $offset);
|
||||
}
|
||||
}
|
||||
@@ -44,18 +48,23 @@ class IFMArchive {
|
||||
/**
|
||||
* Create a zip file
|
||||
*/
|
||||
public static function createZip( $src, $out )
|
||||
{
|
||||
public static function createZip($src, $out, $exclude_callback=null) {
|
||||
$a = new ZipArchive();
|
||||
$a->open($out, ZIPARCHIVE::CREATE);
|
||||
|
||||
if (!is_array($src))
|
||||
$src = array($src);
|
||||
|
||||
file_put_contents("debug.ifm.log", var_export(is_callable($exclude_callback), true)."\n");
|
||||
|
||||
foreach ($src as $s)
|
||||
if (is_dir($s))
|
||||
if (is_callable($exclude_callback))
|
||||
self::addFolder( $a, $s, null, $exclude_callback );
|
||||
else
|
||||
self::addFolder( $a, $s );
|
||||
elseif (is_file($s))
|
||||
if (!is_callable($exclude_callback) || $exclude_callback($s))
|
||||
$a->addFile($s, substr($s, strlen(dirname($s)) + 1));
|
||||
|
||||
try {
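Review bot: The `file_put_contents("debug.ifm.log", var_export(is_callable($exclude_callback), true)."\n");` line in `createZip` looks like leftover debugging and should be removed: every archive request overwrites a `debug.ifm.log` relative to the current working directory, which in this tool is presumably a directory the user is browsing. Separately, the single-file branch hands the full path `$s` to the callback while `addFolder` hands it the bare entry name `$f`; `$exclude_callback(basename($s))` would make the two agree, assuming the callback is written for names rather than paths. The same lines appear in the other copies of `createZip` on this page.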
|
||||
|
@@ -829,13 +829,13 @@ f00bar;
|
||||
$this->jsonResponse( array( "status" => "ERROR", "message" => $this->l['folder_not_found'] ) );
|
||||
elseif (!$this->isPathValid($d['filename']))
|
||||
$this->jsonResponse( array( "status" => "ERROR", "message" => $this->l['invalid_dir'] ) );
|
||||
elseif (!$this->isFilenameValid($d['filename']))
|
||||
elseif ($d['filename'] != "." && !$this->isFilenameValid($d['filename']))
|
||||
$this->jsonResponse( array( "status" => "ERROR", "message" => $this->l['invalid_filename'] ) );
|
||||
else {
|
||||
unset( $zip );
|
||||
$dfile = $this->pathCombine( __DIR__, $this->config['tmp_dir'], uniqid( "ifm-tmp-" ) . ".zip" ); // temporary filename
|
||||
try {
|
||||
IFMArchive::createZip( realpath( $d['filename'] ), $dfile );
|
||||
IFMArchive::createZip(realpath($d['filename']), $dfile, array($this, 'isFilenameValid'));
|
||||
if( $d['filename'] == "." ) {
|
||||
if( getcwd() == $this->getScriptRoot() )
|
||||
$d['filename'] = "root";
|
||||
@@ -1264,7 +1264,7 @@ f00bar;
|
||||
}
|
||||
|
||||
// check if filename is allowed
|
||||
private function isFilenameValid( $f ) {
|
||||
public function isFilenameValid( $f ) {
|
||||
if( ! $this->isFilenameAllowed( $f ) )
|
||||
return false;
|
||||
if( strtoupper( substr( PHP_OS, 0, 3 ) ) == "WIN" ) {
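Review bot: `isFilenameValid` is widened from `private` to `public` apparently only so that `array($this, 'isFilenameValid')` can be invoked from `IFMArchive`, and the one-line comment above it does not record that. If the method is not meant to join the class's public surface it can stay private by passing a closure from the call site, e.g. `function ($name) { return $this->isFilenameValid($name); }` (needs PHP 5.4 or later for `$this` inside closures). Otherwise a short docblock saying it is public because it serves as the archive filter would help the next reader. The method body continues outside the hunk, and both changes are repeated in the earlier sections on this page.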
|
||||
|