From cd42a2c72e327f3b9ed4d2f941c8a1321608dcca Mon Sep 17 00:00:00 2001
From: Marco Dickert
Date: Fri, 7 Jul 2017 16:47:44 +0200
Subject: [PATCH] fixed some bugs which were found during a comprehensive test; ready to merge into master
---
build/ifmlib.php | 23 ++++++++++++++++-------
ifm.php | 23 ++++++++++++++++-------
src/ifm.js | 2 +-
src/main.php | 17 +++++++++++++----
src/templates/filetable.html | 4 ++--
5 files changed, 48 insertions(+), 21 deletions(-)
diff --git a/build/ifmlib.php b/build/ifmlib.php
index 490afa9..daf1659 100644
--- a/build/ifmlib.php
+++ b/build/ifmlib.php
@@ -55,7 +55,8 @@ class IFM {
 public $mode = "";
 public function __construct( $config=array() ) {
- session_start();
+ if( session_status() !== PHP_SESSION_ACTIVE )
+ session_start();
 $this->config = array_merge( $this->defaultconfig, $config );
 }
@@ -422,7 +423,7 @@ function IFM( params ) {
 icon: "icon icon-pencil",
 title: "edit"
 });
- else
+ if( self.config.extract && item.name.toLowerCase().substr(-4) == ".zip" )
 item.button.push({
 action: "extract",
 icon: "icon icon-archive",
@@ -1750,6 +1751,10 @@ function IFM( params ) {
 // creates a directory
 private function createDir($w, $dn) {
+ if( $this->config['createDir'] != 1 ) {
+ echo json_encode( array( "status" => "ERROR", "message" => "No permission to create directories.") );
+ exit( 1 );
+ }
 if( $dn == "" ) {
 echo json_encode( array( "status" => "ERROR", "message" => "No valid directory name") );
 } elseif( strpos( $dn, '/' ) !== false )
 echo json_encode( array( "status" => "ERROR", "message" => "No slashes allowed in directory names" ) );
@@ -1764,7 +1769,11 @@ function IFM( params ) {
 }
 // save a file
- private function saveFile(array $d) {
+ private function saveFile( $d ) {
+ if( ( file_exists( $this->pathCombine( $d['dir'], $d['filename'] ) ) && $this->config['edit'] != 1 ) || ( ! file_exists( $this->pathCombine( $d['dir'], $d['filename'] ) ) && $this->config['createfile'] != 1 ) ) {
+ echo json_encode( array( "status" => "ERROR", "message" => "You are not allowed to edit/create this file." ) );
+ exit( 1 );
+ }
 if( isset( $d['filename'] ) && $d['filename'] != "" ) {
 // if you are not allowed to see .ht-docs you can't save one
 if( $this->config['showhtdocs'] != 1 && substr( $d['filename'], 0, 3 ) == ".ht" ) {
@@ -1798,7 +1807,7 @@ function IFM( params ) {
 // gets the content of a file
 // notice: if the content is not JSON encodable it returns an error
 private function getContent( array $d ) {
- if( $this->config['edit'] != 1 ) echo json_encode( array( "status" => "ERROR", "message" => "No permission to edit files" ) );
+ if( $this->config['edit'] != 1 ) echo json_encode( array( "status" => "ERROR", "message" => "You are not allowed to edit files." ) );
 else {
 $this->chDirIfNecessary( $d['dir'] );
 if( file_exists( $d['filename'] ) ) {
@@ -1836,7 +1845,7 @@ function IFM( params ) {
 // deletes a bunch of files or directories
 private function deleteMultipleFiles( array $d ) {
- if( $this->config['delete'] != 1 ) echo json_encode( array( "status" => "ERROR", "message" => "No permission to delete multiple files" ) );
+ if( $this->config['delete'] != 1 ) echo json_encode( array( "status" => "ERROR", "message" => "No permission to delete files" ) );
 else {
 $this->chDirIfNecessary( $d['dir'] );
 $err = array();
 $errFLAG = -1; // -1 -> no files deleted; 0 -> at least some files deleted; 1 -> all files deleted
@@ -2486,8 +2495,8 @@ f00bar;
 {{linkname}}
+ {{#config.download}}
- {{#download.allowed}}
@@ -2496,8 +2505,8 @@ f00bar;
- {{/download.allowed}}
+ {{/config.download}}
 {{#config.showlastmodified}} {{lastmodified}} {{/config.showlastmodified}}
diff --git a/ifm.php b/ifm.php
index 79515e8..901b55e 100644
--- a/ifm.php
+++ b/ifm.php
@@ -55,7 +55,8 @@ class IFM {
 public $mode = "";
 public function __construct( $config=array() ) {
- session_start();
+ if( session_status() !== PHP_SESSION_ACTIVE )
+ session_start();
 $this->config = array_merge( $this->defaultconfig, $config );
 }
@@ -422,7 +423,7 @@ function IFM( params ) {
 icon: "icon icon-pencil",
 title: "edit"
 });
- else
+ if( self.config.extract && item.name.toLowerCase().substr(-4) == ".zip" )
 item.button.push({
 action: "extract",
 icon: "icon icon-archive",
@@ -1750,6 +1751,10 @@ function IFM( params ) {
 // creates a directory
 private function createDir($w, $dn) {
+ if( $this->config['createDir'] != 1 ) {
+ echo json_encode( array( "status" => "ERROR", "message" => "No permission to create directories.") );
+ exit( 1 );
+ }
 if( $dn == "" ) {
 echo json_encode( array( "status" => "ERROR", "message" => "No valid directory name") );
 } elseif( strpos( $dn, '/' ) !== false )
 echo json_encode( array( "status" => "ERROR", "message" => "No slashes allowed in directory names" ) );
@@ -1764,7 +1769,11 @@ function IFM( params ) {
 }
 // save a file
- private function saveFile(array $d) {
+ private function saveFile( $d ) {
+ if( ( file_exists( $this->pathCombine( $d['dir'], $d['filename'] ) ) && $this->config['edit'] != 1 ) || ( ! file_exists( $this->pathCombine( $d['dir'], $d['filename'] ) ) && $this->config['createfile'] != 1 ) ) {
+ echo json_encode( array( "status" => "ERROR", "message" => "You are not allowed to edit/create this file." ) );
+ exit( 1 );
+ }
 if( isset( $d['filename'] ) && $d['filename'] != "" ) {
 // if you are not allowed to see .ht-docs you can't save one
 if( $this->config['showhtdocs'] != 1 && substr( $d['filename'], 0, 3 ) == ".ht" ) {
@@ -1798,7 +1807,7 @@ function IFM( params ) {
 // gets the content of a file
 // notice: if the content is not JSON encodable it returns an error
 private function getContent( array $d ) {
- if( $this->config['edit'] != 1 ) echo json_encode( array( "status" => "ERROR", "message" => "No permission to edit files" ) );
+ if( $this->config['edit'] != 1 ) echo json_encode( array( "status" => "ERROR", "message" => "You are not allowed to edit files." ) );
 else {
 $this->chDirIfNecessary( $d['dir'] );
 if( file_exists( $d['filename'] ) ) {
@@ -1836,7 +1845,7 @@ function IFM( params ) {
 // deletes a bunch of files or directories
 private function deleteMultipleFiles( array $d ) {
- if( $this->config['delete'] != 1 ) echo json_encode( array( "status" => "ERROR", "message" => "No permission to delete multiple files" ) );
+ if( $this->config['delete'] != 1 ) echo json_encode( array( "status" => "ERROR", "message" => "No permission to delete files" ) );
 else {
 $this->chDirIfNecessary( $d['dir'] );
 $err = array();
 $errFLAG = -1; // -1 -> no files deleted; 0 -> at least some files deleted; 1 -> all files deleted
@@ -2486,8 +2495,8 @@ f00bar;
 {{linkname}}
+ {{#config.download}}
- {{#download.allowed}}
@@ -2496,8 +2505,8 @@ f00bar;
- {{/download.allowed}}
+ {{/config.download}}
 {{#config.showlastmodified}} {{lastmodified}} {{/config.showlastmodified}}
diff --git a/src/ifm.js b/src/ifm.js
index 0631a4c..bc7b632 100644
--- a/src/ifm.js
+++ b/src/ifm.js
@@ -111,7 +111,7 @@ function IFM( params ) {
 icon: "icon icon-pencil",
 title: "edit"
 });
- else
+ if( self.config.extract && item.name.toLowerCase().substr(-4) == ".zip" )
 item.button.push({
 action: "extract",
 icon: "icon icon-archive",
diff --git a/src/main.php b/src/main.php
index 0ce07c5..518f1fa 100644
--- a/src/main.php
+++ b/src/main.php
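Review bot: The new condition on the added line compares with loose `==` and a `substr(-4)` slice; `===` avoids type coercion and matches the strict comparisons used elsewhere, and `item.name.toLowerCase().endsWith(".zip")` states the intent directly (keep `substr(-4) === ".zip"` if the supported browsers lack `String.prototype.endsWith`, which I cannot tell from here). Because the `else` is gone, a `.zip` entry now gets both the edit and the extract button when both are enabled; that looks intended, so a one-line comment such as `// extract is offered in addition to edit, not instead of it` would stop a later reader from reinstating the `else`. The enclosing function continues outside the hunk, and the same hunk is repeated inside the build copies build/ifmlib.php and ifm.php.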
@@ -55,7 +55,8 @@ class IFM {
 public $mode = "";
 public function __construct( $config=array() ) {
- session_start();
+ if( session_status() !== PHP_SESSION_ACTIVE )
+ session_start();
 $this->config = array_merge( $this->defaultconfig, $config );
 }
@@ -306,6 +307,10 @@ class IFM {
 // creates a directory
 private function createDir($w, $dn) {
+ if( $this->config['createDir'] != 1 ) {
+ echo json_encode( array( "status" => "ERROR", "message" => "No permission to create directories.") );
+ exit( 1 );
+ }
 if( $dn == "" ) {
 echo json_encode( array( "status" => "ERROR", "message" => "No valid directory name") );
 } elseif( strpos( $dn, '/' ) !== false )
 echo json_encode( array( "status" => "ERROR", "message" => "No slashes allowed in directory names" ) );
@@ -320,7 +325,11 @@ class IFM {
 }
 // save a file
- private function saveFile(array $d) {
+ private function saveFile( $d ) {
+ if( ( file_exists( $this->pathCombine( $d['dir'], $d['filename'] ) ) && $this->config['edit'] != 1 ) || ( ! file_exists( $this->pathCombine( $d['dir'], $d['filename'] ) ) && $this->config['createfile'] != 1 ) ) {
+ echo json_encode( array( "status" => "ERROR", "message" => "You are not allowed to edit/create this file." ) );
+ exit( 1 );
+ }
 if( isset( $d['filename'] ) && $d['filename'] != "" ) {
 // if you are not allowed to see .ht-docs you can't save one
 if( $this->config['showhtdocs'] != 1 && substr( $d['filename'], 0, 3 ) == ".ht" ) {
@@ -354,7 +363,7 @@ class IFM {
 // gets the content of a file
 // notice: if the content is not JSON encodable it returns an error
 private function getContent( array $d ) {
- if( $this->config['edit'] != 1 ) echo json_encode( array( "status" => "ERROR", "message" => "No permission to edit files" ) );
+ if( $this->config['edit'] != 1 ) echo json_encode( array( "status" => "ERROR", "message" => "You are not allowed to edit files." ) );
 else {
 $this->chDirIfNecessary( $d['dir'] );
 if( file_exists( $d['filename'] ) ) {
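Review bot: The added `if( session_status() !== PHP_SESSION_ACTIVE )` guard wraps its one-line body without braces, while the other guards this commit adds (`createDir`, `saveFile`) use braced blocks; `if( session_status() !== PHP_SESSION_ACTIVE ) {` / `session_start();` / `}` keeps the class uniform and makes adding a second statement later safe. Reusing an already-active session also means IFM now shares session state with whatever embedding script started it, which is a behavioural change worth recording; a comment such as `// reuse the embedding application's session when one is already running` would document the reason for the check. The same hunk is repeated in the build copies build/ifmlib.php and ifm.php.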
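Review bot: The new permission guard at the top of `createDir` stops the request with `exit( 1 )`, whereas the sibling guards this commit touches in `getContent` and `deleteMultipleFiles` emit the JSON error and fall into an `else` branch, and the existing name checks directly below in `createDir` only `echo`; mixing the two styles makes it easy to assume every guard halts execution when only some do. If nothing runs after `createDir` returns, `return;` in place of `exit( 1 )` would keep the method consistent with its own checks; if a hard stop is deliberate, a comment such as `// hard stop: nothing below may run without createDir permission` should say so. The `!= 1` loose comparison mirrors the existing config checks, so it is fine to leave as is. The same hunk is repeated in the build copies build/ifmlib.php and ifm.php.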
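Review bot: The new guard in `saveFile` reads `$d['dir']` and `$d['filename']` before the `isset( $d['filename'] )` check on the line right after it, so a request without a filename (a case the existing check expects) now triggers an undefined-index notice inside `pathCombine`/`file_exists` instead of reaching the validation, and the `.ht` name restriction below is only applied after the path has already been probed. Moving the guard inside the `if( isset( $d['filename'] ) && $d['filename'] != "" )` block and computing the target once, e.g. `$path = $this->pathCombine( $d['dir'], $d['filename'] );` then `$exists = file_exists( $path );`, keeps input validation ahead of any filesystem access and removes the duplicated `pathCombine` call. The `array` type hint on `$d` was dropped in the same hunk without a stated reason; restoring `private function saveFile( array $d )` keeps the signature aligned with `getContent( array $d )` and `deleteMultipleFiles( array $d )`. I cannot see `pathCombine` or the write further down in `saveFile` (the method continues outside the hunk), so please confirm the path probed here is the same one the later write uses; if the write happens after a `chDirIfNecessary` call, the two may resolve differently. The same hunk is repeated in the build copies build/ifmlib.php and ifm.php.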
@@ -392,7 +401,7 @@ class IFM {
 // deletes a bunch of files or directories
 private function deleteMultipleFiles( array $d ) {
- if( $this->config['delete'] != 1 ) echo json_encode( array( "status" => "ERROR", "message" => "No permission to delete multiple files" ) );
+ if( $this->config['delete'] != 1 ) echo json_encode( array( "status" => "ERROR", "message" => "No permission to delete files" ) );
 else {
 $this->chDirIfNecessary( $d['dir'] );
 $err = array();
 $errFLAG = -1; // -1 -> no files deleted; 0 -> at least some files deleted; 1 -> all files deleted
diff --git a/src/templates/filetable.html b/src/templates/filetable.html
index 1f8eb29..301f29f 100644
--- a/src/templates/filetable.html
+++ b/src/templates/filetable.html
@@ -7,8 +7,8 @@
 {{linkname}}
+ {{#config.download}}
- {{#download.allowed}}
@@ -17,8 +17,8 @@
- {{/download.allowed}}
+ {{/config.download}}
 {{#config.showlastmodified}} {{lastmodified}} {{/config.showlastmodified}}