diff --git a/plugins/box/filesmanager/filesmanager.admin.php b/plugins/box/filesmanager/filesmanager.admin.php
old mode 100644
new mode 100755
index d9b994d..16c408e
--- a/plugins/box/filesmanager/filesmanager.admin.php
+++ b/plugins/box/filesmanager/filesmanager.admin.php
@@ -75,31 +75,42 @@
 // Delete file
 // -------------------------------------
- if (Request::get('id') == 'filesmanager') {
- if (Request::get('delete_file')) {
+ if (Request::get('id') == 'filesmanager' && Request::get('delete_file')) {
+
+ if (Security::check(Request::get('token'))) {
+
 File::delete($files_path.Request::get('delete_file'));
 Request::redirect($site_url.'admin/index.php?id=filesmanager&path='.$path);
- }
+
+ } else { die('csrf detected!'); }
 }
 // Delete dir
 // -------------------------------------
- if (Request::get('id') == 'filesmanager') {
- if (Request::get('delete_dir')) {
+ if (Request::get('id') == 'filesmanager' && Request::get('delete_dir')) {
+
+ if (Security::check(Request::get('token'))) {
+
 Dir::delete($files_path.Request::get('delete_dir'));
 Request::redirect($site_url.'admin/index.php?id=filesmanager&path='.$path);
- }
+
+ } else { die('csrf detected!'); }
 }
 // Upload file
 // -------------------------------------
 if (Request::post('upload_file')) {
- if ($_FILES['file']) {
- if ( ! in_array(File::ext($_FILES['file']['name']), $forbidden_types)) {
- move_uploaded_file($_FILES['file']['tmp_name'], $files_path.Security::safeName(basename($_FILES['file']['name'], File::ext($_FILES['file']['name'])), '-', true).'.'.File::ext($_FILES['file']['name']));
- Request::redirect($site_url.'admin/index.php?id=filesmanager&path='.$path);
+
+ if (Security::check(Request::post('csrf'))) {
+
+ if ($_FILES['file']) {
+ if ( ! in_array(File::ext($_FILES['file']['name']), $forbidden_types)) {
+ move_uploaded_file($_FILES['file']['tmp_name'], $files_path.Security::safeName(basename($_FILES['file']['name'], File::ext($_FILES['file']['name'])), '-', true).'.'.File::ext($_FILES['file']['name']));
+ Request::redirect($site_url.'admin/index.php?id=filesmanager&path='.$path);
+ }
 }
- }
+
+ } else { die('csrf detected!'); }
 }
 // Display view
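Review bot: The added Security::check guards only establish request intent; Request::get('delete_file') and Request::get('delete_dir') are still concatenated straight onto $files_path before File::delete and Dir::delete, so nothing in this hunk confines the deleted path to the managed directory (whether $files_path itself is normalised is not visible here). Before each delete, reject anything that is not a bare entry name, e.g. `$name = basename((string) Request::get('delete_file'));` followed by `if ($name === '' || $name !== Request::get('delete_file')) { die('invalid file name'); }`, and pass `$name` to File::delete; the delete_dir branch needs the same treatment. In the upload branch the return value of move_uploaded_file is ignored so the redirect fires even when the move failed, and the in_array extension check is non-strict and, unless File::ext already lower-cases, case-sensitive, so `in_array(strtolower(File::ext($_FILES['file']['name'])), $forbidden_types, true)` would be the safer comparison. Destructive deletes remain GET requests that carry the token in the query string, and `} else { die('csrf detected!'); }` is repeated three times and aborts mid-request with a bare string — a shared helper that sends a proper 403 response would read better and keep the three branches consistent. The enclosing function opens before and closes after this hunk.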
diff --git a/plugins/box/filesmanager/views/backend/index.view.php b/plugins/box/filesmanager/views/backend/index.view.php
old mode 100644
new mode 100755
index 8e5fb49..5844b41
--- a/plugins/box/filesmanager/views/backend/index.view.php
+++ b/plugins/box/filesmanager/views/backend/index.view.php
@@ -5,6 +5,7 @@ 'multipart/form-data')).
+ Form::hidden('csrf', Security::token()).
 Form::input('file', null, array('type' => 'file', 'size' => '25')).Html::br().
 Form::submit('upload_file', __('Upload', 'filesmanager'), array('class' => 'btn default btn-small')).
 Form::close()
@@ -50,7 +51,7 @@ 'btn', 'onclick' => "return confirmDelete('".__('Delete directory: :dir', 'filesmanager', array(':dir' => $dir))."')")); ?>
@@ -70,7 +71,7 @@ 'btn btn-actions', 'onclick' => "return confirmDelete('".__('Delete file: :file', 'filesmanager', array(':file' => $file))."')")); ?>