From f8cedbcf5952471c813a5034a80144b3f82f6fd0 Mon Sep 17 00:00:00 2001
From: Prasath Mani
Date: Sun, 20 Nov 2022 16:59:29 +0530
Subject: [PATCH] Fix Security related issues

---
 tinyfilemanager.php | 169 ++++++++++++++++++++++----------------------
 translation.json | 2 +-
 2 files changed, 84 insertions(+), 87 deletions(-)

diff --git a/tinyfilemanager.php b/tinyfilemanager.php
index 1c0f7f8..68be0e3 100644
--- a/tinyfilemanager.php
+++ b/tinyfilemanager.php
@@ -3,7 +3,7 @@
 $CONFIG = '{"lang":"en","error_reporting":false,"show_hidden":false,"hide_Cols":false,"theme":"light"}';
 /**
- * H3K | Tiny File Manager V2.5.0
+ * H3K | Tiny File Manager V2.5.1
 * @author Prasath Mani | CCP Programmers
 * @email ccpprogrammers@gmail.com
 * @github https://github.com/prasathmani/tinyfilemanager
@@ -11,7 +11,7 @@ $CONFIG = '{"lang":"en","error_reporting":false,"show_hidden":false,"hide_Cols":
 */
 //TFM version
-define('VERSION', '2.5.0');
+define('VERSION', '2.5.1');
 //Application Title
 define('APP_TITLE', 'Tiny File Manager');
@@ -471,7 +471,7 @@ if (isset($_POST['ajax'], $_POST['token']) && !FM_READONLY) {
 // backup files
 if (isset($_POST['type']) && $_POST['type'] == "backup" && !empty($_POST['file'])) {
- $fileName = $_POST['file'];
+ $fileName = fm_clean_path($_POST['file']);
 $fullPath = FM_ROOT_PATH . '/';
 if (!empty($_POST['path'])) {
 $relativeDirPath = fm_clean_path($_POST['path']);
@@ -795,6 +795,7 @@ if (isset($_POST['file'], $_POST['copy_to'], $_POST['finish'], $_POST['token'])
 if (is_array($files) && count($files)) {
 foreach ($files as $f) {
 if ($f != '') {
+ $f = fm_clean_path($f);
 // abs path from
 $from = $path . '/' . $f;
 // abs path to
@@ -893,6 +894,7 @@ if (!empty($_FILES) && !FM_READONLY) {
 $override_file_name = false;
 $chunkIndex = $_POST['dzchunkindex'];
 $chunkTotal = $_POST['dztotalchunkcount'];
+ $fullPathInput = fm_clean_path($_REQUEST['fullpath']);
 $f = $_FILES;
 $path = FM_ROOT_PATH;
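Review bot: The new `$fileName = fm_clean_path($_POST['file']);` in the backup handler normalises the value as a path, but it is never run through `fm_isvalid_filename`, which the upload handler in this same commit uses for its names; if fm_clean_path keeps directory separators (its definition is not in the hunk), a value such as `sub/dir/x` still selects a file outside the requested `path`. Consider `$fileName = basename(fm_clean_path($_POST['file']));` or rejecting names that fail `fm_isvalid_filename`. Whether `$fullPath` is later confined to FM_ROOT_PATH (e.g. via a realpath comparison) is outside this hunk, and the handler continues past it.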
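Review bot: In the copy handler the added `$f = fm_clean_path($f);` runs after the `if ($f != '')` guard, so an entry that cleans down to an empty string (one consisting only of `..` or separators, depending on what fm_clean_path strips — its definition is not in the hunk) reaches `$from = $path . '/' . $f` and names the source directory itself. Re-check after cleaning: `$f = fm_clean_path($f); if ($f === '') { continue; }`. The foreach body and the enclosing handler continue past the hunk.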
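Review bot: `$fullPathInput = fm_clean_path($_REQUEST['fullpath']);` dereferences the key without an `isset`/`??` guard, so an upload that omits `fullpath` emits an undefined-index warning and passes null into fm_clean_path before the name validation further down; `$fullPathInput = fm_clean_path($_REQUEST['fullpath'] ?? '');` keeps the later `fm_isvalid_filename` check meaningful. Reading the value from `$_REQUEST` also accepts it from the query string or a cookie rather than only the POST body, so `$_POST['fullpath']` would be the narrower source if the client always posts it. The upload handler continues past the hunk.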
@@ -914,7 +916,7 @@ if (!empty($_FILES) && !FM_READONLY) {
 $ext = pathinfo($filename, PATHINFO_FILENAME) != '' ? strtolower(pathinfo($filename, PATHINFO_EXTENSION)) : '';
 $isFileAllowed = ($allowed) ? in_array($ext, $allowed) : true;
- if(!fm_isvalid_filename($filename) && !fm_isvalid_filename($_REQUEST['fullpath'])) {
+ if(!fm_isvalid_filename($filename) && !fm_isvalid_filename($fullPathInput)) {
 $response = array (
 'status' => 'error',
 'info' => "Invalid File name!",
@@ -924,12 +926,12 @@ if (!empty($_FILES) && !FM_READONLY) {
 $targetPath = $path . $ds;
 if ( is_writable($targetPath) ) {
- $fullPath = $path . '/' . basename($_REQUEST['fullpath']);
+ $fullPath = $path . '/' . basename($fullPathInput);
 $folder = substr($fullPath, 0, strrpos($fullPath, "/"));
 if(file_exists ($fullPath) && !$override_file_name && !$chunks) {
 $ext_1 = $ext ? '.'.$ext : '';
- $fullPath = $path . '/' . basename($_REQUEST['fullpath'], $ext_1) .'_'. date('ymdHis'). $ext_1;
+ $fullPath = $path . '/' . basename($fullPathInput, $ext_1) .'_'. date('ymdHis'). $ext_1;
 }
 if (!is_dir($folder)) {
@@ -1025,7 +1027,7 @@ if (isset($_POST['group'], $_POST['delete'], $_POST['token']) && !FM_READONLY) {
 if (is_array($files) && count($files)) {
 foreach ($files as $f) {
 if ($f != '') {
- $new_path = $path . '/' . $f;
+ $new_path = fm_clean_path($path . '/' . $f);
 if (!fm_rdelete($new_path)) {
 $errors++;
 }
@@ -1590,7 +1592,6 @@ if (isset($_GET['help'])) {
 // file viewer
 if (isset($_GET['view'])) {
 $file = $_GET['view'];
- $quickView = (isset($_GET['quickView']) && $_GET['quickView'] == 1) ? true : false;
 $file = fm_clean_path($file, false);
 $file = str_replace('/', '', $file);
 if ($file == '' || !is_file($path . '/' . $file) || in_array($file, $GLOBALS['exclude_items'])) {
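Review bot: The condition `if(!fm_isvalid_filename($filename) && !fm_isvalid_filename($fullPathInput))` rejects the upload only when both names are invalid, so a request with a valid `$filename` and an invalid `fullpath` passes validation and `basename($fullPathInput)` is what later becomes the on-disk name; the commit swaps the variable but keeps this logic. Change the operator: `if (!fm_isvalid_filename($filename) || !fm_isvalid_filename($fullPathInput)) {`. The upload handler continues past the hunk.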
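Review bot: The delete handler cleans the already-joined absolute path, `fm_clean_path($path . '/' . $f)`, whereas the copy handler in this commit cleans the user-supplied `$f` before joining; if fm_clean_path trims leading separators or collapses segments of the prefix (its definition is not in the hunk), the root portion of `$path` can be altered and `fm_rdelete` runs against a different location. Cleaning the entry first keeps the two handlers consistent and lets an empty result be caught: `$f = fm_clean_path($f); if ($f === '') { $errors++; continue; }` followed by `$new_path = $path . '/' . $f;`. The foreach body and the handler continue past the hunk.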
@@ -1598,10 +1599,8 @@ if (isset($_GET['view'])) {
 $FM_PATH=FM_PATH;
 fm_redirect(FM_SELF_URL . '?p=' . urlencode($FM_PATH));
 }
- if(!$quickView) {
- fm_show_header(); // HEADER
- fm_show_nav_path(FM_PATH); // current path
- }
+ fm_show_header(); // HEADER
+ fm_show_nav_path(FM_PATH); // current path
 $file_url = FM_ROOT_URL . fm_convert_win((FM_PATH != '' ? '/' . FM_PATH : '') . '/' . $file);
 $file_path = $path . '/' . $file;
@@ -1648,82 +1647,80 @@ if (isset($_GET['view'])) {
 ?>
- -

""

-

- Full path:
- File size:
- MIME-type:
- ""

+

+ Full path:
+ File size:
+ MIME-type:
+ - Files in archive:
- Total size:
- Size in archive:
- Compression: %
- '; - } - // Text info - if ($is_text) { - $is_utf8 = fm_is_utf8($content); - if (function_exists('iconv')) { - if (!$is_utf8) { - $content = iconv(FM_ICONV_INPUT_ENC, 'UTF-8//IGNORE', $content); - } - } - echo 'Charset: ' . ($is_utf8 ? 'utf-8' : '8 bit') . '
'; + $total_comp += $fn['compressed_size']; + $total_uncomp += $fn['filesize']; } ?> -

-
-   - + Files in archive:
+ Total size:
+ Size in archive:
+ Compression: %
-
- - - -
  -
- - - - -
  - '; + } + // Text info + if ($is_text) { + $is_utf8 = fm_is_utf8($content); + if (function_exists('iconv')) { + if (!$is_utf8) { + $content = iconv(FM_ICONV_INPUT_ENC, 'UTF-8//IGNORE', $content); + } } - if ($is_text && !FM_READONLY) { - ?> - -   - -   - - -
+ echo 'Charset: ' . ($is_utf8 ? 'utf-8' : '8 bit') . '
'; + } + ?> +

+
+   + +
+ + + +
  +
+ + + + +
  + + +   + +   + + +
+ '; @@ -1783,14 +1780,12 @@ if (isset($_GET['view'])) {
addFileOrDir($f)) { $this->zip->close(); return false; @@ -3277,6 +3273,7 @@ class FM_Zipper_Tar $this->tar = new PharData($filename); if (is_array($files)) { foreach ($files as $f) { + $f = fm_clean_path($f); if (!$this->addFileOrDir($f)) { return false; } @@ -4024,7 +4021,7 @@ $isStickyNavBar = $sticky_navbar ? 'navbar-fixed' : 'navbar-normal'; }); }); -
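Review bot: In FM_Zipper_Tar the cleaned entry from `$f = fm_clean_path($f);` is passed straight to `addFileOrDir` with no emptiness check, so an entry that reduces to `''` (for example one made only of `..`, depending on what fm_clean_path strips — its definition is not in this hunk) is handed to addFileOrDir as the current directory rather than rejected; guard it with `if ($f === '' || !$this->addFileOrDir($f)) { return false; }`. The archive name given to `new PharData($filename)` is not cleaned here, which presumably is handled by the caller. The enclosing method starts before the hunk and continues past it.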