* Fix the RCE vuln via Upload from URL
This commit attemps to fix the Remote Code Execution
(authenticated) via Upload from URL. Some notes about
the proposed solution:
* A new function (fm_is_file_allowed) has been created to
validate if the filename is allowed. This function gets the
the filename as parameter and returns true if it validates
as allowed. Otherwise returns false (the default).
* It's better to have such validatation(s) in one place
instead of spread all over the code. There are other places in
the application where the filename is validated and they should
all be refactored to call this function. Then we can focus
all needed validations in one place only!
NOTE: This refactoring was not done - the only goal was to fix
this security vulnerability only.
* The fm_is_file_allowed() function validates the filename
based on its extension only. No other validatation(s) have been
implemented in this commit.
* File extensions are assumed to be case-insensitive.
For example, php == PHP == Php == PhP, etc. This is consitent
with some web servers. Without this, the user will have to populate
the $allowed_extensions with all possible allowed combinations.
* Although, there is one drawback to the current solution, which
is that all files must have an extension to be uploaded. This is not
consitent with modern filesystems. Maybe a better solution would be
to automatically append an extension to the filename if no
extension has been found (e.g., .html or .txt which are generally
considered to be harmless). This must be decided by the
application's maintainers.
* Fix the RCE vulns via new/rename file
Sanitize the arguments to stat using escapeshellarg()
Co-authored-by: Jorge Morgado <jorge@morgado.ch>
Setting $hide_Cols=true while having FM_IS_WIN=false will lead to a "Type error" when setting up the dataTable. The desired page is generated, but the Search function does not work, as the dataTable is broken.
With this fix the dataTable is written accordingly, with either FM_IS_WIN or $hide_Cols set or unset.
FastCGI sent in stderr: "PHP message: PHP Warning: Use of undefined constant online_viewer - assumed 'online_viewer' (this will throw an Error in a future version of PHP) in /www/admin/index.php on line 1383
view file is insecure #187
Get files size (recursive) #186
There is no possibility for translation for some hints (title =) #185
View dirSize instead of word "Folder" #184
Document type detection #183
Stored Cross-site Scripting (XSS) Vulnerability detected in File Names #180
strings in code #177
Remove tracking #164
* Add Arabic Translation
* add some keywords and handling Fixed keywords [untranslated]
* add new translation words
* improve existing translation words
