version 9.13.4

- fix Directory Traversal Allows to Read Any File (thanks to Simon Uvarov for reporting)
- fix Path Traversal While Upacking Archives (thanks to Simon Uvarov for reporting)
- Fix foreach warning on URL upload
- Fix http https URL upload
- add toggle on config for extract_files
- prevent image creation for broken links in URL upload (thanks to davodavodavo3)
- Migrate to yarn on development (thanks to mklkj)
- code refactoring

Author: trippo

changelog.txt

@@ -1,5 +1,19 @@
 Responsive Filemanager Changelog 
 
+*********************************************************
+*  RFM 9.13.4
+*********************************************************
+- fix Directory Traversal Allows to Read Any File (thanks to Simon Uvarov for reporting)
+- fix Path Traversal While Upacking Archives (thanks to Simon Uvarov for reporting)
+- Fix foreach warning on URL upload
+- Fix http https URL upload
+- add toggle on config for extract_files
+- prevent image creation for broken links in URL upload (thanks to davodavodavo3)
+- Migrate to yarn on development (thanks to mklkj)
+- code refactoring
+
+
+
 *********************************************************
 *  RFM 9.13.3
 *********************************************************

filemanager/ajax_calls.php

@@ -23,6 +23,21 @@
 	response(trans('Lang_Not_Found').AddErrorLocation())->send();
 	exit;
 }
+
+
+//check $_GET['file']
+if(isset($_GET['file']) && !checkRelativePath($_GET['file'])) {
+    response(trans('wrong path'))->send();
+    exit;
+}
+
+//check $_GET['file']
+if(isset($_GET['path']) && !checkRelativePath($_GET['path'])) {
+    response(trans('wrong path'))->send();
+    exit;
+}
+
+
 $ftp = ftp_con($config);
 
 if(isset($_GET['action']))
@@ -83,12 +98,7 @@
 		case 'save_img':
 			$info = pathinfo($_POST['name']);
 
-			if (
-				strpos($_POST['path'], '/') === 0
-				|| strpos($_POST['path'], '../') !== false
-				|| strpos($_POST['path'], '..\\') !== false
-				|| strpos($_POST['path'], './') === 0
-				|| (strpos($_POST['url'], 'http://s3.amazonaws.com/feather') !== 0 && strpos($_POST['url'], 'https://s3.amazonaws.com/feather') !== 0)
+			if ((strpos($_POST['url'], 'http://s3.amazonaws.com/feather') !== 0 && strpos($_POST['url'], 'https://s3.amazonaws.com/feather') !== 0)
 				|| $_POST['name'] != fix_filename($_POST['name'], $config)
 				|| ! in_array(strtolower($info['extension']), array( 'jpg', 'jpeg', 'png' ))
 			)
@@ -135,15 +145,9 @@
 			}
 			break;
 		case 'extract':
-			if (	strpos($_POST['path'], '/') === 0 
-				|| strpos($_POST['path'], '../') !== false 
-				|| strpos($_POST['path'], '..\\') !== false 
-				|| strpos($_POST['path'], './') === 0)
-			{
-				response(trans('wrong path'.AddErrorLocation()))->send();
-				exit;
+			if(!$config['extract_files']){
+				response(trans('wrong action'))->send();
 			}
-
 			if($ftp){
 				$path = $config['ftp_base_url'].$config['upload_dir'] . $_POST['path'];
 				$base_folder = $config['ftp_base_url'].$config['upload_dir'] . fix_dirname($_POST['path']) . "/";
@@ -186,28 +190,24 @@
 							exit;
 						}
 
-						//make all the folders
-						for ($i = 0; $i < $zip->numFiles; $i++)
-						{
-							$OnlyFileName = $zip->getNameIndex($i);
-							$FullFileName = $zip->statIndex($i);
-							if (substr($FullFileName['name'], -1, 1) == "/")
-							{
-								create_folder($base_folder . $FullFileName['name']);
-							}
-						}
-						//unzip into the folders
+						//make all the folders and unzip into the folders
 						for ($i = 0; $i < $zip->numFiles; $i++)
 						{
-							$OnlyFileName = $zip->getNameIndex($i);
 							$FullFileName = $zip->statIndex($i);
 
-							if ( ! (substr($FullFileName['name'], -1, 1) == "/"))
-							{
-								$fileinfo = pathinfo($OnlyFileName);
-								if (in_array(strtolower($fileinfo['extension']), $config['ext']))
+							if(checkRelativePath($FullFileName['name'])){
+								if (substr($FullFileName['name'], -1, 1) == "/")
 								{
-									copy('zip://' . $path . '#' . $OnlyFileName, $base_folder . $FullFileName['name']);
+									create_folder($base_folder . $FullFileName['name']);
+								}
+
+								if ( ! (substr($FullFileName['name'], -1, 1) == "/"))
+								{
+									$fileinfo = pathinfo($FullFileName['name']);
+									if (in_array(strtolower($fileinfo['extension']), $config['ext']))
+									{
+										copy('zip://' . $path . '#' . $FullFileName['name'], $base_folder . $FullFileName['name']);
+									}
 								}
 							}
 						}
@@ -232,7 +232,7 @@
 					$phar = new PharData($path);
 					$phar->decompressFiles();
 					$files = array();
-					check_files_extensions_on_phar($phar, $files, '', $config['ext']);
+					check_files_extensions_on_phar($phar, $files, '', $config);
 					$phar->extractTo($base_folder, $files, true);
 
 					break;
@@ -365,16 +365,7 @@
 		case 'copy_cut':
 			if ($_POST['sub_action'] != 'copy' && $_POST['sub_action'] != 'cut')
 			{
-				response(trans('wrong sub-action').AddErrorLocation())->send();
-				exit;
-			}
-
-			if (strpos($_POST['path'],'../') !== FALSE
-				|| strpos($_POST['path'],'./') !== FALSE 
-				|| strpos($_POST['path'],'..\\') !== FALSE
-				|| strpos($_POST['path'],'.\\') !== FALSE )
-			{
-				response(trans('wrong path'.AddErrorLocation()))->send();
+				response(trans('wrong sub-action'))->send();
 				exit;
 			}
 
@@ -611,7 +602,7 @@
 
 			if ($sub_action != 'preview' && $sub_action != 'edit')
 			{
-				response(trans('wrong action').AddErrorLocation())->send();
+				response(trans('wrong action'))->send();
 				exit;
 			}
 

filemanager/config/config.php

@@ -329,6 +329,7 @@
 	'rename_files'                            => true,
 	'rename_folders'                          => true,
 	'duplicate_files'                         => true,
+	'extract_files'                           => true,
 	'copy_cut_files'                          => true, // for copy/cut files
 	'copy_cut_dirs'                           => true, // for copy/cut directories
 	'chmod_files'                             => true, // change file permissions

filemanager/dialog.php

@@ -47,15 +47,8 @@
 }elseif(isset($_SESSION['RF']['fldr']) && !empty($_SESSION['RF']['fldr'])){
 	$subdir_path = rawurldecode(trim(strip_tags($_SESSION['RF']['fldr']),"/"));
 }
-$subdir_path_decoded = urldecode($subdir_path);
-if (strpos($subdir_path,'../') === FALSE
-	&& strpos($subdir_path,'./') === FALSE
-	&& strpos($subdir_path,'..\\') === FALSE
-	&& strpos($subdir_path,'.\\') === FALSE
-	&& strpos($subdir_path_decoded,'../') === FALSE
-	&& strpos($subdir_path_decoded,'./') === FALSE
-	&& strpos($subdir_path_decoded,'..\\') === FALSE
-	&& strpos($subdir_path_decoded,'.\\') === FALSE)
+
+if ( checkRelativePath($subdir_path))
 {
 	$subdir = strip_tags($subdir_path) ."/";
 	$_SESSION['RF']['fldr'] = $subdir_path;
@@ -99,9 +92,10 @@
 }
 $rfm_subfolder = '';
 
-if (!empty($_SESSION['RF']["subfolder"]) && strpos($_SESSION['RF']["subfolder"],'../') === FALSE && strpos($_SESSION['RF']["subfolder"],'..\\') === FALSE
-&& strpos($_SESSION['RF']["subfolder"],'./') === FALSE && strpos($_SESSION['RF']["subfolder"],"/") !== 0
-&& strpos($_SESSION['RF']["subfolder"],'.') === FALSE)
+if (!empty($_SESSION['RF']["subfolder"]) 
+	&& strpos($_SESSION['RF']["subfolder"],"/") !== 0
+	&& strpos($_SESSION['RF']["subfolder"],'.') === FALSE
+)
 {
 	$rfm_subfolder = $_SESSION['RF']['subfolder'];
 }
@@ -257,7 +251,7 @@
 	$ext_tmp = array();
 	foreach($extensions as $extension){
 		$extension = fix_strtolower($extension);
-		if(in_array( $extension, $config['ext'])){
+		if(check_file_extension( $extension, $config)){
 			$ext_tmp[]=$extension;
 		}
 	}
@@ -482,6 +476,7 @@
 	<input type="hidden" id="lang_error_upload" value="<?php echo trans('Error_Upload');?>" />
 	<input type="hidden" id="lang_select" value="<?php echo trans('Select');?>" />
 	<input type="hidden" id="lang_extract" value="<?php echo trans('Extract');?>" />
+	<input type="hidden" id="extract_files" value="<?php if($config['extract_files']) echo 1; else echo 0;?>" />
 	<input type="hidden" id="transliteration" value="<?php echo $config['transliteration']?"true":"false";?>" />
 	<input type="hidden" id="convert_spaces" value="<?php echo $config['convert_spaces']?"true":"false";?>" />
 	<input type="hidden" id="replace_with" value="<?php echo $config['convert_spaces']? $config['replace_with'] : "";?>" />

filemanager/execute.php

@@ -9,13 +9,9 @@
 	exit;
 }
 
-if (strpos($_POST['path'],'/')===0
-	|| strpos($_POST['path'],'../')!==FALSE
-	|| strpos($_POST['path'],'./')===0
-	|| strpos($_POST['path'],'..\\')!==FALSE
-	|| strpos($_POST['path'],'.\\')===0)
+if (!checkRelativePath($_POST['path']))
 {
-	response(trans('wrong path'.AddErrorLocation()))->send();
+	response(trans('wrong path'))->send();
 	exit;
 }
 
@@ -373,7 +369,7 @@ function returnPaths($_path,$_name,$config){
 
 			// something terribly gone wrong
 			if ($action != 'copy' && $action != 'cut'){
-				response(trans('wrong action').AddErrorLocation())->send();
+				response(trans('wrong action'))->send();
 				exit;
 			}
 			if($ftp){
@@ -514,7 +510,7 @@ function returnPaths($_path,$_name,$config){
 
 			break;
 		default:
-			response(trans('wrong action').AddErrorLocation())->send();
+			response(trans('wrong action'))->send();
 			exit;
 	}
 }

filemanager/force_download.php

@@ -12,20 +12,16 @@
 }
 
 
-if (
+if (!checkRelativePath($_POST['path']) ||
     strpos($_POST['path'], '/') === 0
-    || strpos($_POST['path'], '../') !== false
-    || strpos($_POST['path'], './') === 0
-    || strpos($_POST['path'], '..\\') !== false
-    || strpos($_POST['path'], '.\\') === 0
 ) {
-    response(trans('wrong path' . AddErrorLocation()), 400)->send();
+    response(trans('wrong path'), 400)->send();
     exit;
 }
 
 
 if (strpos($_POST['name'], '/') !== false) {
-    response(trans('wrong path' . AddErrorLocation()), 400)->send();
+    response(trans('wrong path' ), 400)->send();
     exit;
 }
 

filemanager/include/utils.php

@@ -94,6 +94,32 @@ function trans($var)
 	}
 }
 
+
+
+
+/**
+* Check relative path
+*
+* @param  string  $path
+*
+* @return boolean is it correct?
+*/
+function checkRelativePath($path){
+	$path_correct = true;
+	$path_decoded = rawurldecode($path);
+	if (strpos($path, '../') !== false
+        || strpos($path, './') !== false
+        || strpos($path, '..\\') !== false
+        || strpos($path, '.\\') !== false
+    	|| strpos($path_decoded, '../') !== false
+        || strpos($path_decoded, './') !== false
+        || strpos($path_decoded, '..\\') !== false
+        || strpos($path_decoded, '.\\') !== false) {
+        $path_correct = false;
+    }
+    return $path_correct;
+}
+
 /**
 * Delete file
 *
@@ -567,6 +593,34 @@ function check_files_extensions_on_path($path, $ext)
 	}
 }
 
+
+/**
+* Check file extension 
+*
+* @param  string  $extension
+* @param  array   $config
+*/
+
+function check_file_extension($extension,$config){
+	$check = false;
+	if (!$config['ext_blacklist']) {
+		if(in_array(mb_strtolower($extension), $conf['ext'])){
+			$check = true;
+		}
+    } else {
+    	if(!in_array(mb_strtolower($extension), $conf['ext_blacklist'])){
+			$check = true;
+		}
+    }
+
+	if($config['files_without_extension'] && $extension == ''){
+		$check = true;
+	}
+
+	return $check;
+}
+
+
 /**
 * Get file extension present in PHAR file
 *
@@ -575,13 +629,13 @@ function check_files_extensions_on_path($path, $ext)
 * @param  string  $basepath
 * @param  string  $ext
 */
-function check_files_extensions_on_phar($phar, &$files, $basepath, $ext)
+function check_files_extensions_on_phar($phar, &$files, $basepath, $config)
 {
 	foreach ($phar as $file)
 	{
 		if ($file->isFile())
 		{
-			if (in_array(mb_strtolower($file->getExtension()), $ext))
+			if (check_file_extension($file->getExtension()))
 			{
 				$files[] = $basepath . $file->getFileName();
 			}
@@ -591,7 +645,7 @@ function check_files_extensions_on_phar($phar, &$files, $basepath, $ext)
 			if ($file->isDir())
 			{
 				$iterator = new DirectoryIterator($file);
-				check_files_extensions_on_phar($iterator, $files, $basepath . $file->getFileName() . '/', $ext);
+				check_files_extensions_on_phar($iterator, $files, $basepath . $file->getFileName() . '/', $config);
 			}
 		}
 	}

filemanager/upload.php

@@ -34,11 +34,8 @@
 
     $fldr = rawurldecode(trim(strip_tags($_POST['fldr']), "/") . "/");
 
-    if (strpos($fldr, '../') !== false
-        || strpos($fldr, './') !== false
-        || strpos($fldr, '..\\') !== false
-        || strpos($fldr, '.\\') !== false) {
-        response(trans('wrong path' . AddErrorLocation()))->send();
+    if (!checkRelativePath($fldr)) {
+        response(trans('wrong path'))->send();
         exit;
     }
 

gulpfile.js

@@ -88,9 +88,4 @@ elixir(function (mix) {
         ['modernizr.custom.js'],
         'filemanager/js/modernizr.custom.js'
     );
-
-    mix.scripts(
-        ['load_more.js'],
-        'filemanager/js/load_more.js'
-    );
 });