/branches/2.8.x/wb/admin/media/rename2.php - Diff - WB 2.08.x - Tracking

« Previous | Next »

Revision 1475

Added by Dietmar over 13 years ago

+ add SecureForm.mtab.php under mantennance by WebsiteBaker Community
! security fixes media, groups, users, sections

change lang variable to remove upgrade-script
! reworked add sections in pages
! fix set empty href in show_menu2
! set show_menu2 version to 4.9.6
! reworked Droplet LoginBox, add redirect query
- remove unneeded folder js
! set Droplet to version 1.1.0
+ add checkboxes to change frontend absolute url to relative urls
! set output_filter version to 0.2

     // Include the WB functions file
     require_once(WB_PATH.'/framework/functions.php');
     // Get list of file types to which we're supposed to append 'txt'
     $get_result = $database->query("SELECT value FROM ".TABLE_PREFIX."settings WHERE name='rename_files_on_upload' LIMIT 1");
     $file_extension_string = '';
     if ($get_result->numRows()>0) {
     	$fetch_result = $get_result->fetchRow();
     	$file_extension_string = $fetch_result['value'];
+    }
     $file_extensions=explode(",",$file_extension_string);
     // Get the current dir
     // $directory = $admin->get_post('dir');
     // Target location
     $requestMethod = '_'.strtoupper($_SERVER['REQUEST_METHOD']);
     $directory = (isset(${$requestMethod}['dir'])) ? ${$requestMethod}['dir'] : '';
     if($directory == '/') {
     	$directory = '';
+    }
     $directory = ($directory == '/') ?  '' : $directory;
     // Check to see if it contains ..
     $dirlink = 'browse.php?dir='.$directory;
     $rootlink = 'browse.php?dir=';
     // $file_id = intval($admin->get_post('id'));
     // first Check to see if it contains ..
     if (!check_media_path($directory)) {
     	$admin->print_header();
     	$admin->print_error($MESSAGE['MEDIA']['DIR_DOT_DOT_SLASH']);
     	$admin->print_error($MESSAGE['MEDIA']['DIR_DOT_DOT_SLASH'],$rootlink, false);
+    }
     // Get the temp id
     $file_id = $admin->checkIDKEY('id', false, 'POST');
     $file_id = intval($admin->checkIDKEY('id', false, $_SERVER['REQUEST_METHOD']));
     if (!$file_id) {
     	$admin->print_error($MESSAGE['GENERIC_SECURITY_ACCESS']);
     	$admin->print_error($MESSAGE['GENERIC_SECURITY_ACCESS'],$dirlink, false);
+    }
     // Check for potentially malicious files and append 'txt' to their name
     $rename_file_types  = str_replace(',','|',RENAME_FILES_ON_UPLOAD);
     // hardcodet forbidden filetypes
     $forbidden_file_types = 'phtml|php5|php4|php|cgi|pl|exe|com|bat|src|'.$rename_file_types;
     // Get home folder not to show
     $home_folders = get_home_folders();
-...
     if($handle = opendir(WB_PATH.MEDIA_DIRECTORY.'/'.$directory)) {
     	// Loop through the files and dirs an add to list
        while (false !== ($file = readdir($handle))) {
     		$info = pathinfo($file);
     		$ext = isset($info['extension']) ? $info['extension'] : '';
     		if(substr($file, 0, 1) != '.' AND $file != '.svn' AND $file != 'index.php') {
     			if(is_dir(WB_PATH.MEDIA_DIRECTORY.$directory.'/'.$file)) {
     				if(!isset($home_folders[$directory.'/'.$file])) {
     					$DIR[] = $file;
     			if( !preg_match('/'.$forbidden_file_types.'$/i', $ext) ) {
     				if(is_dir(WB_PATH.MEDIA_DIRECTORY.$directory.'/'.$file)) {
     					if(!isset($home_folders[$directory.'/'.$file])) {
     						$DIR[] = $file;
+    					}
     				} else {
     					$FILE[] = $file;
+    				}
     			} else {
     				$FILE[] = $file;
+    			}
+    		}
+    	}
-...
+    		}
+    	}
+    }
     $file_id = $admin->getIDKEY($file_id);
     if(!isset($rename_file)) {
     	$admin->print_error($MESSAGE['MEDIA']['FILE_NOT_FOUND'], "browse.php?dir=$directory", false);
     	$admin->print_error($MESSAGE['MEDIA']['FILE_NOT_FOUND'], $dirlink, false);
+    }
     // Check if they entered a new name
-...
     // Join new name and extension
     $name = $new_name.$extension;
     $info = pathinfo(WB_PATH.MEDIA_DIRECTORY.$directory.'/'.$name);
     $ext = isset($info['extension']) ? $info['extension'] : '';
     $dots = (substr($info['basename'], 0, 1) == '.') || (substr($info['basename'], -1, 1) == '.');
     if( preg_match('/'.$forbidden_file_types.'$/i', $ext) || $dots == '.' ) {
     	$admin->print_error($MESSAGE['MEDIA']['CANNOT_RENAME'], "rename.php?dir=$directory&id=$file_id", false);
+    }
     // Check if the name contains ..
     if(strstr($name, '..')) {
     	$admin->print_error($MESSAGE['MEDIA']['NAME_DOT_DOT_SLASH'], "rename.php?dir=$directory&id=$file_id", false);
-...
     	$admin->print_error($MESSAGE['MEDIA']['BLANK_NAME'], "rename.php?dir=$directory&id=$file_id", false);
+    }
     // Check for potentially malicious files and append 'txt' to their name
     foreach($file_extensions as $file_ext) {
     	$file_ext_len=strlen($file_ext);
     	if (substr($name,-$file_ext_len)==$file_ext) {
     		$name.='.txt';
+    	}
+    }
     $info = pathinfo(WB_PATH.MEDIA_DIRECTORY.$directory.'/'.$rename_file);
     $ext = isset($info['extension']) ? $info['extension'] : '';
     $dots = (substr($info['basename'], 0, 1) == '.') || (substr($info['basename'], -1, 1) == '.');
     if( preg_match('/'.$forbidden_file_types.'$/i', $ext) || $dots == '.' ) {
     	$admin->print_error($MESSAGE['MEDIA']['CANNOT_RENAME'], "rename.php?dir=$directory&id=$file_id", false);
+    }
     // Check if we should overwrite or not
     if($admin->get_post('overwrite') != 'yes' AND file_exists(WB_PATH.MEDIA_DIRECTORY.$directory.'/'.$name) == true) {
-...
         // feature freeze
     	// require_once(ADMIN_PATH.'/media/dse.php');
     	$admin->print_success($MESSAGE['MEDIA']['RENAMED'], "browse.php?dir=$directory");
     	$admin->print_success($MESSAGE['MEDIA']['RENAMED'], $dirlink);
     } else {
     	$admin->print_error($MESSAGE['MEDIA']['CANNOT_RENAME'], "rename.php?dir=$directory&id=$file_id", false);
+    }

Also available in: Unified diff

Project

General

Profile

WB 2.08.x

Revision 1475

Added by Dietmar over 13 years ago