Example #1
    $tmpl->setvar('dir', $dir);
    $tmpl->setvar('_REN_FILE', $cfg['_REN_FILE']);
    $tmpl->setvar('_REN_STRING', $cfg['_REN_STRING']);
} else {
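    // Rename request: the entry to rename, its new name and the containing
    // directory all come from the request and are joined onto $cfg["path"].
    $file = tfb_getRequestVar('fileFrom');
    $fileTo = tfb_getRequestVar('fileTo');
    $dir = tfb_getRequestVar('dir');
    $sourceDir = $cfg["path"] . $dir;
    $targetDir = $cfg["path"] . $dir . $fileTo;
    // Add slashes if magic_quotes off:
    // NOTE(review): addslashes() is not shell quoting; it only changes the
    // strings that are validated and handed to mv below. It is kept so that
    // ordinary names behave exactly as before. get_magic_quotes_gpc() was
    // removed in PHP 8 - confirm which PHP versions this file must run on.
    if (get_magic_quotes_gpc() !== 1) {
        $targetDir = addslashes($targetDir);
        $sourceDir = addslashes($sourceDir);
    }
    // only valid dirs + entries with permission
    // NOTE(review): the mv below is still reached unless error() ends the
    // request; error() is not visible here - confirm that it terminates.
    if (!(tfb_isValidPath($sourceDir) && tfb_isValidPath($sourceDir . $file) && tfb_isValidPath($targetDir) && isValidEntry($file) && isValidEntry($fileTo) && hasPermission($dir, $cfg["user"], 'w'))) {
        AuditAction($cfg["constants"]["error"], "ILLEGAL RENAME: " . $cfg["user"] . " tried to rename " . $file . " in " . $dir . " to " . $fileTo);
        @error("Illegal rename. Action has been logged.", "", "");
    }
    // Quote both mv operands with escapeshellarg() instead of wrapping them in
    // hand-written single quotes: a quote character inside a name can then no
    // longer end the argument, independent of what the validators allow.
    // NOTE(review): escapeshellarg() is locale-aware - confirm LC_CTYPE is a
    // UTF-8 locale if names may contain non-ASCII characters.
    $cmd = 'mv ' . escapeshellarg($sourceDir . $file) . ' ' . escapeshellarg($targetDir);
    $cmd .= ' 2>&1';
    $handle = popen($cmd, 'r');
    // NOTE(review): $gotError always ends up 0 here (-1 + 1). Neither the
    // popen() result nor mv's exit status from pclose() is checked, so a
    // failed rename is only visible through the first line of mv's output.
    $gotError = -1;
    $buff = fgets($handle);
    $gotError = $gotError + 1;
    pclose($handle);
    // template
    $tmpl->setvar('is_start', 0);
    // NOTE(review): mv output can echo file names; nl2br() does not HTML-encode.
    // Whether the template layer escapes 'messages' is not visible - confirm.
    $tmpl->setvar('messages', nl2br($buff));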
    if ($gotError <= 0) {
Example #2
             array_push($target_list, array('name' => $targetName, 'selected' => $target == $targetName ? 1 : 0));
         }
     }
     @closedir($dirHandle);
 }
 // stop here if no targets found
 // (the `break` leaves an enclosing switch/loop that starts above this excerpt)
 if (empty($target_list)) {
     $tmpl->setvar('content', "<br><p><strong>No Targets found.</strong></p>");
     break;
 }
 // set target-list
 $tmpl->setloop('target_list', $target_list);
 // target-content: the include file is derived from $target, whose origin is
 // not visible in this excerpt.
 $targetFile = _MRTG_DIR_INPUT . "/" . $target . ".inc";
 // check target: all three conditions must hold - tfb_isValidPath() returns
 // exactly true, $target consists only of [0-9a-zA-Z_] (the D modifier stops
 // `$` from matching before a trailing newline), and the file exists.
 // NOTE(review): the read below is still reached unless error() ends the
 // request; error() is not visible here - confirm that it terminates.
 if (!(tfb_isValidPath($targetFile) === true && preg_match('/^[0-9a-zA-Z_]+$/D', $target) && @is_file($targetFile))) {
     AuditAction($cfg["constants"]["error"], "ILLEGAL MRTG-TARGET: " . $cfg["user"] . " tried to access " . $target);
     @error("Invalid Target", "", "", array($target));
 }
 // `@` hides read failures, so $content may be false at this point.
 $content = @file_get_contents($targetFile);
 // we are only interested in the "real" content
 $tempAry = explode("_CONTENT_BEGIN_", $content);
 if (is_array($tempAry)) {
     $tempVar = array_pop($tempAry);
     $tempAry = explode("_CONTENT_END_", $tempVar);
     if (is_array($tempAry)) {
         $content = array_shift($tempAry);
         // rewrite image-links
         $content = preg_replace('/(.*")(.*)(png".*)/i', '${1}' . _IMAGE_URL . _IMAGE_PREFIX_MRTG . '${2}${3}', $content);
         // set var
         $tmpl->setvar('content', $content);
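/**
 * Deletes the downloaded data of a transfer.
 *
 * Two paths exist. When $cfg["transmission_rpc_enable"] is 2 and $transfer
 * is a hash for which getTransmissionTransfer() returns an array, the
 * torrent is removed through the Transmission client, with true passed as
 * the second argument of remove(). Otherwise the data path of a ".torrent"
 * transfer is resolved, checked with tfb_isValidPath() and deleted,
 * provided the current user is an admin or the owner of the transfer.
 *
 * NOTE(review): the Transmission branch runs without the isAdmin/IsOwner
 * check that guards the file-based branch. Whether
 * getTransmissionTransfer() already limits results to the current user is
 * not visible here - confirm, or add an ownership check.
 *
 * @param string $transfer name of the transfer (a hash in the Transmission branch)
 * @return array audit messages of rejected deletes; empty otherwise
 */
function deleteTransferData($transfer)
{
    global $cfg, $transfers;
    $msgs = array();
    $isTransmissionTorrent = false;
    if ($cfg["transmission_rpc_enable"] == 2 && isHash($transfer)) {
        require_once 'inc/classes/Transmission.class.php';
        $trans = new Transmission();
        require_once 'inc/functions/functions.rpc.transmission.php';
        $theTorrent = getTransmissionTransfer($transfer, array('hashString', 'id', 'name'));
        $isTransmissionTorrent = is_array($theTorrent);
    }
    if ($isTransmissionTorrent) {
        $response = $trans->remove($theTorrent['id'], true);
        // The key has to be a quoted string: a bare `result` is an undefined
        // constant, which raises an Error on PHP 8.
        if ($response['result'] != "success") {
            @error("Delete of torrent failed", "", "", $response['result']);
        }
    } else {
        if ($cfg['isAdmin'] || IsOwner($cfg["user"], getOwner($transfer))) {
            // only torrent
            if (substr($transfer, -8) != ".torrent") {
                return $msgs;
            }
            // delete data
            $datapath = getTransferDatapath($transfer);
            // An empty or "." data path is skipped, so the save path itself
            // is never handed to avddelete().
            if ($datapath != "" && $datapath != ".") {
                $targetPath = getTransferSavepath($transfer) . $datapath;
                if (tfb_isValidPath($targetPath)) {
                    if (@is_dir($targetPath) || @is_file($targetPath)) {
                        avddelete($targetPath);
                        AuditAction($cfg["constants"]["fm_delete"], $targetPath);
                    }
                } else {
                    // Path failed validation: log it and report it to the caller.
                    $msg = "ILLEGAL DELETE: " . $cfg["user"] . " attempted to delete data of " . $transfer;
                    AuditAction($cfg["constants"]["error"], $msg);
                    $msgs[] = $msg;
                }
            }
        } else {
            // Neither admin nor owner: log it and report it to the caller.
            $msg = "ILLEGAL DELETE: " . $cfg["user"] . " attempted to delete data of " . $transfer;
            AuditAction($cfg["constants"]["error"], $msg);
            $msgs[] = $msg;
        }
    }
    return $msgs;
}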
    @error("Required binary could not be found", "", "", $cfg['isAdmin'] ? array('cksfv is required for sfv-checking', 'Specified cksfv-binary does not exist: ' . $cfg['bin_cksfv'], 'Check Settings on Admin-Server-Settings Page') : array('Please contact an Admin'));
}
// target: directory and .sfv file to check, both taken from the request
$dir = tfb_getRequestVar('dir');
$file = tfb_getRequestVar('file');
// validate dir + file
// NOTE(review): each value is validated only when it is non-empty, yet both
// are passed to the command below in every case.
if (!empty($dir)) {
    // NOTE(review): str_replace() removes every occurrence of $cfg["path"],
    // not only a leading one. The permission check runs on that stripped
    // value while the command below uses the original $dir - confirm the two
    // always refer to the same location.
    $dirS = str_replace($cfg["path"], '', $dir);
    if (!(tfb_isValidPath($dir) && hasPermission($dirS, $cfg["user"], 'r'))) {
        AuditAction($cfg["constants"]["error"], "ILLEGAL SFV-ACCESS: " . $cfg["user"] . " tried to check " . $dirS);
        @error("Illegal access. Action has been logged.", "", "");
    }
}
if (!empty($file)) {
    $fileS = str_replace($cfg["path"], '', $file);
    if (!(tfb_isValidPath($file) && isValidEntry(basename($file)) && hasPermission($fileS, $cfg["user"], 'r'))) {
        AuditAction($cfg["constants"]["error"], "ILLEGAL SFV-ACCESS: " . $cfg["user"] . " tried to check " . $fileS);
        @error("Illegal access. Action has been logged.", "", "");
    }
}
// NOTE(review): everything below is still reached after a failed check unless
// error() ends the request; error() is not visible here - confirm.
// init template-instance
tmplInitializeInstance($cfg["theme"], "page.checkSFV.tmpl");
// process: run cksfv on the requested directory and file.
// The binary path comes from configuration and is concatenated as-is; the two
// request values go through tfb_shellencode() (presumably shell quoting - its
// definition is not visible here, confirm).
$cmd = $cfg['bin_cksfv'] . ' -C ' . tfb_shellencode($dir) . ' -f ' . tfb_shellencode($file);
// NOTE(review): the popen() result is not checked before feof()/fgets().
$handle = popen($cmd . ' 2>&1', 'r');
// At debuglevel 2 the HTML-encoded command line is shown in front of the output.
$buff = isset($cfg["debuglevel"]) && $cfg["debuglevel"] == 2 ? "<strong>Debug:</strong> Evaluating command:<br/><br/><pre>" . tfb_htmlencode($cmd) . "</pre><br/>Output follows below:<br/>" : "";
$buff .= "<pre>";
// Tool output is read in chunks of up to 29 bytes and HTML-encoded before it
// is handed to the template.
while (!feof($handle)) {
    $buff .= tfb_htmlencode(@fgets($handle, 30));
}
$tmpl->setvar('buff', $buff);
Example #5
    }
} else {
    // Source entry, read directly from $_POST (no tfb_getRequestVar() here).
    $file = $_POST['file'];
    // Destination: the free-text 'dest' field wins; the 'selector' value is
    // consulted only when 'dest' was posted but is blank after decoding.
    // Note the two fields are decoded differently (rawurldecode vs urldecode).
    $targetDir = "";
    if (isset($_POST['dest'])) {
        $tempDir = trim(rawurldecode($_POST['dest']));
        if (strlen($tempDir) > 0) {
            $targetDir = $tempDir;
        } else {
            if (isset($_POST['selector'])) {
                $targetDir = trim(urldecode($_POST['selector']));
            }
        }
    }
    // only valid dirs + entries with permission
    // NOTE(review): write permission is checked for the source ($file) only.
    // $targetDir is checked with tfb_isValidPath() and nothing else in this
    // block; whether that confines the destination to an allowed location is
    // not visible here - confirm.
    // NOTE(review): processing continues after a failed check unless error()
    // ends the request; error() is not visible here - confirm.
    if (!(tfb_isValidPath($cfg["path"] . $file) && tfb_isValidPath($targetDir) && isValidEntry(basename($cfg["path"] . $file)) && hasPermission($file, $cfg["user"], 'w'))) {
        AuditAction($cfg["constants"]["error"], "ILLEGAL MOVE: " . $cfg["user"] . " tried to move " . $file . " to " . $targetDir);
        @error("Illegal move. Action has been logged.", "", "");
    }
    // we need absolute paths or stuff will end up in docroot
    // inform user .. don't move it into a fallback-dir which may be a hassle
    $dirValid = true;
    if (strlen($targetDir) <= 0) {
        $dirValid = false;
    } else {
        if ($targetDir[0] != '/') {
            $tmpl->setvar('not_absolute', 1);
            $dirValid = false;
        } else {
            $tmpl->setvar('not_absolute', 0);
        }
Example #6
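/**
 * Streams an MRTG graph image from the ".mrtg" directory below $cfg["path"].
 *
 * The file name is taken from request variable "f" and has to look like
 * "<target>-<day|week|month|year>.png", with <target> limited to
 * [0-9a-zA-Z_]. Any other name is written to the audit log and answered
 * with Image::paintNoOp(). The function never returns: every path ends
 * the request.
 *
 * @return void
 */
function image_mrtg()
{
    global $cfg;
    // filename
    $fileName = tfb_getRequestVar('f');
    if (empty($fileName)) {
        Image::paintNoOp();
        // paintNoOp() is not visible here; stop explicitly so that an empty
        // name can never continue to the file-serving code below.
        exit;
    }
    $targetFile = $cfg["path"] . '.mrtg/' . $fileName;
    // validate file: path check, allow-list pattern and existence must all
    // hold. The dot in front of "png" is escaped so that it matches only a
    // literal "." (unescaped it accepted any character in that position).
    if (!(tfb_isValidPath($targetFile) === true && preg_match('/^[0-9a-zA-Z_]+(-day|-week|-month|-year)(\.png)$/D', $fileName) && @is_file($targetFile))) {
        AuditAction($cfg["constants"]["error"], "ILLEGAL MRTG-IMAGE: " . $cfg["user"] . " tried to access " . $fileName);
        Image::paintNoOp();
        // Fail closed: a rejected name must not reach the code that sends the file.
        exit;
    }
    // send content
    @header('Accept-Ranges: bytes');
    @header('Content-Length: ' . filesize($targetFile));
    @header('Content-Type: image/png');
    // readfile() streams the file without leaving an unchecked handle behind.
    @readfile($targetFile);
    exit;
}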
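/**
 * Streams a directory below $cfg["path"] to the client as a tar or zip archive.
 *
 * On success the archive is written straight to the response and the
 * request ends (exit), so the function does not return. When $down is
 * rejected by tfb_isValidPath() or does not name a directory, the attempt
 * is written to the audit log and the function returns.
 *
 * @param string $down path of the directory, relative to $cfg["path"]
 * @return string parent directory of $cfg["path"] . $down; "" when $down
 *                failed validation or the joined path contains no "/"
 */
function downloadArchive($down)
{
    global $cfg;
    $current = "";
    if (tfb_isValidPath($down)) {
        // This prevents the script from getting killed off when running lengthy tar jobs.
        @ini_set("max_execution_time", 3600);
        $down = $cfg["path"] . $down;
        $arTemp = explode("/", $down);
        if (count($arTemp) > 1) {
            array_pop($arTemp);
            $current = implode("/", $arTemp);
        }
        // NOTE(review): only is_dir() is tested here. This function makes no
        // realpath() comparison against $cfg["path"], so keeping symlinked
        // directories inside the base path depends on tfb_isValidPath() and
        // on the caller - confirm.
        if (is_dir($down)) {
            $sendname = basename($down);
            // Quote the directory name as a single shell argument. The former
            // addslashes() inside double quotes left `$` and backticks active
            // in the shell, so a directory name could alter the command.
            // NOTE(review): escapeshellarg() is locale-aware - confirm
            // LC_CTYPE is a UTF-8 locale if names may contain non-ASCII
            // characters. Whether the validators reject names that begin with
            // "-" (which tar/zip would read as options) is not visible here.
            $quotedName = escapeshellarg($sendname);
            switch ($cfg["package_type"]) {
                case "tar":
                    $command = "tar cf - " . $quotedName;
                    break;
                case "zip":
                    $command = "zip -0r - " . $quotedName;
                    break;
                default:
                    // Unknown setting: fall back to tar and record that, so
                    // the file name extension sent below matches the content.
                    $cfg["package_type"] = "tar";
                    $command = "tar cf - " . $quotedName;
                    break;
            }
            // filenames in IE containing dots will screw up the filename
            // (all dots but the last are percent-encoded for MSIE). The
            // User-Agent header is optional, so its absence is tolerated.
            $userAgent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
            $headerName = strstr($userAgent, "MSIE") ? preg_replace('/\\./', '%2e', $sendname, substr_count($sendname, '.') - 1) : $sendname;
            @header("Cache-Control: no-cache");
            @header("Pragma: no-cache");
            @header("Content-Description: File Transfer");
            @header("Content-Type: application/force-download");
            @header('Content-Disposition: attachment; filename="' . $headerName . '.' . $cfg["package_type"] . '"');
            // write the session to close so you can continue to browse on the site.
            @session_write_close();
            // Make it a bit easier for tar/zip: archive relative to the parent
            // directory so member names start at the directory's own name.
            // NOTE(review): the chdir() result is not checked; on failure the
            // archiver would run in whatever directory is current.
            chdir(dirname($down));
            passthru($command);
            AuditAction($cfg["constants"]["fm_download"], $sendname . "." . $cfg["package_type"]);
            exit;
        } else {
            AuditAction($cfg["constants"]["error"], "Illegal download: " . $cfg["user"] . " tried to download " . $down);
        }
    } else {
        AuditAction($cfg["constants"]["error"], "ILLEGAL TAR DOWNLOAD: " . $cfg["user"] . " tried to download " . $down);
    }
    return $current;
}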
/**
 * Removes the downloaded data that belongs to a transfer.
 *
 * Only an admin or the owner of the transfer may delete, only ".torrent"
 * transfers are handled, and the resolved target has to pass
 * tfb_isValidPath(). Rejected attempts are written to the audit log and
 * also returned to the caller.
 *
 * @param string $transfer name of the transfer
 * @return array audit messages of rejected deletes; empty otherwise
 */
function deleteTransferData($transfer)
{
    global $cfg, $transfers;
    $messages = array();

    // Authorisation first: everyone but admin and owner is logged and refused.
    $mayDelete = $cfg['isAdmin'] || IsOwner($cfg["user"], getOwner($transfer));
    if (!$mayDelete) {
        $denied = "ILLEGAL DELETE: " . $cfg["user"] . " attempted to delete data of " . $transfer;
        AuditAction($cfg["constants"]["error"], $denied);
        $messages[] = $denied;
        return $messages;
    }

    // Anything that is not a .torrent transfer is silently ignored.
    if (substr($transfer, -8) != ".torrent") {
        return $messages;
    }

    // An empty or "." data path means there is nothing of its own to remove.
    $dataPath = getTransferDatapath($transfer);
    if ($dataPath == "" || $dataPath == ".") {
        return $messages;
    }

    $target = getTransferSavepath($transfer) . $dataPath;
    if (!tfb_isValidPath($target)) {
        $denied = "ILLEGAL DELETE: " . $cfg["user"] . " attempted to delete data of " . $transfer;
        AuditAction($cfg["constants"]["error"], $denied);
        $messages[] = $denied;
        return $messages;
    }

    // Delete, and record the delete, only when the target really exists.
    if (@is_dir($target) || @is_file($target)) {
        avddelete($target);
        AuditAction($cfg["constants"]["fm_delete"], $target);
    }
    return $messages;
}
Example #9
}
/******************************************************************************/
// common functions
require_once 'inc/functions/functions.common.php';
// dir functions
require_once 'inc/functions/functions.dir.php';
// is enabled ?
// NOTE(review): this gate, like the check further down, only stops the
// request if error() terminates; error() is not visible here - confirm.
if ($cfg["enable_view_nfo"] != 1) {
    AuditAction($cfg["constants"]["error"], "ILLEGAL ACCESS: " . $cfg["user"] . " tried to use nfo-viewer");
    @error("nfo-viewer is disabled. Action has been logged.", "", "");
}
// target: request value "path", decoded and joined onto the base path
$file = UrlHTMLSlashesDecode(tfb_getRequestVar("path"));
$path = $cfg["path"] . $file;
// only valid dirs + entries with permission
// tfb_isValidPath() is called with a second argument here, once each for
// ".nfo", ".txt" and ".log" (presumably a required extension - its definition
// is not visible, confirm). The entry name and read permission must hold too.
if (!((tfb_isValidPath($path, ".nfo") || tfb_isValidPath($path, ".txt") || tfb_isValidPath($path, ".log")) && isValidEntry($file) && hasPermission($file, $cfg["user"], 'r'))) {
    AuditAction($cfg["constants"]["error"], "ILLEGAL NFO-ACCESS: " . $cfg["user"] . " tried to view " . $file);
    @error("Illegal access. Action has been logged.", "", "");
}
// init template-instance
tmplInitializeInstance($cfg["theme"], "page.viewnfo.tmpl");
// set vars
// NOTE(review): 'file' is handed to the template as-is while 'folder', which
// is derived from the same value, goes through htmlspecialchars(). Whether
// the template layer escapes 'file' is not visible here - confirm.
$tmpl->setvar('file', $file);
// Everything before the last "/"; when $file contains no "/", strrpos()
// returns false and the folder becomes an empty string.
$folder = htmlspecialchars(substr($file, 0, strrpos($file, "/")));
$tmpl->setvar('folder', $folder);
if ($fileHandle = @fopen($path, 'r')) {
    $output = "";
    while (!@feof($fileHandle)) {
        $output .= @fgets($fileHandle, 4096);
    }
    @fclose($fileHandle);
Example #10
 * download as archive
 ******************************************************************************/
if ($tar != "") {
    // Feature switch: archive download has to be enabled in the configuration.
    if ($cfg["enable_file_download"] != 1) {
        AuditAction($cfg["constants"]["error"], "ILLEGAL ACCESS: " . $cfg["user"] . " tried to use download (" . $tar . ")");
        @error("download is disabled", "index.php?iid=index", "");
    }
    // The entry name must be acceptable and the user needs read permission.
    $mayDownload = isValidEntry(basename($tar)) && hasPermission($tar, $cfg["user"], 'r');
    if (!$mayDownload) {
        AuditAction($cfg["constants"]["error"], "ILLEGAL TAR DOWNLOAD: " . $cfg["user"] . " tried to download " . $tar);
        // Redirect target: the request value itself, or its parent directory
        // when the value is a valid path that contains a "/".
        $current = $tar;
        if (tfb_isValidPath($tar)) {
            $segments = explode("/", $tar);
            if (count($segments) > 1) {
                $current = implode("/", array_slice($segments, 0, -1));
            }
        }
    } else {
        // The archive is streamed directly, so output compression is switched off.
        @ini_set("zlib.output_compression", "Off");
        $current = downloadArchive($tar);
    }
    // Reached when no archive was sent: go back to the directory listing.
    @header("Location: index.php?iid=dir&dir=" . UrlHTMLSlashesEncode($current));
    exit;
}
/*******************************************************************************
 * wget
 ******************************************************************************/
function _dir_cleanFileName($inName)
{
    @error("Required binary could not be found", "", "", $cfg['isAdmin'] ? array('python is required for maketorrent', 'Specified python-binary does not exist: ' . $cfg['pythonCmd'], 'Check Settings on Admin-Server-Settings Page') : array('Please contact an Admin'));
}
/*******************************************************************************
 * create + page
 ******************************************************************************/
// file + torrent vars
// 'path' is read with tfb_getRequestVarRaw() (presumably unfiltered - its
// definition is not visible here, confirm).
$path = tfb_getRequestVarRaw('path');
$torrent = "";
if (!empty($path)) {
    // Torrent file name derived from the last path component; the name is
    // treated as invalid when tfb_cleanFileName() returns false.
    $torrent = tfb_cleanFileName(StripFolders($path) . ".torrent");
    if ($torrent === false) {
        @error("Invalid torrent-name", "", "", array($path));
    }
}
// only valid dirs + entries with permission
// This check also runs when $path is empty, i.e. against $cfg["path"] itself.
// NOTE(review): processing continues after a failed check unless error() ends
// the request; error() is not visible here - confirm.
if (!(tfb_isValidPath($cfg["path"] . $path) && hasPermission($path, $cfg["user"], 'w'))) {
    AuditAction($cfg["constants"]["error"], "ILLEGAL MAKETORRENT: " . $cfg["user"] . " tried to maketorrent with " . $path);
    @error("Illegal maketorrent. Action has been logged.", "", "");
}
// check if there is a var sent for client, if not use default
$client = isset($_REQUEST["client"]) ? tfb_getRequestVar('client') : $cfg["dir_maketorrent_default"];
// client-generic vars
$tfile = tfb_getRequestVar('torrent');
$comment = tfb_getRequestVar('comments');
// 'alert' is a presence flag: 1 when the field was posted, whatever its value.
$alert = isset($_POST["alert"]) ? 1 : 0;
// client-switch
switch ($client) {
    default:
    case "tornado":
        $announce = isset($_POST['announce']) ? $_POST['announce'] : "http://";
        $ancelist = tfb_getRequestVar('announcelist');
Example #12
    $buff = "";
    while (!feof($handle)) {
        $buff .= fgets($handle, 30);
    }
    $tmpl->setvar('buff', nl2br($buff));
    pclose($handle);
}
// set vars: only when a non-empty 'file' was sent with the request
if (isset($_REQUEST['file']) && $_REQUEST['file'] != "") {
    $file = tfb_getRequestVar('file');
    $dir = tfb_getRequestVar('dir');
    // Strip the base path from both values so they are relative again.
    // NOTE(review): str_replace() removes every occurrence of $cfg["path"],
    // not only a leading one.
    $file = str_replace($cfg["path"], '', $file);
    $dir = str_replace($cfg["path"], '', $dir);
    $targetFile = $cfg["path"] . $file;
    // only valid dirs + entries with permission
    // The archive needs a valid path, an acceptable entry name and read
    // permission; the directory needs write permission.
    // NOTE(review): $dir itself is not passed through tfb_isValidPath() in
    // this block - confirm hasPermission() is sufficient for it.
    // NOTE(review): processing continues after a failed check unless error()
    // ends the request; error() is not visible here - confirm.
    if (!(tfb_isValidPath($targetFile) && isValidEntry(basename($targetFile)) && hasPermission($file, $cfg["user"], 'r') && hasPermission($dir, $cfg["user"], 'w'))) {
        AuditAction($cfg["constants"]["error"], "ILLEGAL UNCOMPRESS-ACCESS: " . $cfg["user"] . " tried to uncompress " . $file);
        @error("Illegal access. Action has been logged.", "", "");
    }
    // template vars: URL-encoded absolute paths with "/" kept readable
    $tmpl->setvar('is_file', 1);
    $tmpl->setvar('url_file', str_replace('%2F', '/', urlencode($cfg["path"] . $file)));
    $tmpl->setvar('url_dir', str_replace('%2F', '/', urlencode($cfg["path"] . $dir)));
    // NOTE(review): request value 'type' is forwarded to the template with no
    // check in this block beyond whatever tfb_getRequestVar() applies.
    $tmpl->setvar('type', tfb_getRequestVar('type'));
} else {
    $tmpl->setvar('is_file', 0);
}
// page chrome
tmplSetTitleBar('Uncompress File', false);
tmplSetIidVars();
// parse template