if (!is_dir($targetFolder)) { __error("target folder {$targetfolder} does not exist"); return 1; } _debug("target folder is {$targetFolder}"); $tempFile = $_FILES['Filedata']['tmp_name']; $targetFile = rtrim($targetFolder, '/') . "/" . $_FILES['Filedata']['name']; // you may want to do some additional checks on the uploaded files // here. if (file_exists($targetFile)) { __error("target file {$targetFile} already exists!"); return 1; } // We do not allow to upload files matching the // global $no_access pattern. See _config/conf.php for details. if (matches_noaccess_pattern($targetFile)) { __error("file {$targetFile} matches \$no_access pattern ({$no_access})"); return 1; } move_uploaded_file($tempFile, $targetFile); echo '1'; /** TODO: - currently, the implementation only works if the user has configured the same home directory like given in the global configuration as "home_dir", since we have no access to the session for authenticating the user. Notes: - We don't want to pass the absolute directory to the home directory by a post variable. This enables everybody to move a file from a random location on the server to any other
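/**
 * Check if the user is allowed to access $file in $directory.
 *
 * $directory is the directory being listed (presumably relative to the base
 * returned by path_f() — confirm against the callers); $file is a bare file
 * name, or null when only the directory itself is being checked.
 *
 * Returns false when any of the following holds, true otherwise:
 *   - $directory contains ".." anywhere;
 *   - $file contains a "/" or "\" path separator, or is "." / "..";
 *   - the absolute path built by get_abs_item() does not start with path_f();
 *   - hidden entries are disabled (global $show_hidden is falsy) and $file or
 *     any "/"-separated component of $directory starts with a dot;
 *   - $file matches the no-access pattern (matches_noaccess_pattern()).
 *
 * NOTE: the path_f() containment check and the separator check only run when
 * $file is given; for a null $file, $directory is only subjected to the ".."
 * and hidden-component checks, and the no-access pattern is only ever tested
 * against $file, never against $directory.
 *
 * @param string      $directory
 * @param string|null $file
 * @return bool
 */
function get_show_item($directory, $file)
{
    // no relative paths are allowed in directories
    if (preg_match("/\\.\\./", $directory)) {
        return false;
    }

    if (isset($file)) {
        // file name must not contain any path separators
        if (preg_match("/[\\/\\\\]/", $file)) {
            return false;
        }
        // dont display own and parent directory
        if ($file === "." || $file === "..") {
            return false;
        }
        // determine full path to the file and require it to stay below path_f()
        $full_path = get_abs_item($directory, $file);
        _debug("full_path: {$full_path}");
        if (!str_startswith($full_path, path_f())) {
            return false;
        }
    }

    // check if user is allowed to access hidden files
    global $show_hidden;
    if (!$show_hidden) {
        // substr() instead of $file[0]: $file may be null or "", and a string
        // offset read on those raises an "uninitialized string offset" warning
        if (isset($file) && substr($file, 0, 1) === '.') {
            return false;
        }
        // no part of the path may be hidden; empty components (a leading "/"
        // or a doubled "//") are simply not hidden instead of raising a warning
        foreach (explode("/", (string) $directory) as $directory_part) {
            if (substr($directory_part, 0, 1) === '.') {
                return false;
            }
        }
    }

    if (matches_noaccess_pattern($file)) {
        return false;
    }

    return true;
}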