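/**
 * Tells whether a file name is on the configured list of "unsafe" files.
 *
 * The list is read from the "~unsafe_files" option of the "main" module
 * (default ".htaccess,.htpasswd,web.config,global.asax") once per request
 * and kept in a static, so repeated calls do not hit the option storage.
 * Only the base name of $name (GetFileName) is compared, after TrimUnsafe,
 * and the comparison is case-insensitive.
 *
 * @param string $name File name or path to check.
 * @return bool True when the base name matches an entry of the list.
 */
function IsFileUnsafe($name)
{
    static $arFiles = false;
    if ($arFiles === false) {
        $fileList = COption::GetOptionString("main", "~unsafe_files", ".htaccess,.htpasswd,web.config,global.asax");
        // Normalise the entries once: lower-case and strip whitespace around the
        // commas, so an option value such as "a, b" still matches "b".
        $arFiles = array_map('trim', explode(",", strtolower($fileList)));
    }
    $name = GetFileName($name);
    // Strict comparison: loose in_array() applies numeric-string coercion
    // ("1e1" == "10"), which is not wanted for file names.
    return in_array(strtolower(TrimUnsafe($name)), $arFiles, true);
}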
// One step of a walk from $currentPath up towards the document root: on
// each pass the last path component becomes $name and $currentPath shrinks
// to its parent folder, whose .access.php is then loaded into $PERM.
// NOTE(review): the enclosing loop header is not visible here; the `break`
// below only makes sense inside that loop.
$currentPath = rtrim($currentPath, "/");
if (strlen($currentPath) <= 0) {
    // Reached the root: its permissions live in /.access.php.
    $accessFile = "/.access.php";
    $name = "/";
} else {
    //Find file or folder name
    $position = strrpos($currentPath, "/");
    if ($position === false) break;
    $name = substr($currentPath, $position+1);
    $name = TrimUnsafe($name); //security fix: under Windows "my." == "my"
    //Find parent folder
    $currentPath = substr($currentPath, 0, $position + 1);
    $accessFile = $currentPath.".access.php";
}
// .access.php is executed as PHP and is expected to (re)define $PERM;
// $PERM is reset first so a missing file yields no permissions.
$PERM = Array();
if ($io->FileExists($documentRoot.$accessFile)) include($io->GetPhysicalName($documentRoot.$accessFile));
// Remember the first (deepest) component as the object whose rights are
// being looked up; later passes only climb the parent folders.
if ($assignFileName == "") {
    $assignFileName = $name;
    $assignFolderName = ($name == "/" ? "/" : $currentPath);
}
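/**
 * Resolves the file-access right of a user for a path by walking the
 * .access.php files from the path itself up to the site document root.
 *
 * Per-folder rights are read from the $PERM array that each .access.php
 * defines, keyed by folder/file name and then by group id ("G<n>", the
 * legacy bare "<n>", or "*" for everybody). The walk stops as soon as a
 * group reaches "W", the "*" entry is consulted, or no groups are left.
 * Results per access file are memoised in $this->FILE_PERMISSION_CACHE,
 * keyed by "<site>|<access file>".
 *
 * @param int|string  $intUserID User id; anything that is not an integer string is denied.
 * @param string      $path      Path relative to the site root.
 * @param array|false $groups    Group ids (numeric or "G<n>"), or false to load the user's groups.
 * @param bool        $task_mode When true, return task ids instead of a permission letter.
 * @return string|array Permission letter ('D' .. 'X'), or a sorted list of task ids in task mode.
 */
function GetFileAccessPermissionByUser($intUserID, $path, $groups = false, $task_mode = false)
{
    // Reject anything that is not a plain integer id (e.g. "12abc", arrays);
    // the "|" suffix forces a string comparison of the round-tripped value.
    $intUserIDTmp = intval($intUserID);
    if ($intUserIDTmp . '|' !== $intUserID . '|') {
        return !$task_mode ? 'D' : array(CTask::GetIdByLetter('D', 'main', 'file'));
    }
    $intUserID = $intUserIDTmp;

    // Normalise groups to the "G<n>" form used as keys in .access.php.
    if ($groups === false) {
        $groups = CUser::GetUserGroup($intUserID);
        foreach ($groups as $key => $val) {
            $groups[$key] = "G" . $val;
        }
    } elseif (is_array($groups) && !empty($groups)) {
        $bNumbers = preg_match('/^[0-9]+$/', $groups[0]);
        if ($bNumbers) {
            foreach ($groups as $key => $val) {
                $groups[$key] = "G" . $val;
            }
        }
    }

    CMain::InitPathVars($site, $path);
    $DOC_ROOT = CSite::GetSiteDocRoot($site);

    // Windows file systems are case-insensitive, so both the path and the
    // $PERM keys (below) are lower-cased to keep lookups consistent.
    $bWin = strncasecmp(PHP_OS, "WIN", 3) == 0;
    if ($bWin) {
        $path = strtolower($path);
    }

    // Canonicalise the path; a path that collapses to "" (e.g. escapes the
    // root via "..") is denied outright.
    if (trim($path, "/") != "") {
        $path = Rel2Abs("/", $path);
        if ($path == "") {
            return !$task_mode ? 'D' : array(CTask::GetIdByLetter('D', 'main', 'file'));
        }
    }

    // Group 1 (administrators) gets full access without consulting any file.
    $bAdminM = in_array("G1", $groups, true);
    if ($bAdminM) {
        return !$task_mode ? 'X' : array(CTask::GetIdByLetter('X', 'main', 'file'));
    }

    // The permission files themselves and .htaccess are never readable
    // through this API by non-administrators.
    if (substr($path, -12) == "/.access.php") {
        return !$task_mode ? 'D' : array(CTask::GetIdByLetter('D', 'main', 'file'));
    }
    if (substr($path, -10) == "/.htaccess") {
        return !$task_mode ? 'D' : array(CTask::GetIdByLetter('D', 'main', 'file'));
    }

    $max_perm = "D";
    $arGroupTask = array();
    $io = CBXVirtualIo::GetInstance();
    // "*" is appended last so explicit group entries are consulted first.
    $groups[] = "*";

    while (true) {
        $path = rtrim($path, "/");
        if ($path == '') {
            $access_file_name = "/.access.php";
            $Dir = "/";
        } else {
            $pos = strrpos($path, "/");
            if ($pos === false) {
                break;
            }
            $Dir = substr($path, $pos + 1);
            $Dir = TrimUnsafe($Dir);
            $path = substr($path, 0, $pos + 1);
            $access_file_name = $path . ".access.php";
        }

        $cacheKey = $site . "|" . $access_file_name;
        if (array_key_exists($cacheKey, $this->FILE_PERMISSION_CACHE)) {
            $PERM = $this->FILE_PERMISSION_CACHE[$cacheKey];
        } else {
            // .access.php is executed as PHP and is expected to define $PERM.
            $PERM = array();
            if ($io->FileExists($DOC_ROOT . $access_file_name)) {
                include $io->GetPhysicalName($DOC_ROOT . $access_file_name);
            }
            if ($bWin && !empty($PERM)) {
                $PERM_TMP = array();
                foreach ($PERM as $key => $val) {
                    $PERM_TMP[strtolower($key)] = $val;
                }
                $PERM = $PERM_TMP;
            }
            $this->FILE_PERMISSION_CACHE[$cacheKey] = $PERM;
        }

        // !empty() keeps the original truthiness test (an empty array is
        // skipped) without raising an undefined-index notice.
        if (!empty($PERM[$Dir]) && is_array($PERM[$Dir])) {
            $dir_perm = $PERM[$Dir];
            foreach ($groups as $key => $group_id) {
                if (isset($dir_perm[$group_id])) {
                    $perm = $dir_perm[$group_id];
                } elseif (preg_match('/^G[0-9]+$/', $group_id)) {
                    //compatibility with group id
                    $legacyKey = substr($group_id, 1);
                    $perm = isset($dir_perm[$legacyKey]) ? $dir_perm[$legacyKey] : null;
                } else {
                    continue;
                }

                if ($task_mode) {
                    // "T_<id>" references a task directly; a bare letter is
                    // mapped to its task id, unknown letters are ignored.
                    if (substr($perm, 0, 2) == 'T_') {
                        $tid = intval(substr($perm, 2));
                    } elseif (($tid = CTask::GetIdByLetter($perm, 'main', 'file')) === false) {
                        continue;
                    }
                    $arGroupTask[$group_id] = $tid;
                } else {
                    if (substr($perm, 0, 2) == 'T_') {
                        $tid = intval(substr($perm, 2));
                        $perm = CTask::GetLetter($tid);
                        if (strlen($perm) == 0) {
                            $perm = 'D';
                        }
                    }
                    // Letters are ordered D < R < ... < W < X by plain string
                    // comparison; "W" is the highest reachable from a file.
                    if ($max_perm == "" || $perm > $max_perm) {
                        $max_perm = $perm;
                        if ($perm == "W") {
                            break 2;
                        }
                    }
                }

                // The "*" entry settles everyone still unresolved.
                if ($group_id == "*") {
                    break 2;
                }
                // A group resolved at this level is not consulted in parents.
                unset($groups[$key]);
                if (count($groups) == 1 && in_array("*", $groups, true)) {
                    break 2;
                }
            }
            if (count($groups) <= 1) {
                break;
            }
        }

        if ($path == '') {
            break;
        }
    }

    if ($task_mode) {
        $arTasks = array_unique(array_values($arGroupTask));
        if (empty($arTasks)) {
            return array(CTask::GetIdByLetter('D', 'main', 'file'));
        }
        sort($arTasks);
        return $arTasks;
    } else {
        return $max_perm;
    }
}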
$assignFolderName = ""; $currentPath = $path; while (true) { //Cut / from the end $currentPath = rtrim($currentPath, "/"); if (strlen($currentPath) <= 0) { $accessFile = "/.access.php"; $name = "/"; } else { //Find file or folder name $position = strrpos($currentPath, "/"); if ($position === false) { break; } $name = substr($currentPath, $position + 1); $name = TrimUnsafe($name); //security fix: under Windows "my." == "my" //Find parent folder $currentPath = substr($currentPath, 0, $position + 1); $accessFile = $currentPath . ".access.php"; } $PERM = array(); if ($io->FileExists($documentRoot . $accessFile)) { include $io->GetPhysicalName($documentRoot . $accessFile); } if ($assignFileName == "") { $assignFileName = $name; $assignFolderName = $name == "/" ? "/" : $currentPath; } if (isset($PERM[$name]) && is_array($PERM[$name])) { $arUserGroupsID = array_merge($arUserGroupsID, array_keys($PERM[$name]));