<?php /** * * Delete current backup archives * */ $btn_delete = getPOSTparam4IdOrNumber('btn_delete'); if ($do == 'delete' && !empty($btn_delete)) { echo 'style="display: block;" '; if (!empty($_POST['file'])) { // Only if current user has the rights if ($perm->is_level_okay('manageModBackup', $_SESSION['ccms_userLevel'])) { echo 'class="notice center-text">'; foreach ($_POST['file'] as $value) { $value = filterParam4Filename($value); // strips any slashes as well, so attacks like '../../../../../../../../../etc/passwords' won't pass if (!empty($value)) { unlink('../../../../media/files/' . $value); echo ucfirst($value) . ' ' . $ccms['lang']['backend']['statusremoved'] . '.<br/>'; } else { echo $ccms['lang']['auth']['featnotallowed']; } } } else { echo 'class="error center-text">' . $ccms['lang']['auth']['featnotallowed']; } } else { echo 'class="error center-text">' . $ccms['lang']['system']['error_selection']; } } else {
} /** * * Save the menu order, individual templating & menu allocation preferences * */ if ($target_form == 'menuorder' && $_SERVER['REQUEST_METHOD'] == 'POST' && checkAuth()) { $error = null; // are you allowed to run this action? if ($perm->is_level_okay('manageMenu', $_SESSION['ccms_userLevel'])) { if (!empty($_POST['page_id'])) { foreach ($_POST['page_id'] as $page_id) { $page_id = filterParam4Number($page_id); $toplevel = filterParam4Number($_POST['toplevel'][$page_id]); $sublevel = filterParam4Number($_POST['sublevel'][$page_id]); $templatename = filterParam4Filename($_POST['template'][$page_id]); $menu_id = filterParam4Number($_POST['menuid'][$page_id]); if (!$page_id || !$toplevel || empty($templatename)) { $error = $ccms['lang']['system']['error_forged'] . ' (' . __FILE__ . ', ' . __LINE__ . ')'; break; } $values = array(); // [i_a] make sure $values is an empty array to start with here $values['toplevel'] = MySQL::SQLValue($toplevel, MySQL::SQLVALUE_NUMBER); $values['sublevel'] = MySQL::SQLValue($sublevel, MySQL::SQLVALUE_NUMBER); $values['variant'] = MySQL::SQLValue($templatename, MySQL::SQLVALUE_TEXT); $values['menu_id'] = MySQL::SQLValue($menu_id, MySQL::SQLVALUE_NUMBER); // Execute the update if (!$db->UpdateRow($cfg['db_prefix'] . 'pages', $values, array('page_id' => MySQL::SQLValue($page_id, MySQL::SQLVALUE_NUMBER)))) { $error = $db->Error(); }
if (!is_dir($dest)) { $error = $ccms['lang']['system']['error_write']; $error_code = $dest; } } // Validation $size = false; // init to prevent PHP errors about unknown vars further down $overwrite_existing = getGETparam4Boolean('overwrite_existing'); // get the local (temporary) filename: $uploadedfile = isset($_FILES['Filedata']) && !empty($_FILES['Filedata']['tmp_name']) ? $_FILES['Filedata']['tmp_name'] : null; // RAW is okay: it's generated locally (server-side) and contains a temp filename // and what it's supposed to be named (as specced by the uploader): $target_filename = isset($_FILES['Filedata']) && !empty($_FILES['Filedata']['name']) ? $_FILES['Filedata']['name'] : null; // make filename safe but try to keep it unique at the same time! $target_filename = filterParam4Filename($target_filename, null, true); // Set file and get file extension $extension = strtolower(pathinfo($target_filename, PATHINFO_EXTENSION)); if (empty($error) && (empty($extension) || empty($target_filename) || empty($uploadedfile) || !is_uploaded_file($uploadedfile))) { $error = 'Invalid file or no file at all uploaded'; $error_code = $uploadedfile . ' : ' . $extension . ' : ' . $target_filename; } if (empty($error) && is_file($target_filename) && !$overwrite_existing) { $error = 'File already exists on server'; $error_code = $uploadedfile . ' : ' . $extension . ' : ' . $target_filename; } if (empty($error) && !($size = @getimagesize($uploadedfile))) { $error = 'Please upload only images, no other files are supported.'; $error_code = $uploadedfile . ' : ' . $extension . ' : ' . $target_filename; } if (empty($error) && !in_array($size[2], array(IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG, IMAGETYPE_TIFF_II, IMAGETYPE_TIFF_MM))) {
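/**
 * As filterParam4Filename(), but also accepts '/' directory separators.
 *
 * The path is split on '/' and every component is run through
 * filterParam4Filename(). An empty component is tolerated only as the very
 * first one (absolute path, "/a/b") or the very last one (trailing slash,
 * "a/b/"); an empty component in the middle ("a//b") rejects the path.
 *
 * When $accept_parent_dotdot is TRUE, only then does this filter
 * accept '..' directory parts anywhere in the path.
 *
 * WARNING: setting $accept_parent_dotdot = TRUE can be VERY DANGEROUS
 * without further checking the result whether it's trying to
 * go places we don't want it to go!
 *
 * Be vewey vewey caweful!
 *
 * Just to give you an idea:
 *   ../../../../../../../../../../../../etc/passwords
 * would be LEGAL *AND* VERY DANGEROUS if the accepted path is not
 * validated further upon return from this function! This function only
 * filters the text of the path; it does not resolve it or confine it to a
 * base directory, so a caller that accepts '..' must still check that the
 * resolved location stays inside the directory it intends to serve.
 *
 * @param mixed $value                raw (untrusted) path; NULL yields $def
 * @param mixed $def                  value returned when the path is rejected
 * @param bool  $accept_parent_dotdot when TRUE, '..' components are passed through
 * @return mixed the filtered path as a string, or $def when the path is rejected
 */
function filterParam4FullFilePath($value, $def = null, $accept_parent_dotdot = false)
{
    if (!isset($value)) {
        return $def;
    }

    // Only '/' is treated as a separator here; anything else inside a
    // component is left to filterParam4Filename() (called with '' as its
    // fallback so a rejected component shows up as the empty string).
    $parts = explode('/', strval($value));
    $last = count($parts) - 1;

    foreach ($parts as $i => $part) {
        $part = filterParam4Filename($part, '');

        // '0' is a legal (if odd) component name, so test for the empty
        // string explicitly: empty() would wrongly reject "a/0/b".
        if ($i > 0 && $i < $last && (string) $part === '') {
            return $def; // illegal path specified: empty component in the middle
        }
        if ($part === '..' && !$accept_parent_dotdot) {
            return $def; // illegal path specified: parent-directory part not allowed
        }

        $parts[$i] = $part;
    }

    return implode('/', $parts);
}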