require './config.php';
require './util.php';
require './io.php';
require './commands.php';
require './phpcompat.php';
require_once './SafeFN.class.php';
require_once 'input_utils.php';

/**
 * Report an upload failure through the standard upload response.
 *
 * Thin wrapper around SendUploadResults() with an empty file URL and file
 * name. Every check in this script relies on SendUploadResults() ending the
 * request once an error has been reported (TODO confirm in io.php): nothing
 * below re-examines an error after it has been sent.
 *
 * @param int|string $number Connector error number.
 * @param string     $text   Human-readable message for the user.
 */
function SendError($number, $text)
{
    SendUploadResults($number, '', '', $text);
}

// ---- QuickUpload entry point ------------------------------------------------

// The uploader has to be switched on in config.php; otherwise report and stop.
if (!$Config['Enabled']) {
    SendUploadResults('1', '', '', 'This file uploader is disabled. Please check the "editor/filemanager/connectors/php/config.php" file');
}

$sCommand = 'QuickUpload';

// Resource type comes from the request ('File' when absent or empty) and is
// checked against the configured allow-list before any file is touched.
$sType = input_strval('Type') ?: 'File';

// QuickUpload always targets the root of the resource type.
$sCurrentFolder = '/';

// Both the command and the resource type must be enabled in the configuration.
if (!IsAllowedCommand($sCommand)) {
    SendUploadResults('1', '', '', 'The ""' . $sCommand . '"" command isn\'t allowed');
}
if (!IsAllowedType($sType)) {
    SendUploadResults(1, '', '', 'Invalid type specified');
}

FileUpload($sType, $sCurrentFolder, $sCommand);
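/**
 * Connector command: create a sub-folder of the current virtual folder.
 *
 * Reads the new folder name from the 'NewFolderName' request parameter,
 * normalises it with the editor's dwfck_conf settings (space separator and
 * Dwfck_sanitize()), maps the virtual folder to a server path and creates
 * the directory there. Output is a single <Error number="..." /> node:
 * 0 on success, 102 for an invalid name or an unusable path, 103 when the
 * caller may not write here, 110 for any other filesystem failure.
 *
 * The dwfck_conf settings live in a PHP session whose id the editor passes
 * in the FCK_NmSp_acl cookie. That cookie is untrusted input, so it is only
 * adopted as a session id when it has the shape of one.
 *
 * @param string $resourceType  Connector resource type (e.g. 'File').
 * @param string $currentFolder Virtual folder path, expected to begin and end with '/'.
 */
function CreateFolder($resourceType, $currentFolder)
{
    global $_FolderClass;
    global $Config;
    global $Dwfck_conf_values;
    global $dwfck_conf;

    $sErrorNumber = '0';
    $sErrorMsg = '';

    // Authorisation: write permission on the current folder and a folder
    // class of at least 8 (presumably the wiki ACL level needed to create a
    // namespace — confirm against has_permission()), unless the installation
    // grants open access.
    if (!has_permission($currentFolder, $resourceType) || $_FolderClass < 8) {
        if (!has_open_access()) {
            $sErrorNumber = 103;
            echo '<Error number="' . $sErrorNumber . '" />';
            return;
        }
    }

    $sNewFolderName = input_strval('NewFolderName');
    if ($sNewFolderName !== null) {
        // Resume the editor's configuration session. PHP session ids consist
        // of a-z, A-Z, 0-9, ',' and '-'; a cookie value outside that set is
        // ignored rather than handed to the session layer. session_id() and
        // session_start() only act when no session is active yet, which is
        // also the only case in which they had any effect before.
        $sess_id = session_id();
        $cookieSid = isset($_COOKIE['FCK_NmSp_acl']) ? $_COOKIE['FCK_NmSp_acl'] : null;
        if (!isset($sess_id) || $sess_id != $cookieSid) {
            if (session_status() !== PHP_SESSION_ACTIVE) {
                if ($cookieSid !== null && preg_match('/^[A-Za-z0-9,-]+$/', $cookieSid) === 1) {
                    session_id($cookieSid);
                }
                session_start();
            }
        }

        $dwfck_conf = isset($_SESSION['dwfck_conf']) ? $_SESSION['dwfck_conf'] : null;
        if (empty($dwfck_conf)) {
            // No saved configuration: fall back to the plugin defaults.
            $dwfck_conf = array(
                'deaccent' => isset($Dwfck_conf_values['deaccent']) ? $Dwfck_conf_values['deaccent'] : 1,
                'useslash' => isset($Dwfck_conf_values['useslash']) ? $Dwfck_conf_values['useslash'] : 0,
                'sepchar'  => isset($Dwfck_conf_values['sepchar']) ? $Dwfck_conf_values['sepchar'] : '_',
            );
        }

        $sNewFolderName = str_replace(' ', $dwfck_conf['sepchar'], $sNewFolderName);
        $sNewFolderName = Dwfck_sanitize($sNewFolderName);

        if (strpos($sNewFolderName, '..') !== false) {
            // Parent-directory references are never a valid folder name.
            $sErrorNumber = '102';
        } else {
            // Map the virtual path to the local server path of the current folder.
            $sServerDir = ServerMapFolder($resourceType, $currentFolder, 'CreateFolder');

            // URL-encode the directory name when configured to, or by default on Windows.
            $fnencode = isset($Dwfck_conf_values['fnencode']) ? $Dwfck_conf_values['fnencode'] : null;
            if ($fnencode == 'url' || ($Config['osWindows'] && $fnencode === null)) {
                $sServerDir = encode_dir($sServerDir);
            }
            if ($Config['osWindows']) {
                $sServerDir = normalizeWIN($sServerDir);
            }

            // The parent must be writable; CreateServerFolder() reports a
            // message string ('' on success) that is mapped to an error number.
            if (is_writable($sServerDir)) {
                $sServerDir .= $sNewFolderName;
                $sErrorMsg = CreateServerFolder($sServerDir);
                switch ($sErrorMsg) {
                    case '':
                        $sErrorNumber = '0';
                        break;
                    case 'Invalid argument':
                    case 'No such file or directory':
                        $sErrorNumber = '102'; // Path too long.
                        break;
                    default:
                        $sErrorNumber = '110';
                        break;
                }
            } else {
                $sErrorNumber = '103';
            }
        }
    } else {
        $sErrorNumber = '102';
    }

    // Create the "Error" node.
    echo '<Error number="' . $sErrorNumber . '" />';
}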
/**
 * Read and normalise the 'CurrentFolder' request parameter.
 *
 * The result always starts and ends with '/', contains no '//' runs and
 * defaults to '/' when the parameter is missing or empty. A path holding a
 * dot directly after a slash (which covers '..' segments and dot-files), a
 * backslash, or any of : * ? " < > | is reported as error 102 through
 * SendError(). This is the only traversal check between the request and the
 * folder-to-filesystem mapping, so it relies on SendError() not returning.
 *
 * @return string Normalised virtual folder path.
 */
function GetCurrentFolder()
{
    $folder = input_strval('CurrentFolder');
    if (!$folder) {
        $folder = '/';
    }

    // Force a trailing slash ...
    if (preg_match('|/$|', $folder) !== 1) {
        $folder .= '/';
    }
    // ... and a leading one.
    if (substr($folder, 0, 1) !== '/') {
        $folder = '/' . $folder;
    }

    // Collapse any run of slashes down to a single one.
    while (strpos($folder, '//') !== false) {
        $folder = str_replace('//', '/', $folder);
    }

    // Reject '/.' (incl. '/..'), '//', backslashes and characters that are
    // invalid in folder names.
    if (preg_match(",(/\\.)|(//)|(\\\\)|([\\:\\*\\?\"\\<\\>\\|]),", $folder)) {
        SendError(102, '');
    }

    return $folder;
}
/**
 * Connector entry point: validate the request and run the requested command.
 *
 * Requires the 'Command', 'Type' and 'CurrentFolder' query parameters and
 * returns silently when any is missing. Command and Type are URL-encoded
 * before being checked against the configured allow-lists (for an allowed
 * value the encoding is a no-op); the folder goes through GetCurrentFolder().
 * Rejections are reported with SendError(), which is relied on to end the
 * request. FileUpload and GetDwfckNs produce their own output and skip the
 * XML envelope; every other command is wrapped in CreateXmlHeader() /
 * CreateXmlFooter(), after which the script exits.
 */
function DoResponse()
{
    if (!isset($_GET)) {
        global $_GET;
    }

    foreach (array('Command', 'Type', 'CurrentFolder') as $required) {
        if (!isset($_GET[$required])) {
            return;
        }
    }

    // Get the main request information.
    $sCommand = urlencode($_GET['Command']);
    $sResourceType = urlencode($_GET['Type']);
    $sCurrentFolder = GetCurrentFolder();

    // Both the command and the resource type must be allowed by the configuration.
    if (!IsAllowedCommand($sCommand)) {
        SendError(1, 'FileBrowserError_Command' . ';;' . $sCommand);
    }
    if (!IsAllowedType($sResourceType)) {
        SendError(1, 'FileBrowserError_Type' . ';;' . $sResourceType);
    }

    // Commands that do not answer with XML are handled before the header is sent.
    if ($sCommand === 'FileUpload') {
        FileUpload($sResourceType, $sCurrentFolder, $sCommand);
        return;
    }
    if ($sCommand === 'GetDwfckNs') {
        GetDwfckNs();
        return;
    }

    CreateXmlHeader($sCommand, $sResourceType, $sCurrentFolder);

    // Execute the required command; unknown commands produce an empty envelope.
    if ($sCommand === 'GetFolders') {
        GetFolders($sResourceType, $sCurrentFolder);
    } elseif ($sCommand === 'GetFoldersAndFiles') {
        GetFoldersAndFiles($sResourceType, $sCurrentFolder);
    } elseif ($sCommand === 'CreateFolder') {
        CreateFolder($sResourceType, $sCurrentFolder);
    } elseif ($sCommand === 'UnlinkFile') {
        UnlinkFile($sResourceType, $sCurrentFolder, $sCommand, input_strval('file'));
    }

    CreateXmlFooter();
    exit;
}