$result = "ok";
for ($i = 0; $i < count($files); $i++) {
// Work out the real path for a file
$files[$i] = realpath($_SERVER['DOCUMENT_ROOT'] . $files[$i]);
// If we can't find that file or it doesn't start with the doc root, it's an error
if (!file_exists($files[$i]) || strpos(str_replace("\\", "/", $files[$i]), $_SERVER['DOCUMENT_ROOT']) !== 0) {
$result = "error";
} else {
$filesSizesSeen[$i] = filesize($files[$i]);
}
}
if ($result != "error") {
$filesWithNewBugs = 0;
for ($i = 0; $i < count($files); $i++) {
// If we have set a filesize value previously and it's different to now, there's new bugs
$fileSizesSeenArray = explode(",", xssClean($_GET['filesSizesSeen'], "html"));
if ($fileSizesSeenArray[$i] != "null" && $fileSizesSeenArray[$i] != $filesSizesSeen[$i]) {
$result = "bugs";
$filesWithNewBugs++;
$filename = $files[$i];
$chars = $filesSizesSeen[$i] - $fileSizesSeenArray[$i];
$buffer = 4096;
$lines = $maxLines + 1 + 1;
// 1 (possibly) for end of file and 1 for partial lines
// Open the file
$f = fopen($filename, "rb");
// Jump to last character
fseek($f, 0, SEEK_END);
// If we don't have a line at end, deduct 1 from $lines to get
if (fread($f, 1) != "\n") {
$lines -= 1;
<?php
include_once "settings-common.php";
$text = $_SESSION['text'];
$t = $text['settings-update'];
// Update this config file?
if (!$demoMode && isset($_SESSION['loggedIn']) && $_SESSION['loggedIn'] && isset($_POST["theme"]) && $_POST["theme"]) {
$settingsContents = file_get_contents($settingsFile, false, $context);
// Replace our settings vars
$repPosStart = strpos($settingsContents, '"root"');
$repPosEnd = strpos($settingsContents, '"plugins"');
// Has there been a language change?
$languageUserChanged = $ICEcoder['languageUser'] != $_POST['languageUser'];
// Prepare all our vars
$ICEcoder["root"] = xssClean($_POST['root'], "html");
$ICEcoder["checkUpdates"] = isset($_POST['checkUpdates']) && $_POST['checkUpdates'] ? "true" : "false";
$ICEcoder["openLastFiles"] = isset($_POST['openLastFiles']) && $_POST['openLastFiles'] ? "true" : "false";
$ICEcoder["updateDiffOnSave"] = isset($_POST['updateDiffOnSave']) && $_POST['updateDiffOnSave'] ? "true" : "false";
$ICEcoder["languageUser"] = strClean($_POST['languageUser']);
$ICEcoder["findFilesExclude"] = 'array("' . str_replace(',', '","', str_replace(" ", "", strClean($_POST['findFilesExclude']))) . '")';
$ICEcoder["codeAssist"] = isset($_POST['codeAssist']) && $_POST['codeAssist'] ? "true" : "false";
$ICEcoder["visibleTabs"] = isset($_POST['visibleTabs']) && $_POST['visibleTabs'] ? "true" : "false";
$ICEcoder["lockedNav"] = isset($_POST['lockedNav']) && $_POST['lockedNav'] ? "true" : "false";
$ICEcoder["tagWrapperCommand"] = strClean($_POST['tagWrapperCommand']);
$ICEcoder["autoComplete"] = strClean($_POST['autoComplete']);
if ($_POST['password'] != "") {
$ICEcoder["password"] = generateHash(strClean($_POST['password']));
}
$ICEcoder["bannedFiles"] = 'array("' . str_replace(',', '","', str_replace(" ", "", strClean($_POST['bannedFiles']))) . '")';
$ICEcoder["bannedPaths"] = 'array("' . str_replace(',', '","', str_replace(" ", "", strClean($_POST['bannedPaths']))) . '")';
$ICEcoder["allowedIPs"] = 'array("' . str_replace(',', '","', str_replace(" ", "", strClean($_POST['allowedIPs']))) . '")';
for ($i = 0; $i < count($finalArray); $i++) {
$fileFolderName = str_replace("\\", "/", $finalArray[$i]);
$type = is_dir($docRoot . $iceRoot . $fileFolderName) ? "folder" : "file";
if ($type == "file") {
// Get extension (prefix 'ext-' to prevent invalid classes from extensions that begin with numbers)
$ext = "ext-" . pathinfo($docRoot . $iceRoot . $fileFolderName, PATHINFO_EXTENSION);
}
if ($i == 0) {
echo "<ul style=\"display: block\">\n";
}
if ($i == count($finalArray) - 1 && isset($_GET['location'])) {
echo "</ul>\n";
}
$type == "folder" ? $class = 'pft-directory' : ($class = 'pft-file ' . strtolower($ext));
$loadParam = $type == "folder" ? "true" : "false";
echo "<li class=\"" . $class . "\" draggable=\"true\" ondrag=\"top.ICEcoder.draggingWithKeyTest(event);if(top.ICEcoder.getcMInstance()){top.ICEcoder.getcMInstance().focus()}\" ondragend=\"top.ICEcoder.dropFile(this)\"><a nohref title=\"{$fileFolderName}\" onMouseOver=\"top.ICEcoder.overFileFolder('{$type}',this.childNodes[1].id)\" onMouseOut=\"top.ICEcoder.overFileFolder('{$type}','')\" onClick=\"if(!event.ctrlKey && !top.ICEcoder.cmdKey) {top.ICEcoder.openCloseDir(this,{$loadParam}); if (/Android|webOS|iPhone|iPad|iPod|BlackBerry/i.test(navigator.userAgent)) {top.ICEcoder.openFile()}}\" style=\"position: relative; left:-22px\"> <span id=\"" . str_replace($docRoot, "", str_replace("/", "|", $fileFolderName)) . "\">" . xssClean(basename($fileFolderName), "html") . "</span> ";
echo '<span style="color: #888; font-size: 8px" id="' . str_replace($docRoot, "", str_replace("/", "|", $fileFolderName)) . '_perms">';
echo $serverType == "Linux" ? substr(sprintf('%o', fileperms($docRoot . $iceRoot . $fileFolderName)), -3) : '';
echo "</span></a></li>\n";
}
if (isset($_GET['location'])) {
?>
</div>
<script>
targetElem = top.ICEcoder.filesFrame.contentWindow.document.getElementById('<?php
echo $_GET['location'];
?>
');
newUL = document.createElement("ul");
newUL.style = "display: block";
locNest = targetElem.parentNode.parentNode;
} else {
// There was an error, display HTTP error code and response message
top.ICEcoder.message('<?php
echo $t['Sorry, there was...'];
?>
'+err.error+'\n\n'+err.request.response);
top.ICEcoder.showHide('hide',top.get('loadingMask'));
}
});
</script>
<?php
}
?>
<script>
targetElem = top.ICEcoder.filesFrame.contentWindow.document.getElementById('<?php
echo xssClean($_GET['location'], "html");
?>
');
newUL = document.createElement("ul");
newUL.style = "display: block";
locNest = targetElem.parentNode.parentNode;
if(locNest.nextSibling && locNest.nextSibling.tagName=="UL") {
x = locNest.nextSibling;
x.parentNode.removeChild(x);
}
folderContent = document.getElementById('branch').innerHTML;
folderItems = folderContent.split("\n");
showFiles = function() {
// Now display folders & files
<br><br> <span class="heading"><?php echo $t['Date & time']; ?> </span><br> <span id="serverDT"></span><br><br> <h2><?php echo $t['your device']; ?> </h2> <span class="heading"><?php echo $t['Browser']; ?> </span><br> <?php echo xssClean($_SERVER['HTTP_USER_AGENT'], "html"); ?> <br><br> <span class="heading"><?php echo $t['Your IP']; ?> </span><br> <?php echo $_SERVER['REMOTE_ADDR']; ?> <br><br> </div> <div style="float: left"> <h2><?php echo $t['files'];
} else {
$type = $ftpItems[basename($fileFolderName)]['type'] == "directory" ? "folder" : "file";
}
if ($type == "file") {
// Get extension (prefix 'ext-' to prevent invalid classes from extensions that begin with numbers)
$ext = "ext-" . pathinfo($docRoot . $iceRoot . $fileFolderName, PATHINFO_EXTENSION);
}
if ($i == 0) {
echo "<ul style=\"display: block\">\n";
}
if ($i == count($finalArray) - 1 && isset($_GET['location'])) {
echo "</ul>\n";
}
$type == "folder" ? $class = 'pft-directory' : ($class = 'pft-file ' . strtolower($ext));
$loadParam = $type == "folder" ? "true" : "false";
echo "<li class=\"" . $class . "\" draggable=\"false\" ondrag=\"top.ICEcoder.draggingWithKeyTest(event);if(top.ICEcoder.getcMInstance()){top.ICEcoder.editorFocusInstance.indexOf('diff') == -1 ? top.ICEcoder.getcMInstance().focus() : top.ICEcoder.getcMdiffInstance().focus()}\" ondragend=\"top.ICEcoder.dropFile(this)\"><a nohref title=\"{$fileFolderName}\" onMouseOver=\"parentNode.draggable=true;top.ICEcoder.overFileFolder('{$type}',this.childNodes[1].id)\" onMouseOut=\"parentNode.draggable=false;top.ICEcoder.overFileFolder('{$type}','')\" " . ($type == "folder" ? "ondragover=\"if(parentNode.nextSibling && parentNode.nextSibling.tagName != 'UL' && top.ICEcoder.thisFileFolderLink != this.childNodes[1].id) {top.ICEcoder.openCloseDir(this,true);}\"" : "") . " onClick=\"if(!event.ctrlKey && !top.ICEcoder.cmdKey) {" . ($type == "folder" ? " top.ICEcoder.openCloseDir(this,{$loadParam});" : "") . " if (/Android|webOS|iPhone|iPad|iPod|BlackBerry/i.test(navigator.userAgent)) {top.ICEcoder.openFile()}}\" style=\"position: relative; left:-22px\"> <span id=\"" . str_replace($docRoot, "", str_replace("/", "|", $fileFolderName)) . "\">" . xssClean(basename($fileFolderName), "html") . "</span> ";
if (!isset($ftpSite)) {
$thisPermVal = $serverType == "Linux" ? substr(sprintf('%o', fileperms($docRoot . $iceRoot . $fileFolderName)), -3) : '';
} else {
// Work out perms value
$thisPermVal = 0;
$r = $ftpItems[basename($fileFolderName)]['rights'];
// Owner
$thisPermVal += substr($r, 1, 1) == "r" ? 400 : 0;
$thisPermVal += substr($r, 2, 1) == "w" ? 200 : 0;
$thisPermVal += substr($r, 3, 1) == "x" ? 100 : 0;
// Group
$thisPermVal += substr($r, 4, 1) == "r" ? 40 : 0;
$thisPermVal += substr($r, 5, 1) == "w" ? 20 : 0;
$thisPermVal += substr($r, 6, 1) == "x" ? 10 : 0;
// Public
<?php
// Stop if we're running an old version in the tmp dir
if (strpos(str_replace("\\", "/", dirname(__FILE__)), "tmp/oldVersion") !== false) {
die("This is an old version of ICEcoder. Won't run from tmp/oldVersion/ dir.");
}
// Load common functions
include_once dirname(__FILE__) . "/settings-common.php";
$text = $_SESSION['text'];
$t = $text['headers'];
// CSRF synchronizer token pattern, 32 chars
if (!isset($_SESSION["csrf"])) {
$_SESSION["csrf"] = md5(uniqid(mt_rand(), true));
}
if (($_GET || $_POST) && (!isset($_REQUEST["csrf"]) || $_REQUEST["csrf"] !== $_SESSION["csrf"])) {
$req = isset($_REQUEST["csrf"]) ? xssClean($_REQUEST["csrf"], "html") : "";
die($t['Bad CSRF token...'] . "<br><br>\r\n\t\tCSRF issue:<br>\r\n\t\tREQUEST: " . $req . "<br>\r\n\t\tSESSION: " . xssClean($_SESSION["csrf"], "html") . "<br>\r\n\t\tFILE: " . xssClean($_SERVER["SCRIPT_NAME"], "html") . "<br>\r\n\t\tGET: " . xssClean(var_export($_GET, true), "html") . "<br>\r\n\t\tPOST: " . xssClean(var_export($_POST, true), "html"));
}
if (!headers_sent()) {
// Set our security related headers
header("X-Frame-Options: SAMEORIGIN");
// Only frames of same origin
header("X-XSS-Protection: 1; mode=block");
// Turn on IE8-9 XSS prevention tools
// header("X-Content-Security-Policy: allow 'self'"); // Only allows JS on same domain & not inline to run
header("X-Content-Type-Options: nosniff");
// Prevent MIME based attacks
}
$settingsNew = '"githubLocalPaths" => array(';
// Redo the arrays using the form data
for ($i = 0; $i < count($oldLocal); $i++) {
if ($_POST['githubLocalPath' . $i] != "") {
$settingsNew .= '"' . xssClean($_POST['githubLocalPath' . $i], "html") . '",';
}
}
// Rtrim off the last comma
$settingsNew = rtrim($settingsNew, ',');
$settingsNew .= '),' . PHP_EOL;
// Now do the same for the remote paths
$settingsNew .= '"githubRemotePaths" => array(';
// Redo the arrays using the form data
for ($i = 0; $i < count($oldRemote); $i++) {
if ($_POST['githubRemotePath' . $i] != "") {
$settingsNew .= '"' . xssClean($_POST['githubRemotePath' . $i], "html") . '",';
}
}
// Rtrim off the last comma
$settingsNew = rtrim($settingsNew, ',');
$settingsNew .= '),' . PHP_EOL;
}
if ($_GET['action'] != "choose") {
// Now we have a new settingsNew string to use
// we can update the path arrays in the settings file
// Identify the bit to replace
$repPosStart = strpos($settingsContents, '"githubLocalPaths"');
$repPosEnd = strpos($settingsContents, '"previousFiles"');
// Compile our new settings
$settingsContents = substr($settingsContents, 0, $repPosStart) . $settingsNew . substr($settingsContents, $repPosEnd, strlen($settingsContents));
// Now update the config file
<?php
// Load common functions
include_once dirname(__FILE__) . "/settings-common.php";
// CSRF synchronizer token pattern, 32 chars
if (!isset($_SESSION["csrf"])) {
$_SESSION["csrf"] = md5(uniqid(mt_rand(), true));
}
if (($_GET || $_POST) && (!isset($_REQUEST["csrf"]) || $_REQUEST["csrf"] !== $_SESSION["csrf"])) {
$req = isset($_REQUEST["csrf"]) ? xssClean($_REQUEST["csrf"], "html") : "";
die("Bad CSRF token. Please report the error info at https://github.com/mattpass/ICEcoder so it can be fixed.<br><br>\n\t\tCSRF issue:<br>\n\t\tREQUEST: " . $req . "<br>\n\t\tSESSION: " . xssClean($_SESSION["csrf"], "html") . "<br>\n\t\tFILE: " . xssClean($_SERVER["SCRIPT_NAME"], "html") . "<br>\n\t\tGET: " . xssClean(var_export($_GET, true), "html") . "<br>\n\t\tPOST: " . xssClean(var_export($_POST, true), "html") . "<br>\n\t\t<br>Many thanks!");
}
// Set our security related headers
header("X-Frame-Options: SAMEORIGIN");
// Only frames of same origin
header("X-XSS-Protection: 1; mode=block");
// Turn on IE8-9 XSS prevention tools
// header("X-Content-Security-Policy: allow 'self'"); // Only allows JS on same domain & not inline to run
header("X-Content-Type-Options: nosniff");
// Prevent MIME based attacks
echo $action == "commit" ? "Commit files" : "Pull files";
?>
</h1>
<form name="commitDetails">
Title:<br><input type="text" name="commitTitle" id="commitTitle" value="" style="width: 300px; margin: 5px 0 15px 0"><br>
Message:<br><textarea name="commitMessage" id="commitMessage" style="width: 300px; height: 118px; margin: 5px 0 15px 0"></textarea>
</form>
<div style="display: inline-block; padding: 5px; background: #2187e7; color: #fff; font-size: 12px; cursor: pointer" onclick="commitFiles()">Commit</div>
<br><br>
<?php
// Get file contents for selected files
$selectedFiles = xssClean($_GET['selectedFiles'], "html");
$selectedFiles = explode(";", $selectedFiles);
for ($i = 0; $i < count($selectedFiles); $i++) {
// Replace pipes with slashes
$file = str_replace("|", "/", $selectedFiles[$i]);
// Trim any +'s or spaces from the end of file and clear any ../'s
$file = str_replace("../", "", rtrim(rtrim($file, '+'), ' '));
// Make $file a full path
if (strpos($file, $docRoot) === false) {
$file = str_replace("|", "/", $docRoot . $iceRoot . $file);
}
if (file_exists($file)) {
$loadedFile = toUTF8noBOM(file_get_contents($file, false, $context), true);
echo '<textarea name="loadedFile' . $i . '" id="loadedFile' . $i . '" style="display: none">' . str_replace("</textarea>", "<ICEcoder:/:textarea>", str_replace("&", "&", $loadedFile)) . '</textarea><br><br>' . PHP_EOL . PHP_EOL;
}
}
<?php
// Load common functions
include "headers.php";
include "settings.php";
$file = str_replace("|", "/", xssClean($_GET['file'], 'html'));
$loadedFile = toUTF8noBOM(file_get_contents("../backups/" . $file, false, $context), true);
$encoding = ini_get("default_charset");
if ($encoding == "") {
$encoding = "UTF-8";
}
echo '<textarea name="loadedFile" id="loadedFile">' . htmlentities($loadedFile, ENT_COMPAT, $encoding) . '</textarea>';
echo "<script>parent.document.getElementById('buttonsContainer').style.display = 'inline-block';parent.editor.setValue(document.getElementById('loadedFile').value)</script>";
function getDetails($fileArr)
{
foreach ($fileArr['name'] as $keyee => $info) {
$uploads[$keyee]->name = xssClean($fileArr['name'][$keyee], "html");
$uploads[$keyee]->type = $fileArr['type'][$keyee];
$uploads[$keyee]->tmp_name = $fileArr['tmp_name'][$keyee];
$uploads[$keyee]->error = $fileArr['error'][$keyee];
}
return $uploads;
}
