diff --git a/Panel/modules/litefm/fm_dir.php b/Panel/modules/litefm/fm_dir.php
index 724b5945..4b48847a 100644
--- a/Panel/modules/litefm/fm_dir.php
+++ b/Panel/modules/litefm/fm_dir.php
@@ -481,9 +481,9 @@ function exec_ogp_module()
 echo empty($home_cfg['home_name']) ? get_lang("not_available") : htmlentities($home_cfg['home_name']);
 echo "";
 $_SESSION['fm_files_'.$home_id] = array();
- $show_path = (isset($_SESSION['fm_cwd_'.$home_id])) ? clean_path($_SESSION['fm_cwd_'.$home_id]) : "/";
- if($isAdmin)
- $show_path = clean_path($home_cfg['home_path'].$show_path);
+ $show_path = litefm_display_home_path($home_cfg['home_path'], isset($_SESSION['fm_cwd_'.$home_id]) ? $_SESSION['fm_cwd_'.$home_id] : '');
+ if ($show_path === false)
+ $show_path = clean_path($home_cfg['home_path']);
 echo "
<< ". get_lang("back") ."
"; if ($remote->rfile_exists($path)) {
diff --git a/Panel/modules/litefm/fm_read.php b/Panel/modules/litefm/fm_read.php
index b22398cf..b028b530 100644
--- a/Panel/modules/litefm/fm_read.php
+++ b/Panel/modules/litefm/fm_read.php
@@ -60,9 +60,9 @@ function exec_ogp_module()
 if (litefm_check($home_id) === FALSE)
 return;
- $show_path = (isset($_SESSION['fm_cwd_'.$home_id])) ? clean_path($_SESSION['fm_cwd_'.$home_id]) : "/";
- if($isAdmin)
- $show_path = clean_path($home_cfg['home_path'].$show_path);
+ $show_path = litefm_display_home_path($home_cfg['home_path'], isset($_SESSION['fm_cwd_'.$home_id]) ? $_SESSION['fm_cwd_'.$home_id] : '');
+ if ($show_path === false)
+ $show_path = clean_path($home_cfg['home_path']);
 echo "".show_back($home_id)."
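Review bot: The `if($isAdmin)` guard that the removed lines used to hide `$home_cfg['home_path']` from non-admin users is gone: both `litefm_display_home_path($home_cfg['home_path'], …)` and the `clean_path($home_cfg['home_path'])` fallback now render the absolute server-side home directory to every user who passes litefm_check, which is a disclosure regression rather than a pure refactor. The same three replacement lines appear in fm_read.php at -60/+60. If `$isAdmin` is still computed above the hunk, the old behaviour can be kept with `$show_path = litefm_display_home_path($isAdmin ? $home_cfg['home_path'] : '', …);` and a fallback of `$show_path = $isAdmin ? clean_path($home_cfg['home_path']) : '/';` — assuming clean_path tolerates the empty home path, which is not visible in this diff. exec_ogp_module starts before and ends after the hunk.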
"; echo "\n". "".
@@ -71,7 +71,12 @@ function exec_ogp_module()
 $remote = new OGPRemoteLibrary($home_cfg['agent_ip'], $home_cfg['agent_port'], $home_cfg['encryption_key'], $home_cfg['timeout']);
 $data = "";
 $rel_path = isset($_SESSION['fm_cwd_'.$home_id]) ? $_SESSION['fm_cwd_'.$home_id]:'';
- $filepath = clean_path($home_cfg['home_path']."/".$rel_path);
+ $filepath = litefm_safe_join_home_path($home_cfg['home_path'], $rel_path);
+ if ($filepath === false)
+ {
+ print_failure(get_lang('unallowed_char'));
+ return;
+ }
 $file_info = $remote->remote_readfile($filepath ,$data);
 if ( $file_info === 0 )
 {
@@ -101,7 +106,7 @@ function exec_ogp_module()
 editor.setTheme("ace/theme/tomorrow");
 (function () {
 var modelist = ace.require("ace/ext/modelist");
- var filePath = "";
+ var filePath = "";
 var mode = modelist.getModeForPath(filePath).mode;
 console.log(mode);
 editor.session.setMode(mode);
diff --git a/Panel/modules/litefm/fm_write.php b/Panel/modules/litefm/fm_write.php
index 2714f182..9bbd5668 100644
--- a/Panel/modules/litefm/fm_write.php
+++ b/Panel/modules/litefm/fm_write.php 
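Review bot: When `litefm_display_home_path` returns false, the added fallback `$show_path = clean_path($home_cfg['home_path']);` just carries on, so the session cwd that litefm_normalize_relative_path rejected stays in `$_SESSION['fm_cwd_'.$home_id]` and is read again by the -71/+71 hunk below, which then prints `unallowed_char` — the user sees a root-directory header followed by a failure. Handling the false result the way that later hunk does is cheaper and consistent: `if ($show_path === false) { unset($_SESSION['fm_cwd_'.$home_id]); print_failure(get_lang('unallowed_char')); return; }`, which also clears the stale value. fm_dir.php at -481/+481 carries the same fallback. exec_ogp_module extends beyond both edges of the hunk.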
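Review bot: Whatever is interpolated into `var filePath = "";` was dropped by the page rendering, so the actual change on this line cannot be verified here; what can be said is that a server path is being emitted inside a JavaScript string literal in a `<script>` block, where HTML-entity escaping is the wrong tool (entities are not decoded inside script text, so `getModeForPath` would see `&#039;` or `&amp;` sequences, while no escaping at all leaves a quote or backslash in a file name able to break the literal). Let PHP produce the literal instead: `var filePath = <?php echo json_encode(basename($filepath), JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT); ?>;` — `basename` because the mode lookup only needs the extension, which also keeps the absolute home directory out of the page. If the new line already does this, treat the note as a request to keep it. exec_ogp_module continues on both sides of the hunk.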
@@ -60,11 +60,17 @@ function exec_ogp_module()
 $_REQUEST['file_content'] = strip_real_escape_string($_REQUEST['file_content']);
 $remote = new OGPRemoteLibrary($home_cfg['agent_ip'], $home_cfg['agent_port'], $home_cfg['encryption_key'], $home_cfg['timeout']);
- $file_info = $remote->remote_writefile($home_cfg['home_path']."/".$_SESSION['fm_cwd_'.$home_id], $_REQUEST['file_content']);
+ $target_path = litefm_safe_join_home_path($home_cfg['home_path'], isset($_SESSION['fm_cwd_'.$home_id]) ? $_SESSION['fm_cwd_'.$home_id] : '');
+ if ($target_path === false)
+ {
+ print_failure(get_lang('unallowed_char'));
+ return;
+ }
+ $file_info = $remote->remote_writefile($target_path, $_REQUEST['file_content']);
 if ( $file_info === 1 )
 {
 print_success(get_lang('wrote_changes'));
- $db->logger(get_lang('wrote_changes')." ( ".$home_cfg['home_name']." - ".$home_cfg['home_path'].$_SESSION['fm_cwd_'.$home_id]." )");
+ $db->logger(get_lang('wrote_changes')." ( ".$home_cfg['home_name']." - ".litefm_display_home_path($home_cfg['home_path'], isset($_SESSION['fm_cwd_'.$home_id]) ? $_SESSION['fm_cwd_'.$home_id] : '')." )");
 }
 else if ( $file_info === 0 )
 print_failure(get_lang('failed_write'));
diff --git a/Panel/modules/litefm/get_file.php b/Panel/modules/litefm/get_file.php
index 8a926136..b5aadf4e 100644
--- a/Panel/modules/litefm/get_file.php
+++ b/Panel/modules/litefm/get_file.php
@@ -75,7 +75,7 @@ function exec_ogp_module()
 if (litefm_check($home_id) === FALSE)
 return;
 $_SESSION['download'][$did]['fileph'] = $_SESSION['fm_cwd_'.$home_id];
- $_SESSION['fm_cwd_'.$home_id] = dirname($_SESSION['fm_cwd_'.$home_id]);
+ $_SESSION['fm_cwd_'.$home_id] = litefm_parent_relative_path(isset($_SESSION['fm_cwd_'.$home_id]) ? $_SESSION['fm_cwd_'.$home_id] : '');
 $_SESSION['download'][$did]['offset'] = 0;
 }
diff --git a/Panel/modules/litefm/litefm.php b/Panel/modules/litefm/litefm.php
index 96312dc8..62b0742f 100644
--- a/Panel/modules/litefm/litefm.php
+++ b/Panel/modules/litefm/litefm.php 
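Review bot: The new `$db->logger(...)` line re-runs `litefm_display_home_path` on the session value even though `$target_path` in the same branch has already been validated; if the display helper ever returns false here, string concatenation turns it into `''` and the audit entry silently loses the path of the file that was just written, which is the one detail an operator needs from that log. Logging the value the write actually used avoids both the double normalization and the silent blank: `$db->logger(get_lang('wrote_changes')." ( ".$home_cfg['home_name']." - ".$target_path." )");` — assuming the safe-join result is acceptable as the logged form (its body starts above the litefm.php hunk). exec_ogp_module begins before and ends after this hunk.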
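Review bot: The context line directly above the change, `$_SESSION['download'][$did]['fileph'] = $_SESSION['fm_cwd_'.$home_id];`, still stores the raw session cwd for the transfer, so the value that the download consumer will act on bypasses the normalization this commit introduces, while only the cwd shown afterwards is cleaned; the `isset` added on the new line is also moot, since the preceding line already reads the key unguarded. Unless the consumer of `fileph` joins it through `litefm_safe_join_home_path` (not visible in this diff), validate before storing: `$fileph = litefm_normalize_relative_path(isset($_SESSION['fm_cwd_'.$home_id]) ? $_SESSION['fm_cwd_'.$home_id] : ''); if ($fileph === false) { print_failure(get_lang('unallowed_char')); return; } $_SESSION['download'][$did]['fileph'] = $fileph;`, keeping whatever relative form the consumer expects. exec_ogp_module starts above the hunk.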
@@ -92,6 +92,31 @@ function litefm_safe_join_home_path($homePath, $relativePath)
 return $fullPath;
 }
+function litefm_display_home_path($homePath, $relativePath)
+{
+ $normalizedRel = litefm_normalize_relative_path($relativePath);
+ if ($normalizedRel === false) {
+ return false;
+ }
+ if ($normalizedRel === '') {
+ return clean_path((string)$homePath);
+ }
+ return clean_path(rtrim((string)$homePath, '/') . '/' . $normalizedRel);
+}
+
+function litefm_parent_relative_path($relativePath)
+{
+ $normalizedRel = litefm_normalize_relative_path($relativePath);
+ if ($normalizedRel === false || $normalizedRel === '') {
+ return '';
+ }
+ $lastSlash = strrpos($normalizedRel, '/');
+ if ($lastSlash === false) {
+ return '';
+ }
+ return substr($normalizedRel, 0, $lastSlash);
+}
+
 function do_progress($kbytes,$totalsize)
 {
 if( $totalsize != 0 )
@@ -170,7 +195,7 @@ function litefm_check($home_id)
 // To go back a dir, we just use dirname to strip the last directory or file off the path
 if (isset($_GET['back']) and !isset($_GET['upload']) and !isset( $_POST['delete'] ) and !isset( $_POST['create_folder'] ) and !isset( $_POST['secureButton'] ) and !isset( $_POST['delete_check'] ) and !isset( $_POST['secure_check'] ))
 {
- $_SESSION['fm_cwd_'.$home_id] = dirname( $_SESSION['fm_cwd_'.$home_id] );
+ $_SESSION['fm_cwd_'.$home_id] = litefm_parent_relative_path(isset($_SESSION['fm_cwd_'.$home_id]) ? $_SESSION['fm_cwd_'.$home_id] : '');
 }
 return TRUE;
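Review bot: Neither new function carries a docblock, and their contracts differ in a way every caller in this commit depends on: `litefm_display_home_path` returns `string|false`, while `litefm_parent_relative_path` folds both a rejected and an empty input into `''`. Above the first add `/** Build the path shown to the user for $homePath plus a normalized relative cwd; display only, not for filesystem access. @return string|false false when litefm_normalize_relative_path rejects $relativePath */`, and above the second `/** Strip the last segment of a relative cwd. @return string '' when already at the root or when the value is rejected */`. The join `rtrim((string)$homePath, '/') . '/' . $normalizedRel` is presumably the same one litefm_safe_join_home_path performs (its body begins above the hunk); if so, having the display helper delegate to it would keep the two normalization paths from drifting apart.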
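Review bot: The context comment `// To go back a dir, we just use dirname to strip the last directory or file off the path` no longer describes the code: the replaced line calls `litefm_parent_relative_path`, which normalizes the session value first and resets to `''` when it is rejected or already at the root. Update it to `// To go back a dir, drop the last segment of the normalized relative cwd; a rejected or root value resets to ''` so the reset-on-invalid behaviour is documented where it matters. The equivalent replacement in get_file.php at -75/+75 has no comment at all and could carry the same sentence. litefm_check starts above the hunk.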

$show_path