liteFM fixes

Frank Harris 2026-06-10 18:59:12 -04:00
parent b9727fdfa7
commit 751874ea8c
5 changed files with 280 additions and 84 deletions


@ -24,6 +24,74 @@
require_once('includes/lib_remote.php');
function litefm_decode_name_param($value)
{
return rawurldecode((string)$value);
}
function litefm_escape_html($value)
{
return htmlspecialchars((string)$value, ENT_QUOTES, 'UTF-8');
}
function litefm_is_valid_path_component($name)
{
if (!is_string($name) || $name === '' || $name === '.' || $name === '..') {
return false;
}
if (strpos($name, "\0") !== false || strpos($name, '/') !== false || strpos($name, '\\') !== false) {
return false;
}
return true;
}
function litefm_normalize_relative_path($relativePath)
{
$relativePath = str_replace('\\', '/', (string)$relativePath);
$relativePath = preg_replace('#/+#', '/', $relativePath);
$relativePath = trim($relativePath, '/');
if ($relativePath === '') {
return '';
}
if (strpos($relativePath, "\0") !== false) {
return false;
}
if (preg_match('#(^|/)\.{1,2}(/|$)#', $relativePath)) {
return false;
}
foreach (explode('/', $relativePath) as $segment) {
if (!litefm_is_valid_path_component($segment)) {
return false;
}
}
return $relativePath;
}
function litefm_path_within_home($homePath, $candidatePath)
{
$homeNorm = str_replace('\\', '/', clean_path((string)$homePath));
$candidateNorm = str_replace('\\', '/', clean_path((string)$candidatePath));
$homeCmp = strtolower(rtrim($homeNorm, '/'));
$candidateCmp = strtolower($candidateNorm);
if ($candidateCmp === $homeCmp) {
return true;
}
return strpos($candidateCmp, $homeCmp . '/') === 0;
}
function litefm_safe_join_home_path($homePath, $relativePath)
{
$normalizedRel = litefm_normalize_relative_path($relativePath);
if ($normalizedRel === false) {
return false;
}
$fullPath = clean_path(rtrim((string)$homePath, '/') . '/' . $normalizedRel);
if (!litefm_path_within_home($homePath, $fullPath)) {
return false;
}
return $fullPath;
}
function do_progress($kbytes,$totalsize)
{
if( $totalsize != 0 )
@ -54,7 +122,12 @@ function litefm_check($home_id)
{
if (isset($_GET['item']) and !isset($_GET['upload']) and !isset( $_POST['delete'] ) and !isset( $_POST['create_folder'] ) and !isset( $_POST['secureButton'] ) and !isset( $_POST['delete_check'] ) and !isset( $_POST['secure_check'] ))
{
$fileName = !empty($_POST['name']) ? urldecode($_POST['name']) : urldecode($_GET['name']);
$fileName = !empty($_POST['name']) ? litefm_decode_name_param($_POST['name']) : litefm_decode_name_param(isset($_GET['name']) ? $_GET['name'] : '');
if (!litefm_is_valid_path_component($fileName))
{
print_failure("Path decode failed");
return FALSE;
}
if(isset($_GET['type'])){
$type = $_GET['type'];
}else{
@ -66,23 +139,29 @@ function litefm_check($home_id)
$path = $_SESSION['fm_files_'.$home_id][$_GET['item']];
if($path == $fileName){
// Make sure nobody tries to get outside thier game server by referencing the .. directory
if(preg_match("/\/\.\.\/|\||;/", $path))
{
print_failure(get_lang("unallowed_char"));
$_SESSION['fm_cwd_'.$home_id] = NULL;
return FALSE;
}
else
{
if($type != "file"){
$_SESSION['fm_cwd_'.$home_id] = @$_SESSION['fm_cwd_'.$home_id] . "/" . $path;
$_SESSION['fm_cwd_'.$home_id] = clean_path($_SESSION['fm_cwd_'.$home_id]);
}else{
if((isset($_SESSION['fm_cwd_'.$home_id]) and !endsWith($_SESSION['fm_cwd_'.$home_id], $path)) or !isset($_SESSION['fm_cwd_'.$home_id])){
$_SESSION['fm_cwd_'.$home_id] = @$_SESSION['fm_cwd_'.$home_id] . "/" . $path;
$_SESSION['fm_cwd_'.$home_id] = clean_path($_SESSION['fm_cwd_'.$home_id]);
if($type != "file"){
$nextPath = trim((string)@$_SESSION['fm_cwd_'.$home_id], '/');
$nextPath = $nextPath === '' ? $path : $nextPath . '/' . $path;
$normalizedNext = litefm_normalize_relative_path($nextPath);
if($normalizedNext === false)
{
print_failure(get_lang("unallowed_char"));
$_SESSION['fm_cwd_'.$home_id] = NULL;
return FALSE;
}
$_SESSION['fm_cwd_'.$home_id] = $normalizedNext;
}else{
if((isset($_SESSION['fm_cwd_'.$home_id]) and !endsWith($_SESSION['fm_cwd_'.$home_id], $path)) or !isset($_SESSION['fm_cwd_'.$home_id])){
$nextPath = trim((string)@$_SESSION['fm_cwd_'.$home_id], '/');
$nextPath = $nextPath === '' ? $path : $nextPath . '/' . $path;
$normalizedNext = litefm_normalize_relative_path($nextPath);
if($normalizedNext === false)
{
print_failure(get_lang("unallowed_char"));
$_SESSION['fm_cwd_'.$home_id] = NULL;
return FALSE;
}
$_SESSION['fm_cwd_'.$home_id] = $normalizedNext;
}
}
}