diff --git a/Panel/modules/litefm/fm_dir.php b/Panel/modules/litefm/fm_dir.php
index 4b48847a..b10b9ab8 100644
--- a/Panel/modules/litefm/fm_dir.php
+++ b/Panel/modules/litefm/fm_dir.php
@@ -68,12 +68,32 @@ function exec_ogp_module()
if (!isset($_SESSION[$cwd_session_key]) || !is_string($_SESSION[$cwd_session_key])) {
$_SESSION[$cwd_session_key] = '';
}
+
+ // Validate cached path and recover from bad cached paths
$path = litefm_safe_join_home_path($home_cfg['home_path'], $_SESSION[$cwd_session_key]);
if ($path === false)
{
- print_failure(get_lang("unallowed_char"));
- echo "
";
- return;
+ // If we had a cached path and it's invalid, reset it and try again with root
+ if ($_SESSION[$cwd_session_key] !== '')
+ {
+ print_success("Invalid saved path was reset to the server root.");
+ $_SESSION[$cwd_session_key] = '';
+ $path = litefm_safe_join_home_path($home_cfg['home_path'], '');
+ // If even root is invalid, that's a real error
+ if ($path === false)
+ {
+ print_failure("Could not access server home directory");
+ echo "";
+ return;
+ }
+ }
+ else
+ {
+ // Empty path but still invalid - real error
+ print_failure(get_lang("unallowed_char"));
+ echo "";
+ return;
+ }
}
$home_root = clean_path($home_cfg['home_path']);
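Review bot: The two messages added in the recovery branch, `"Invalid saved path was reset to the server root."` and `"Could not access server home directory"`, are hard-coded English while the surrounding code goes through `get_lang()`; the same applies to the strings added in fm_read.php, fm_write.php and get_file.php (`"Invalid file path"`). A rejected stored path is also announced with `print_success`, which misreports a validation failure; something like `print_failure(get_lang('NEW_LANG_KEY'))` with a new language entry would match the event. A session value that fails `litefm_safe_join_home_path` may point at a bug or a tampered session, so recording the rejected value in the panel log before it is overwritten would keep that signal, provided a logger is in scope here. exec_ogp_module's body starts and ends outside the hunk.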
diff --git a/Panel/modules/litefm/fm_read.php b/Panel/modules/litefm/fm_read.php
index b028b530..74f3c5cc 100644
--- a/Panel/modules/litefm/fm_read.php
+++ b/Panel/modules/litefm/fm_read.php
@@ -60,7 +60,19 @@ function exec_ogp_module()
if (litefm_check($home_id) === FALSE)
return;
- $show_path = litefm_display_home_path($home_cfg['home_path'], isset($_SESSION['fm_cwd_'.$home_id]) ? $_SESSION['fm_cwd_'.$home_id] : '');
+ // Validate and recover from bad cached paths
+ $cwd_session_key = 'fm_cwd_' . $home_id;
+ if (isset($_SESSION[$cwd_session_key]) && $_SESSION[$cwd_session_key] !== '')
+ {
+ $testPath = litefm_safe_join_home_path($home_cfg['home_path'], $_SESSION[$cwd_session_key]);
+ if ($testPath === false)
+ {
+ print_success("Invalid saved path was reset to the server root.");
+ $_SESSION[$cwd_session_key] = '';
+ }
+ }
+
+ $show_path = litefm_display_home_path($home_cfg['home_path'], isset($_SESSION[$cwd_session_key]) ? $_SESSION[$cwd_session_key] : '');
if ($show_path === false)
$show_path = clean_path($home_cfg['home_path']);
echo "";
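Review bot: The added recovery block checks only `isset(...) && ... !== ''` before handing the session value to `litefm_safe_join_home_path`, whereas fm_dir.php first replaces any non-string value with `''`; a non-string value left in the session would reach the join helper here unnormalized (how the helper treats that is not visible in this diff). The same block is copied into fm_write.php and get_file.php, so one helper kept next to `litefm_safe_join_home_path` would keep all four entry points in agreement. A sketch follows; the helper name is only a suggestion and the user-facing notice stays with the caller. exec_ogp_module's body starts and ends outside the hunk.

```php
// Suggested shared helper (name is a proposal): returns true when a stored cwd was rejected and reset.
function litefm_reset_invalid_cwd($home_path, $cwd_session_key)
{
    if (!isset($_SESSION[$cwd_session_key]) || !is_string($_SESSION[$cwd_session_key])) {
        // Same normalization fm_dir.php already applies.
        $_SESSION[$cwd_session_key] = '';
        return false;
    }
    if ($_SESSION[$cwd_session_key] === '') {
        return false;
    }
    if (litefm_safe_join_home_path($home_path, $_SESSION[$cwd_session_key]) !== false) {
        return false;
    }
    $_SESSION[$cwd_session_key] = '';
    return true;
}

// … in exec_ogp_module(), replacing the added validation block …
$cwd_session_key = 'fm_cwd_' . $home_id;
if (litefm_reset_invalid_cwd($home_cfg['home_path'], $cwd_session_key)) {
    print_success("Invalid saved path was reset to the server root.");
}
// … unchanged: $show_path computation …
```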
@@ -70,7 +82,7 @@ function exec_ogp_module()
//Logic to open the file we're editing
$remote = new OGPRemoteLibrary($home_cfg['agent_ip'], $home_cfg['agent_port'], $home_cfg['encryption_key'], $home_cfg['timeout']);
$data = "";
- $rel_path = isset($_SESSION['fm_cwd_'.$home_id]) ? $_SESSION['fm_cwd_'.$home_id]:'';
+ $rel_path = isset($_SESSION[$cwd_session_key]) ? $_SESSION[$cwd_session_key]:'';
$filepath = litefm_safe_join_home_path($home_cfg['home_path'], $rel_path);
if ($filepath === false)
{
diff --git a/Panel/modules/litefm/fm_write.php b/Panel/modules/litefm/fm_write.php
index 9bbd5668..fe27bfea 100644
--- a/Panel/modules/litefm/fm_write.php
+++ b/Panel/modules/litefm/fm_write.php
@@ -55,12 +55,26 @@ function exec_ogp_module()
return;
}
+ $home_id = $home_cfg['home_id'];
+
+ // Validate and recover from bad cached paths early
+ $cwd_session_key = 'fm_cwd_' . $home_id;
+ if (isset($_SESSION[$cwd_session_key]) && $_SESSION[$cwd_session_key] !== '')
+ {
+ $testPath = litefm_safe_join_home_path($home_cfg['home_path'], $_SESSION[$cwd_session_key]);
+ if ($testPath === false)
+ {
+ print_success("Invalid saved path was reset to the server root.");
+ $_SESSION[$cwd_session_key] = '';
+ }
+ }
+
if ( isset($_REQUEST['save_file']) )
{
$_REQUEST['file_content'] = strip_real_escape_string($_REQUEST['file_content']);
$remote = new OGPRemoteLibrary($home_cfg['agent_ip'], $home_cfg['agent_port'], $home_cfg['encryption_key'], $home_cfg['timeout']);
- $target_path = litefm_safe_join_home_path($home_cfg['home_path'], isset($_SESSION['fm_cwd_'.$home_id]) ? $_SESSION['fm_cwd_'.$home_id] : '');
+ $target_path = litefm_safe_join_home_path($home_cfg['home_path'], isset($_SESSION[$cwd_session_key]) ? $_SESSION[$cwd_session_key] : '');
if ($target_path === false)
{
print_failure(get_lang('unallowed_char'));
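Review bot: When `save_file` is set and the stored path fails validation, the new block resets it to `''` and the save branch then carries on with `$target_path` resolved from the empty value, where the old code stopped at `print_failure(get_lang('unallowed_char'))`. As far as the hunk shows, `$target_path` is derived only from the session value, so the write would be aimed at a location the user did not choose. For a write request the reset should end the request: inside the `$testPath === false` branch add `if (isset($_REQUEST['save_file'])) { print_failure(get_lang('unallowed_char')); return; }`. The write call itself and the rest of exec_ogp_module are outside the hunk, so confirm this against the full function.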
@@ -70,7 +84,7 @@ function exec_ogp_module()
if ( $file_info === 1 )
{
print_success(get_lang('wrote_changes'));
- $db->logger(get_lang('wrote_changes')." ( ".$home_cfg['home_name']." - ".litefm_display_home_path($home_cfg['home_path'], isset($_SESSION['fm_cwd_'.$home_id]) ? $_SESSION['fm_cwd_'.$home_id] : '')." )");
+ $db->logger(get_lang('wrote_changes')." ( ".$home_cfg['home_name']." - ".litefm_display_home_path($home_cfg['home_path'], isset($_SESSION[$cwd_session_key]) ? $_SESSION[$cwd_session_key] : '')." )");
}
else if ( $file_info === 0 )
print_failure(get_lang('failed_write'));
diff --git a/Panel/modules/litefm/get_file.php b/Panel/modules/litefm/get_file.php
index b5aadf4e..79eb2e8d 100644
--- a/Panel/modules/litefm/get_file.php
+++ b/Panel/modules/litefm/get_file.php
@@ -45,6 +45,17 @@ function exec_ogp_module()
if ( preg_match("/f/",$home_cfg['access_rights']) != 1 )
return;
+ // Validate and recover from bad cached paths early
+ $cwd_session_key = 'fm_cwd_' . $home_id;
+ if (isset($_SESSION[$cwd_session_key]) && $_SESSION[$cwd_session_key] !== '')
+ {
+ $testPath = litefm_safe_join_home_path($home_cfg['home_path'], $_SESSION[$cwd_session_key]);
+ if ($testPath === false)
+ {
+ $_SESSION[$cwd_session_key] = '';
+ }
+ }
+
$downloads_folder = "modules/litefm/downloads";
if(isset($_GET['remove_did']))
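Review bot: `$cwd_session_key` is built from `$home_id`, but no assignment of `$home_id` is visible in this hunk, and fm_write.php needed a new `$home_id = $home_cfg['home_id'];` line in the same commit. If it is not set earlier in this function, the key becomes `'fm_cwd_'` and the check never sees the real entry. Please confirm, or add the same assignment before this block. Unlike the other three files the reset here prints nothing; a short comment such as `// no notice here: this request serves a download` (if that is the reason) would document the difference. The start of exec_ogp_module is outside the hunk.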
@@ -82,7 +93,13 @@ function exec_ogp_module()
set_time_limit(0);
$remote = new OGPRemoteLibrary($home_cfg['agent_ip'], $home_cfg['agent_port'], $home_cfg['encryption_key'], $home_cfg['timeout']);
$fp = fopen("$downloads_folder/$did", "w");
- $_SESSION['download'][$did]['offset'] = $remote->remote_get_file_part($home_cfg['home_path']."/".$_SESSION['download'][$did]['fileph'], $_SESSION['download'][$did]['offset'], $data);
+ $filePath = litefm_safe_join_home_path($home_cfg['home_path'], isset($_SESSION['download'][$did]['fileph']) ? $_SESSION['download'][$did]['fileph'] : '');
+ if ($filePath === false)
+ {
+ print_failure("Invalid file path");
+ return;
+ }
+ $_SESSION['download'][$did]['offset'] = $remote->remote_get_file_part($filePath, $_SESSION['download'][$did]['offset'], $data);
if($_SESSION['download'][$did]['offset'] != -1)
fwrite($fp,$data);
fclose($fp);
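Review bot: The new `return` on an invalid path runs after `fopen("$downloads_folder/$did", "w")` on the line just above the added code, so the handle is never closed and an empty, truncated file is left in the downloads folder. Validate first: move the `$filePath = litefm_safe_join_home_path(...)` check above the `$fp = fopen(...)` line, or at minimum call `fclose($fp);` before `return;`. The `$_SESSION['download'][$did]` entry is presumably stale at that point as well; whether it should be cleared depends on code outside the hunk.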