diff --git a/README b/README old mode 100755 new mode 100644 index 329db2e..c8cc7ac --- a/README +++ b/README @@ -1,13 +1,20 @@ --- SOFM --- -SOFM (Simple online file manager) is a file manager written in PHP. +SOFM (Simple online file manager) is a file manager written in PHP. This software is released under the GPLv3. --- Usage --- -*Extract SOFM anywhere and chmod 776 users/ +*Extract SOFM anywhere and chmod 776 users/ *Modify config.php to your standards. *Connect to SOFM from any web browser. --- Changelog --- +11/22/2020 - v1.2.1 +*CSS modifications +*Directory creation bug fixes +*Redirection fixes, navigation bar modifications +*Check for directory backspacing (..) +*Added file mimetypes for upload (extensions included) + 11/4/2020 - v1.1.0 *Other subtle CSS changes, W3S verified *Fixed some mimetypes, and added file extensions to database @@ -21,4 +28,4 @@ This software is released under the GPLv3. *Modified header / footer files from parsing text to parsing via php for usage of the server side functions --- Licensing and copyright: -(C) Copyright 2014 Chris Dorman - Some rights reserved +(C) Copyright 2014-2020 Chris Dorman - Some rights reserved diff --git a/config.php b/config.php index 8b6a83d..f25827d 100755 --- a/config.php +++ b/config.php @@ -1,18 +1,18 @@ diff --git a/ctrl.php b/ctrl.php index c77040c..7048ad4 100755 --- a/ctrl.php +++ b/ctrl.php @@ -22,6 +22,8 @@ if($password!=$user_password) header("Location: index.php"); } +$strlength = "60"; + // Check to see if someone is backtracking in pathfinder if(isset($_GET['p'])) { @@ -44,11 +46,11 @@ if(isset($_GET['f'])) if(isset($_GET['p'])) { $path = $_GET['p']; - header("Location: users/$username/$path/$file"); + header("Location: https://ho.st.us.to/$username/$path/$file"); } else { - header("Location: users/$username/$file"); + header("Location: https://ho.st.us.to/$username/$file"); } } 
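Review bot: `$strlength = "60";` in the @@ -22 hunk stores what its name calls a length as a quoted string, and nothing in this hunk reads the variable, so its purpose is not visible here. If it is consumed as a numeric limit further down, an integer literal plus a short comment naming what it bounds would make the intent clear at the declaration, e.g. `$strlength = 60; // max length of [what it limits]`.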
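Review bot: The two `header("Location: https://ho.st.us.to/$username/...")` lines in the @@ -44 hunk hard-code a deployment host into the controller, while the same commit also edits config.php; a base-URL setting read from there would keep the address out of ctrl.php and make the redirect testable on another host. `$username`, `$path` and `$file` are also concatenated into the URL without encoding, so a value containing `#`, `?` or a space changes where the browser is sent; applying `rawurlencode` to each path segment before interpolation keeps the target exact. The enclosing `if(isset($_GET['f']))` block begins before this hunk, so I cannot see whether `$_GET['f']` receives the same `..` check that `p` gets above.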
@@ -312,15 +314,25 @@ EOD; $dirname = $_POST['dirname']; $badchars = array("*", "'", "\"", "(", ")", "[", "]", "#", "$", "@", "!", "%", "^", "|", "+", "&", "="); $dirname = stripslashes(htmlentities(str_replace($badchars, '', $dirname))); + + if(stristr($dirname, "..") == true) + { + header("Location: ctrl.php?action=backtracking_error"); + } + if(file_exists("users/$username/$path/$dirname")) { echo "Error: Directory exists."; } else { - mkdir("users/$username/$path/$dirname", 0777); - //file_put_contents("users/$username/$path/$dirname/index.html", ""); - header("Location: ctrl.php?p=$path"); + if(!preg_match("/^[A-Za-z0-9-_]+$/", $dirname)) { + echo "Only characters A-Z, 0-9, '_' and '-' in directory names"; + } else { + mkdir("users/$username/$path/$dirname", 0777); + //file_put_contents("users/$username/$path/$dirname/index.html", ""); + header("Location: ctrl.php?p=$path"); + } } } } @@ -335,9 +347,13 @@ EOD; } else { - mkdir("users/$username/$dirname", 0777); - //file_put_contents("users/$username/$dirname/index.html", ""); - header("Location: ctrl.php"); + if(!preg_match("/^[A-Za-z0-9-_]+$/", $dirname)) { + echo "Characters only A-Z, 0-9, '_' and '-' in directory names"; + } else { + mkdir("users/$username/$dirname", 0777); + //file_put_contents("users/$username/$dirname/index.html", ""); + header("Location: ctrl.php"); + } } } } @@ -361,7 +377,7 @@ EOD; if(is_dir("users/$username/$path")) { if(isset($_GET['rf'])) { - $file = $_GET['rf']; + $file = stripslashes(htmlentities($_GET['rf'])); if(stristr($file, "..") == true) { header("Location: ctrl.php?action=backtracking_error"); @@ -375,7 +391,7 @@ EOD; { file_put_contents("users/$username.usage", $usage); unlink("users/$username/$path/$file"); - header("Location: ctrl.php"); + header("refresh: 0,url=ctrl.php?p=$path"); } else { 
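Review bot: The new `..` check in the @@ -312 hunk emits a redirect header but does not stop the script, so execution falls through into the `file_exists` test and the `echo` below with the rejected name; add `exit;` directly after `header("Location: ctrl.php?action=backtracking_error");`. The whitelist `preg_match("/^[A-Za-z0-9-_]+$/", $dirname)` is repeated in the @@ -335 hunk with a differently worded message, so a single small helper shared by both branches would keep the rule and its error text in one place. In that pattern `$` still matches before a trailing newline, which none of the preceding `str_replace`/`htmlentities` steps remove, so `\z` (or the `D` modifier) closes that gap, and writing the class as `[A-Za-z0-9_-]` avoids the hyphen looking like a range bound.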
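Review bot: `$file = stripslashes(htmlentities($_GET['rf']));` in the @@ -361 hunk applies an HTML output encoding to a value that is used as a filesystem path, not rendered: a name containing `&` or a quote becomes `&amp;` or `&#039;`, so the later `unlink("users/$username/$path/$file")` addresses a different file, while the traversal protection still comes entirely from the `..` check that follows. A filesystem input wants a filename rule instead, for example rejecting anything with a directory separator (`if ($file !== basename($file)) { ... }`) or the same character whitelist the directory-creation code uses, with `htmlentities` reserved for the point where the name is printed. The same wrapping appears in the @@ -387 and @@ -424 hunks; the enclosing `if(is_dir(...))` block closes outside this hunk.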
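Review bot: In the @@ -375 hunk `$path` is interpolated unencoded into `header("refresh: 0,url=ctrl.php?p=$path");`, so a path containing `&`, `#` or a space yields a different `p` on the next request than the one just used for `unlink`; `header("refresh: 0,url=ctrl.php?p=" . rawurlencode($path));` keeps the round trip exact. Replacing the `Location` redirect with a `refresh` header also means the response is delivered with a normal status and the browser displays whatever the script outputs before the reload; if that is the intended "redirection fix", a one-line comment stating why would save the next reader from reverting it. The same two headers occur in the @@ -387 hunk.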
@@ -387,15 +403,15 @@ EOD; }// Close rf check // }// Close is_dir check // - header("Location: ctrl.php"); + header("refresh: 0,url=ctrl.php?p=$path"); } - header("Location: ctrl.php"); + header("refresh: 0,url=ctrl.php?p=$path"); } else { if(isset($_GET['rf'])) { - $file = $_GET['rf']; + $file = stripslashes(htmlentities($_GET['rf'])); if(stristr($file, "..") == true) { header("Location: ctrl.php?action=backtracking_error"); @@ -424,7 +440,7 @@ EOD; if($action=="removedir") { if(isset($_GET['d'])) { - $dir = $_GET['d']; + $dir = stripslashes(htmlentities($_GET['d']));; if(stristr($dir, "..") == true) { header("Location: ctrl.php?action=backtracking_error"); @@ -464,7 +480,7 @@ else echo "
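Review bot: `$dir = stripslashes(htmlentities($_GET['d']));;` in the @@ -424 hunk ends with a doubled semicolon, which PHP accepts as an empty statement but which reads as a typo next to the otherwise uniform lines around it. Drop the extra one: `$dir = stripslashes(htmlentities($_GET['d']));`.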
+