diff --git a/changelog.txt b/changelog.txt
index 53b4e96f..d0061a5a 100644
--- a/changelog.txt
+++ b/changelog.txt
@@ -1,5 +1,11 @@
Responsive Filemanager Changelog
+*********************************************************
+* RFM 9.12.2
+*********************************************************
+- fixed a security vulnerability (thanks to sashaptrw)
+- fixed other minor problems
+
*********************************************************
* RFM 9.12.1
*********************************************************
diff --git a/filemanager/dialog.php b/filemanager/dialog.php
index b5156fe2..3ee97b41 100644
--- a/filemanager/dialog.php
+++ b/filemanager/dialog.php
@@ -43,15 +43,14 @@
$subdir_path = '';
if (isset($_GET['fldr']) && !empty($_GET['fldr'])) {
- $subdir_path = rawurldecode(trim(strip_tags($_GET['fldr']),"/") ."/");
+ $subdir_path = rawurldecode(trim(strip_tags($_GET['fldr']),"/"));
}
-
if (strpos($subdir_path,'../') === FALSE
&& strpos($subdir_path,'./') === FALSE
&& strpos($subdir_path,'..\\') === FALSE
&& strpos($subdir_path,'.\\') === FALSE)
{
- $subdir = $subdir_path;
+ $subdir = strip_tags($subdir_path) ."/";
$_SESSION['RF']["filter"]='';
}
else { $subdir = ''; }
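Review bot: The traversal test now runs before the trailing `/` is appended (L33), whereas the removed L23 appended it before the test, so a value whose last component is `..` with no trailing separator contains none of the four substrings checked at L27-L30 and still ends up as `.../` in `$subdir`. Either test the string that is actually used, e.g. `$subdir_path = rawurldecode(trim(strip_tags($_GET['fldr']), "/")) . "/";` with the `."/"` dropped from L33, or replace the substring tests with a component check such as `in_array('..', explode('/', str_replace('\\', '/', $subdir_path)), true)`. A short comment stating that `$subdir` must stay relative to the configured root and why the check happens after `rawurldecode` would help the next maintainer keep the order intact.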
@@ -236,8 +235,15 @@
$extensions=null;
if (isset($_GET['extensions'])){
$extensions = json_decode(urldecode($_GET['extensions']));
+ $ext_tmp = array();
+ foreach($extensions as $extension){
+ $extension = fix_strtolower($extension);
+ if(in_array( $extension, $config['ext'])){
+ $ext_tmp[]=$extension;
+ }
+ }
if($extensions){
- $ext = $extensions;
+ $ext = $ext_tmp;
$show_filter_buttons = false;
}
}
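Review bot: `$extensions` at L40 is whatever `json_decode` returns, and the new `foreach` at L42 assumes it is an array; a scalar, an object or a decode failure (`null`) produces a warning and skips the filtering, and a non-string element reaches `fix_strtolower`. Wrap the loop in `if (is_array($extensions)) {` and skip non-string entries with `if (!is_string($extension)) { continue; }`, and pass `true` to `in_array` at L44 so the comparison against `$config['ext']` is strict. Note also that L48 still tests the raw `$extensions` rather than `$ext_tmp`, so an input where every entry was rejected sets `$ext` to an empty list; if that is the intended outcome a one-line comment saying so would prevent it being "fixed" later.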
@@ -978,8 +984,13 @@ function extensionSort($x, $y) {
foreach ($files as $nu=>$file_array) {
$file=$file_array['file'];
- if($file == '.' || $file == '..' || $file_array['extension']==trans('Type_dir') || in_array($file, $hidden_files) || !in_array(fix_strtolower($file_array['extension']), $ext) || ($filter!='' && $n_files>$file_number_limit_js && stripos($file,$filter)===false))
+ if($file == '.' || $file == '..' || $file_array['extension']==trans('Type_dir') || !in_array(fix_strtolower($file_array['extension']), $ext) || ($filter!='' && $n_files>$file_number_limit_js && stripos($file,$filter)===false))
continue;
+ foreach ( $hidden_files as $hidden_file ) {
+ if ( fnmatch($hidden_file, $file, FNM_PATHNAME) ) {
+ continue 2;
+ }
+ }
$filename=substr($file, 0, '-' . (strlen($file_array['extension']) + 1));
if(!$ftp){
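Review bot: `fnmatch` at L61 is case-sensitive unless `FNM_CASEFOLD` is passed, so with the change from exact `in_array` matching to glob matching an entry like `.htaccess` in `$hidden_files` no longer hides `.HTACCESS` on case-insensitive filesystems; if the list is meant to hide regardless of case use `FNM_PATHNAME | FNM_CASEFOLD`. The semantics of the config list also changed from literal names to shell wildcards, so existing entries containing `*`, `?` or `[` now behave as patterns; a comment above the loop such as `// $hidden_files entries are shell globs (fnmatch), matched against the bare file name` would document that. The enclosing `foreach` over `$files` continues past the end of the hunk.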
@@ -1031,8 +1042,6 @@ function extensionSort($x, $y) {
if(!file_exists($src_thumb) ){
if(!create_img($file_path, $creation_thumb_path, 122, 91,'crop',$config)){
$src_thumb=$mini_src="";
- }else{
- new_thumbnails_creation($current_path.$rfm_subfolder.$subdir,$file_path,$file,$current_path,$config);
}
}
//check if is smaller than thumb
@@ -1129,7 +1138,7 @@ function extensionSort($x, $y) {
-
+
"
diff --git a/filemanager/lang/ca.php b/filemanager/lang/ca.php
index 350eca8e..3faf1370 100644
--- a/filemanager/lang/ca.php
+++ b/filemanager/lang/ca.php
@@ -23,9 +23,9 @@
'Preview' => 'Vista prèvia',
'Download' => 'Descarregar',
'Insert_Folder_Name' => 'Nom de la carpeta:',
- 'Root' => 'arrel',
+ 'Root' => 'Arrel',
'Rename' => 'Renombrar',
- 'Back' => 'enrere',
+ 'Back' => 'Tornar',
'View' => 'Vista',
'View_list' => 'Vista de llista',
'View_columns_list' => 'Vista de columnes',
@@ -38,30 +38,10 @@
'Text_filter' => 'filtre de text',
'Swipe_help' => 'Deslize el nom de l\'arxiu/carpeta per mostrar les opcions',
'Upload_base' => 'Pujada d\'arxius SIMPLE',
- 'Upload_base_help' => "Drag & Drop files(modern browsers) or click in upper button to Add the file(s) and click on Start upload. When the upload is complete, click the 'Return to files list' button.",
- 'Upload_add_files' => 'Add file(s)',
- 'Upload_start' => 'Start upload',
- 'Upload_error_messages' =>array(
- 1 => 'The uploaded file exceeds the upload_max_filesize directive in php.ini',
- 2 => 'The uploaded file exceeds the MAX_FILE_SIZE directive that was specified in the HTML form',
- 3 => 'The uploaded file was only partially uploaded',
- 4 => 'No file was uploaded',
- 6 => 'Missing a temporary folder',
- 7 => 'Failed to write file to disk',
- 8 => 'A PHP extension stopped the file upload',
- 'post_max_size' => 'The uploaded file exceeds the post_max_size directive in php.ini',
- 'max_file_size' => 'File is too big',
- 'min_file_size' => 'File is too small',
- 'accept_file_types' => 'Filetype not allowed',
- 'max_number_of_files' => 'Maximum number of files exceeded',
- 'max_width' => 'Image exceeds maximum width',
- 'min_width' => 'Image requires a minimum width',
- 'max_height' => 'Image exceeds maximum height',
- 'min_height' => 'Image requires a minimum height',
- 'abort' => 'File upload aborted',
- 'image_resize' => 'Failed to resize image'
- ),
- 'Upload_url' => 'From url',
+ 'Upload_java' => 'Pujada d\'arxius JAVA (para arxius pesats)',
+ 'Upload_url' => 'URL',
+ 'Upload_java_help' => "Si el applet no carrega: 1. Assegura't de tenir Java instal·lat; sinó descarrega-ho i instal·la-ho des d'aquí 2. Assegura't que el teu firewall no estigui bloquejant res.",
+ 'Upload_base_help' => "Arrossega i deixa anar els arxius dins d'aquesta àrea o faci clic en ella (per a navegadors moderns) en cas contrari, seleccioni l'arxiu i faci clic en el botó. Quan finalitzi la pujada, faci clic en el botó superior per tornar.",
'Type_dir' => 'Carpeta',
'Type' => 'Tipus',
'Dimension' => 'Dimensions',
@@ -78,45 +58,45 @@
'File_info' => 'Informació',
'Edit_image' => 'Editar imatge',
'Duplicate' => 'Duplicar',
- 'Folders' => 'Folders',
- 'Copy' => 'Copy',
- 'Cut' => 'Cut',
- 'Paste' => 'Paste',
+ 'Folders' => 'Carpetes',
+ 'Copy' => 'Copiar',
+ 'Cut' => 'Tallar',
+ 'Paste' => 'Enganxar',
'CB' => 'CB', // clipboard
- 'Paste_Here' => 'Paste to this directory',
- 'Paste_Confirm' => 'Are you sure you want to paste to this directory? This will overwrite existing files/folders if encountered any.',
- 'Paste_Failed' => 'Failed to paste file(s)',
- 'Clear_Clipboard' => 'Clear clipboard',
- 'Clear_Clipboard_Confirm' => 'Are you sure you want to clear the clipboard?',
- 'Files_ON_Clipboard' => 'There are files on the clipboard.',
- 'Copy_Cut_Size_Limit' => 'The selected files/folders are too big to %s. Limit: %d MB/operation', // %s = cut or copy
- 'Copy_Cut_Count_Limit' => 'You selected too many files/folders to %s. Limit: %d files/operation', // %s = cut or copy
- 'Copy_Cut_Not_Allowed' => 'You are not allowed to %s files.', // %s(1) = cut or copy, %s(2) = files or folders
- 'Aviary_No_Save' => 'Could not save image',
- 'Zip_No_Extract' => 'Could not extract. File might be corrupt.',
- 'Zip_Invalid' => 'This extension is not supported. Valid: zip, gz, tar.',
- 'Dir_No_Write' => 'The directory you selected is not writable.',
- 'Function_Disabled' => 'The %s function has been disabled by the server.', // %s = cut or copy
- 'File_Permission' => 'File permission',
- 'File_Permission_Not_Allowed' => 'Changing %s permissions are not allowed.', // %s = files or folders
- 'File_Permission_Recursive' => 'Apply recursively?',
- 'File_Permission_Wrong_Mode' => "The supplied permission mode is incorrect.",
- 'User' => 'User',
- 'Group' => 'Group',
- 'Yes' => 'Yes',
+ 'Paste_Here' => 'Enganxar en aquest directori',
+ 'Paste_Confirm' => 'Esteu segur que voleu enganxar en aquest directori? Això sobreescriurà arxius/carpetes existents si es troba cap igual.',
+ 'Paste_Failed' => 'No s’ha pogut enganxar els fitxers.',
+ 'Clear_Clipboard' => 'Netejar portapapers',
+ 'Clear_Clipboard_Confirm' => 'Esteu segur que voleu esborrar el portapapers?',
+ 'Files_ON_Clipboard' => 'Hi ha arxius al Portapapers.',
+ 'Copy_Cut_Size_Limit' => 'Els arxius/carpetes seleccionades són massa grans per %s. Limit: %d MB/operació', // %s = cut or copy
+ 'Copy_Cut_Count_Limit' => 'Heu seleccionat massa fitxers/carpetes a %s. Limit: %d arxiu/operació', // %s = cut or copy
+ 'Copy_Cut_Not_Allowed' => 'No te permisos per %s els arxius.', // %s(1) = cut or copy, %s(2) = files or folders
+ 'Aviary_No_Save' => 'No s’ha pogut desar la imatge.',
+ 'Zip_No_Extract' => 'No es pot extreure. L’Arxiu podria estar corrupte.',
+ 'Zip_Invalid' => 'Aquesta extensió no és suportada. Vàlid: zip, gz, tar.',
+ 'Dir_No_Write' => 'El directori seleccionat no te permisos d’escriptura.',
+ 'Function_Disabled' => 'La funció de %s no esta disponible al servidor.', // %s = cut or copy
+ 'File_Permission' => 'Permisos d’arxiu',
+ 'File_Permission_Not_Allowed' => 'La modificació dels permisos de %s no es permès.', // %s = files or folders
+ 'File_Permission_Recursive' => 'Aplicar recursivament?',
+ 'File_Permission_Wrong_Mode' => "El mode de permís subministrat és incorrecte..",
+ 'User' => 'Usuari',
+ 'Group' => 'Grup',
+ 'Yes' => 'Si',
'No' => 'No',
- 'Lang_Not_Found' => 'Could not find language.',
- 'Lang_Change' => 'Change the language',
- 'File_Not_Found' => 'Could not find the file.',
- 'File_Open_Edit_Not_Allowed' => 'You are not allowed to %s this file.', // %s = open or edit
- 'Edit' => 'Edit',
- 'Edit_File' => "Edit file's content",
- 'File_Save_OK' => "File successfully saved.",
- 'File_Save_Error' => "There was an error while saving the file.",
- 'New_File' => 'New File',
- 'No_Extension' => 'You have to add a file extension.',
- 'Valid_Extensions' => 'Valid extensions: %s', // %s = txt,log etc.
- 'Upload_message' => "Drop file here to upload",
+ 'Lang_Not_Found' => 'No es pot trobar l\'idioma.',
+ 'Lang_Change' => 'Modificar idioma',
+ 'File_Not_Found' => 'No s\'ha pogut trobar l\'arxiu.',
+ 'File_Open_Edit_Not_Allowed' => 'No tens permisos per obrir %s l\'arxiu.', // %s = open or edit
+ 'Edit' => 'Modificar',
+ 'Edit_File' => "Editar el contingut de l\'arxiu.",
+ 'File_Save_OK' => "Arxiu desat correctament.",
+ 'File_Save_Error' => "Hi ha hagut un error mentre es desava l\'arxiu.",
+ 'New_File' => 'Nou arxiu',
+ 'No_Extension' => 'Ha d\'afegir una extensió d\'arxiu.',
+ 'Valid_Extensions' => 'Extensions valides: %s', // %s = txt,log etc.
+ 'Upload_message' => "Arrossega arxiu aquí per carregar.",
'SERVER ERROR' => "SERVER ERROR",
'forbiden' => "Forbiden",
@@ -131,7 +111,7 @@
'no path' => "No path",
'no file' => "No file",
'view type number missing' => "View type number missing",
- 'Not enough Memory' => "Not enough Memory",
+ 'Not enought Memory' => "Not enought Memory",
'max_size_reached' => "Your image folder has reach its maximale size of %d MB.", //%d = max overall size
'B' => "B",
'KB' => "KB",
diff --git a/filemanager/upload.php b/filemanager/upload.php
index 565f5401..9b5db332 100755
--- a/filemanager/upload.php
+++ b/filemanager/upload.php
@@ -31,10 +31,12 @@
return;
}
-if (strpos($_POST["fldr"],'../') !== FALSE
- || strpos($_POST["fldr"],'./') !== FALSE
- || strpos($_POST["fldr"],'..\\') !== FALSE
- || strpos($_POST["fldr"],'.\\') !== FALSE )
+$fldr = rawurldecode(trim(strip_tags($_GET['fldr']),"/") ."/");
+
+if (strpos($fldr,'../') !== FALSE
+ || strpos($fldr,'./') !== FALSE
+ || strpos($fldr,'..\\') !== FALSE
+ || strpos($fldr,'.\\') !== FALSE )
{
response(trans('wrong path'.AddErrorLocation()))->send();
exit;
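Review bot: L233 reads `$_GET['fldr']` with no `isset` guard, so a request without the parameter raises an undefined-index notice and passes `null` to `strip_tags`, which is deprecated on PHP 8.1+; guard it with `$fldr = isset($_GET['fldr']) ? rawurldecode(trim(strip_tags($_GET['fldr']), "/") . "/") : '';`. The removed lines validated `$_POST["fldr"]` while the new check validates `$fldr` built from `$_GET['fldr']`; any later code in this file (outside the hunk) that still reads `$_POST['fldr']` would use a value this check never saw, so confirm the remainder of the file reads `$fldr` only. Appending the `/` before the check, as done here, is what makes a trailing `..` component detectable by the `../` test — worth a comment so the ordering is not lost in a future refactor.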
@@ -95,7 +97,8 @@
}
$extension = get_extension_from_mime($mime_type);
-if($extension=='so'){
+
+if($extension=='so' || $extension=='' || $mime_type == "text/troff"){
$extension = $info['extension'];
}
$_FILES['files']['name'][0] = fix_filename($info['filename'].".".$extension,$config);
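Review bot: The widened condition at L247 falls back to `$info['extension']`, which comes from the client-supplied file name, whenever the MIME sniff yields no extension or reports `text/troff`; unless a later check (not visible here) validates the final extension against the configured allow list, that fallback decides the stored extension from untrusted input. Prefer `===` for the string comparisons and add a comment explaining the special case, e.g. `// text/troff is a frequent false positive of MIME sniffing on plain text; fall back to the declared extension, which must still pass the extension allow-list check`, adjusting the last clause to match what the rest of the file actually does.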
diff --git a/package.json b/package.json
index a1268511..ac7adc3c 100755
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
{
"name": "ResponsiveFilemanager",
- "version": "9.12.0",
+ "version": "9.12.2",
"author": {
"name": "Alberto Peripolli",
"email": "info@albertoperipolli.com"