Merge pull request #513 from farisv/security-fix

Prevent upload dir deletion

filemanager/execute.php

@@ -123,27 +123,27 @@ function returnPaths($_path,$_name,$config){
 
 			break;
 		case 'delete_folder':
-			if ($config['delete_folders'] && !empty($path) && !empty($path_thumb)){
+			if ($config['delete_folders']){
 
 				if($ftp){
 					deleteDir($path,$ftp,$config);
 					deleteDir($path_thumb,$ftp,$config);
 				}else{
 					if (is_dir($path_thumb))
 					{
-						deleteDir($path_thumb);
+						deleteDir($path_thumb,NULL,$config);
 					}
 
 					if (is_dir($path))
 					{
-						deleteDir($path);
+						deleteDir($path,NULL,$config);
 						if ($config['fixed_image_creation'])
 						{
 							foreach($config['fixed_path_from_filemanager'] as $k=>$paths){
 								if ($paths!="" && $paths[strlen($paths)-1] != "/") $paths.="/";
 
 								$base_dir=$paths.substr_replace($path, '', 0, strlen($config['current_path']));
-								if (is_dir($base_dir)) deleteDir($base_dir);
+								if (is_dir($base_dir)) deleteDir($base_dir,NULL,$config);
 							}
 						}
 					}
@@ -164,7 +164,7 @@ function returnPaths($_path,$_name,$config){
 			}
 			break;
 		case 'rename_folder':
-			if ($config['rename_folders'] && !empty($path) && !empty($path_thumb)){
+			if ($config['rename_folders']){
                 if(!is_dir($path)) {
                     response(trans('wrong path').AddErrorLocation())->send();
                     exit;
@@ -258,7 +258,7 @@ function returnPaths($_path,$_name,$config){
 
 			break;
 		case 'rename_file':
-			if ($config['rename_files'] && !empty($path) && !empty($path_thumb)){
+			if ($config['rename_files']){
 				$name=fix_filename($name,$config);
 				if (!empty($name))
 				{

filemanager/include/utils.php

@@ -125,6 +125,24 @@ function checkRelativePath($path){
     return $path_correct;
 }
 
+/**
+* Check if the given path is an upload dir based on config
+*
+* @param  string  $path
+* @param  array $config
+*
+* @return boolean is it an upload dir?
+*/
+function isUploadDir($path, $config){
+	$upload_dir = $config['current_path'];
+	$thumbs_dir = $config['thumbs_base_path'];
+	if (realpath($path) === realpath($upload_dir) || realpath($path) === realpath($thumbs_dir))
+	{
+		return true;
+	}
+	return false;
+}
+
 /**
 * Delete file
 *
@@ -202,7 +220,7 @@ function deleteDir($dir,$ftp = null, $config = null)
 		}
 
 	}else{
-		if ( ! file_exists($dir))
+		if ( ! file_exists($dir) || isUploadDir($dir, $config))
 		{
 			return false;
 		}
@@ -250,7 +268,7 @@ function duplicate_file( $old_path, $name, $ftp = null, $config = null )
 			return null;
 		}
 	}else{
-		if (file_exists($old_path))
+		if (file_exists($old_path) && is_file($old_path))
 		{
 			if (file_exists($new_path) && $old_path == $new_path)
 			{
@@ -284,7 +302,7 @@ function rename_file($old_path, $name, $ftp = null, $config = null)
 			return false;
 		}
 	}else{
-		if (file_exists($old_path))
+		if (file_exists($old_path) && is_file($old_path))
 		{
 			$new_path = $info['dirname'] . "/" . $name . "." . $info['extension'];
 			if (file_exists($new_path) && $old_path == $new_path)
@@ -333,13 +351,12 @@ function rename_folder($old_path, $name, $ftp = null, $config = null)
 			return $ftp->rename("/".$old_path, "/".$new_path);
 		}
 	}else{
-		if (file_exists($old_path))
+		if (file_exists($old_path) && is_dir($old_path) && !isUploadDir($old_path, $config))
 		{
 			if (file_exists($new_path) && $old_path == $new_path)
 			{
 				return false;
 			}
-
 			return rename($old_path, $new_path);
 		}
 	}