Fix security issues
hamidsamak committed Oct 1, 2021
1 parent b030f62 commit 69a79e3
Showing 1 changed file with 33 additions and 15 deletions.
48 changes: 33 additions & 15 deletions pheditor.php
Expand Up @@ -186,9 +186,9 @@
if (isset($_GET['path'])) {
header('Content-Type: application/json');

$dir = rtrim(MAIN_DIR . DS . trim($_GET['path'], '/'), '/');
$dir = realpath(rtrim(MAIN_DIR . DS . trim($_GET['path'], '/'), '/'));

if (file_exists($dir) === false || is_dir($dir) === false) {
if (file_exists($dir) === false || is_dir($dir) === false || strpos($dir, MAIN_DIR) !== 0) {
die('[]');
}

Expand Down Expand Up @@ -253,6 +253,13 @@
} else if (isset($_POST['action'])) {
header('Content-Type: application/json');

$post_token = $_POST['token'] ?? null;
$session_token = $_SESSION['pheditor_token'] ?? null;

if (empty($post_token) || $post_token != $session_token) {
die(json_error('Invalid token. Please reload the page.'));
}

if (isset($_POST['file']) && empty($_POST['file']) === false) {
$_POST['file'] = urldecode($_POST['file']);

Expand Down Expand Up @@ -546,7 +553,7 @@
function redirect($address = null)
{
if (empty($address)) {
$address = $_SERVER['PHP_SELF'];
$address = $_SERVER['SCRIPT_NAME'];
}

header('Location: ' . $address);
Expand Down Expand Up @@ -607,6 +614,8 @@ function json_success($message, $params = [])
], $params), JSON_UNESCAPED_UNICODE);
}

$_SESSION['pheditor_token'] = bin2hex(random_bytes(32));

?>
<!DOCTYPE html>
<html>
Expand Down Expand Up @@ -878,7 +887,8 @@ function json_success($message, $params = [])
last_keyup_press = false,
last_keyup_double = false,
terminal_history = 1,
jstree_hashchange = true;
jstree_hashchange = true,
token = "<?= $_SESSION['pheditor_token'] ?>";

function alertBox(title, message, color) {
iziToast.show({
Expand Down Expand Up @@ -948,7 +958,7 @@ function getCookie(name) {
core: {
data: {
url: function(node) {
return node.id == "#" ? "<?= $_SERVER['PHP_SELF'] ?>?path=" : "<?= $_SERVER['PHP_SELF'] ?>?path=" + node.a_attr["data-dir"];
return node.id == "#" ? "<?= $_SERVER['SCRIPT_NAME'] ?>?path=" : "<?= $_SERVER['SCRIPT_NAME'] ?>?path=" + node.a_attr["data-dir"];
}
}
},
Expand Down Expand Up @@ -981,7 +991,7 @@ function getCookie(name) {
var password = prompt("Please enter new password:");

if (password != null && password.length > 0) {
$.post("<?= $_SERVER['PHP_SELF'] ?>", {
$.post("<?= $_SERVER['SCRIPT_NAME'] ?>", {
action: "password",
password: password
}, function(data) {
Expand All @@ -1005,8 +1015,9 @@ function getCookie(name) {
file = path.substring(0, path.lastIndexOf("/") + 1) + name;
}

$.post("<?= $_SERVER['PHP_SELF'] ?>", {
$.post("<?= $_SERVER['SCRIPT_NAME'] ?>", {
action: "save",
token: token,
file: file,
data: ""
}, function(data) {
Expand Down Expand Up @@ -1041,8 +1052,9 @@ function getCookie(name) {
dir = path.substring(0, path.lastIndexOf("/") + 1) + name;
}

$.post("<?= $_SERVER['PHP_SELF'] ?>", {
$.post("<?= $_SERVER['SCRIPT_NAME'] ?>", {
action: "make-dir",
token: token,
dir: dir
}, function(data) {
alertBox(data.error ? "Error" : "Success", data.message, data.error ? "red" : "green");
Expand All @@ -1068,8 +1080,9 @@ function getCookie(name) {
if (path.length > 0) {
$("#digest").val(sha512(data));

$.post("<?= $_SERVER['PHP_SELF'] ?>", {
$.post("<?= $_SERVER['SCRIPT_NAME'] ?>", {
action: "save",
token: token,
file: path,
data: data
}, function(data) {
Expand All @@ -1091,8 +1104,9 @@ function getCookie(name) {

if (path.length > 0) {
if (confirm("Are you sure to delete this file?")) {
$.post("<?= $_SERVER['PHP_SELF'] ?>", {
$.post("<?= $_SERVER['SCRIPT_NAME'] ?>", {
action: "delete",
token: token,
path: path
}, function(data) {
alertBox(data.error ? "Error" : "Success", data.message, data.error ? "red" : "green");
Expand Down Expand Up @@ -1126,8 +1140,9 @@ function getCookie(name) {
var name = prompt("Please enter new name:", new_file_name);

if (name != null && name.length > 0) {
$.post("<?= $_SERVER['PHP_SELF'] ?>", {
$.post("<?= $_SERVER['SCRIPT_NAME'] ?>", {
action: "rename",
token: token,
path: path,
name: name
}, function(data) {
Expand Down Expand Up @@ -1247,8 +1262,9 @@ function getCookie(name) {
if (file.length > 0) {
$("#loading").fadeIn(250);

$.post("<?= $_SERVER['PHP_SELF'] ?>", {
$.post("<?= $_SERVER['SCRIPT_NAME'] ?>", {
action: "open",
token: token,
file: encodeURIComponent(hash)
}, function(data) {
if (data.error == true) {
Expand Down Expand Up @@ -1348,7 +1364,7 @@ function getCookie(name) {
}

$.ajax({
url: "<?= $_SERVER['PHP_SELF'] ?>",
url: "<?= $_SERVER['SCRIPT_NAME'] ?>",
data: formdata ? formdata : form.serialize(),
cache: false,
contentType: false,
Expand Down Expand Up @@ -1399,8 +1415,9 @@ function getCookie(name) {

setCookie("terminal_commands", JSON.stringify(terminal_commands));

$.post("<?= $_SERVER['PHP_SELF'] ?>", {
$.post("<?= $_SERVER['SCRIPT_NAME'] ?>", {
action: "terminal",
token: token,
command: _val,
dir: terminal_dir
}, function(data) {
Expand Down Expand Up @@ -1621,7 +1638,7 @@ function getCookie(name) {
<label class="custom-control-label" for="dark_mode"><i class="far fa-moon"></i></label>
</div>

<?php if (in_array('changepassword', $permissions)) { ?><a href="javascript:void(0);" class="change-password btn btn-sm btn-primary"><i class="fas fa-key"></i></a> &nbsp; <?php } ?><a href="<?= $_SERVER['PHP_SELF'] ?>?logout=1" class="btn btn-sm btn-danger"><i class="fas fa-sign-out-alt"></i></a>
<?php if (in_array('changepassword', $permissions)) { ?><a href="javascript:void(0);" class="change-password btn btn-sm btn-primary"><i class="fas fa-key"></i></a> &nbsp; <?php } ?><a href="<?= $_SERVER['SCRIPT_NAME'] ?>?logout=1" class="btn btn-sm btn-danger"><i class="fas fa-sign-out-alt"></i></a>
</div>
</div>
</div>
Expand Down Expand Up @@ -1678,6 +1695,7 @@ function getCookie(name) {

<form method="post">
<input name="action" type="hidden" value="upload-file">
<input name="token" type="hidden" value="<?= $_SESSION['pheditor_token'] ?>">
<input name="destination" type="hidden" value="">

<div class="modal fade" id="uploadFileModal">
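Review bot: The containment check added to the `path` handler (`strpos($dir, MAIN_DIR) !== 0`) is a bare string-prefix test, so a sibling directory whose name merely starts with `MAIN_DIR` (say `/srv/app2` when `MAIN_DIR` is `/srv/app`) still passes; compare against a separator-terminated, canonicalised prefix instead: `$base = rtrim(realpath(MAIN_DIR), DS) . DS;` then `if ($dir === false || strpos($dir . DS, $base) !== 0) { die('[]'); }` (whether `MAIN_DIR` is already canonical is not visible here, so the `realpath` is defensive). The new token check uses loose `!=`; `is_string($post_token) && hash_equals($session_token, $post_token)` (with `$session_token` defaulting to `''` rather than `null`) is the idiomatic constant-time comparison and also removes the `empty()` special case. Separately, the `password` request further down (`$.post(..., { action: "password", password: password })`) was not given `token: token`, so unless that action is handled outside the `isset($_POST['action'])` branch, whose handlers are not in view, it will now be rejected with `Invalid token`. Since `$_SESSION['pheditor_token']` is regenerated on every full page render, requests from an older tab will fail once a newer one loads; if that is intended, a one-line comment at the assignment would save the next reader from treating it as a bug.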
