From bb95677c48144c212ca7abad52a04bbe0174ce8c Mon Sep 17 00:00:00 2001
From: Hamid
Date: Fri, 8 Oct 2021 07:08:03 +0330
Subject: [PATCH] Fix security issue for deleting arbitrary files

---
 pheditor.php | 23 +++++++++++++++++++++--
 1 file changed, 21 insertions(+), 2 deletions(-)

diff --git a/pheditor.php b/pheditor.php
index 929b773..b4c7092 100755
--- a/pheditor.php
+++ b/pheditor.php
@@ -192,7 +192,7 @@
 $dir = realpath(rtrim(MAIN_DIR . DS . trim($_GET['path'], '/'), '/'));
- if (file_exists($dir) === false || is_dir($dir) === false || strpos($dir, MAIN_DIR) !== 0) {
+ if ($dir === false || check_path($dir) !== true) {
 die('[]');
 }
@@ -380,7 +380,7 @@
 break;
 case 'delete':
- if (isset($_POST['path']) && file_exists(MAIN_DIR . $_POST['path'])) {
+ if (isset($_POST['path']) && file_exists(MAIN_DIR . $_POST['path']) && check_path(MAIN_DIR . $_POST['path'])) {
 $path = MAIN_DIR . $_POST['path'];
 if ($_POST['path'] == '/') {
@@ -400,6 +400,10 @@
 echo json_success('Directory deleted successfully');
 }
 } else {
+ if (empty(PATTERN_FILES) === false && !preg_match(PATTERN_FILES, basename($_POST['path']))) {
+ die(json_error('Invalid file patterna'));
+ }
+
 file_to_history($path);
 if (is_writable($path)) {
@@ -618,6 +622,21 @@ function json_success($message, $params = [])
 ], $params), JSON_UNESCAPED_UNICODE);
 }
+function check_path($path, $check_existence = true)
+{
+ if ($check_existence === false) {
+ $path = dirname($path);
+ }
+
+ $real_path = realpath($path);
+
+ if (strpos($real_path, MAIN_DIR) === 0) {
+ return true;
+ }
+
+ return false;
+}
+
 $_SESSION['pheditor_token'] = bin2hex(random_bytes(32));
 ?>
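Review bot: The rewritten guard in the first hunk drops the `is_dir($dir) === false` test that the removed line carried, so a `path` value that resolves to a regular file inside MAIN_DIR now passes into whatever follows the hunk, which presumably enumerates a directory but is outside this view. A false return from `realpath()` already covers non-existence, but existing is not the same as being a directory. Keeping the type check restores the previous contract: `if ($dir === false || is_dir($dir) === false || check_path($dir) !== true) {`. The enclosing block starts before this hunk and continues after it.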
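Review bot: In the `case 'delete':` hunk the condition builds `MAIN_DIR . $_POST['path']` twice and the line after it builds the same string a third time into `$path`; assigning once before the test keeps the string that was checked and the string that is later deleted provably identical and reads more easily, e.g. `$path = isset($_POST['path']) ? MAIN_DIR . $_POST['path'] : null;` followed by `if ($path !== null && file_exists($path) && check_path($path)) {`. This assumes nothing in the unseen `else` branch relies on `$path` being unset. The `switch` that holds this case begins before the hunk and continues after it.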
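Review bot: The new error message in the third hunk has a typo, `'Invalid file patterna'`; it is emitted to the client through `json_error()`, so it should read `die(json_error('Invalid file pattern'));`. Applying the PATTERN_FILES check only in the file branch (after the directory branch has been handled) is the right placement for a filename rule. The surrounding `else` and the `delete` case both start before this hunk and continue after it.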
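Review bot: In the new `check_path()` the test `strpos($real_path, MAIN_DIR) === 0` is a bare string-prefix comparison, so a sibling directory whose name merely starts with MAIN_DIR's (for example `<MAIN_DIR>-old`) is treated as inside the tree, and when `realpath()` returns false the comparison silently runs on a coerced empty string instead of failing explicitly. The `$check_existence === false` mode also trusts the final path component: `dirname()` strips it before resolving, so a basename of `..` or `.` passes even though the full path denotes the parent; no caller in this diff uses that mode, so it may only matter for code outside the hunk. Anchoring the comparison on the base plus a trailing DS (DS is already defined, see the first hunk), returning early on a false `realpath()`, and rejecting dot components in the dirname mode addresses all three while keeping the same signature and boolean return. This assumes MAIN_DIR is itself canonical (no trailing separator, no symlink components) — confirm where it is defined.
```php
function check_path($path, $check_existence = true)
{
    if ($check_existence === false) {
        // The last component is not resolved in this mode, so it must be a plain name.
        $name = basename($path);
        if ($name === '' || $name === '.' || $name === '..') {
            return false;
        }
        $path = dirname($path);
    }

    $real_path = realpath($path);
    if ($real_path === false) {
        return false;
    }

    // Accept the base directory itself or a path strictly below it; a bare prefix
    // test would also accept a sibling such as "<MAIN_DIR>-old".
    $base = rtrim(MAIN_DIR, DS);

    return $real_path === $base || strpos($real_path, $base . DS) === 0;
}
```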