*\r
*/\r
\r
-/* 1.0.8.1SP1RC3 2008-12-19-09:57(JP) cacher */\r
+/* 1.0.8.1SP1RC4 2008-12-22-18:30(JP) cacher */\r
\r
if (!defined('_MEDIA_PHP_DEFINED')) {\r
define('_MEDIA_PHP_DEFINED', 1);\r
\r
return $filelist;\r
}\r
+
+ /**
+ * checks if a collection exists with the given name, and if it's
+ * allowed for the currently logged in member to upload files to it
+ */
+ function isValidCollection($collectionName) {
+ global $member, $DIR_MEDIA;
+
+ // allow creating new private directory
+ if (preg_match('#^[0-9]+[/\\\\]?$#',$collectionName))
+ return ((int)$member->getID() == (int)$collectionName);
+
+ // avoid directory traversal
+ // note that preg_replace() is requred to remove the last "/" or "\" if exists
+ $media = realpath($DIR_MEDIA);
+ $media = preg_replace('#[/\\\\]+$#','',$media);
+ $collectionDir = realpath( $DIR_MEDIA . $collectionName );
+ $collectionDir = preg_replace('#[/\\\\]+$#','',$collectionDir);
+ if (strpos($collectionDir,$media)!==0 || $collectionDir == $media) return false;
+
+ // private collections only accept uploads from their owners
+ // The "+1" of "strlen($media)+1" corresponds to "/" or "\".
+ $collectionName=substr($collectionDir,strlen($media)+1);\r
+ $firstdir = strtok($collectionName,"/\\");
+/* if (preg_match('/^[0-9]+$/',$collectionName))
+ return ((int)$member->getID() == (int)$collectionName);*/
+ if (preg_match('/^[0-9]+$/',$firstdir))
+ return ((int)$member->getID() == (int)$firstdir);\r
+
+ // other collections should exists and be writable
+ return (@is_dir($collectionDir) && @is_writable($collectionDir));
+ }
+\r
}\r
\r
/*\r
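Review bot: The containment test at `if (strpos($collectionDir,$media)!==0 || $collectionDir == $media) return false;` only checks that the resolved path begins with the media root string, so a sibling directory whose name merely extends the root name (e.g. `<root>2` next to `<root>`) passes the check and the `substr(..., strlen($media)+1)` that follows then cuts into the wrong place. Require the separator as part of the prefix and handle the `false` that `realpath()` returns for a non-existent path explicitly: `if ($collectionDir === false || strpos($collectionDir, $media . DIRECTORY_SEPARATOR) !== 0) return false;` — the equality case is then rejected by the same test. The `@` on `is_dir`/`is_writable` in the final return suppresses warnings that would otherwise show why a collection was refused; both calls return `false` on a missing path without it, so the suppression can be dropped. On Windows `realpath()` may also normalise drive-letter case differently from `$DIR_MEDIA`, which would make the case-sensitive `strpos` reject valid paths — worth confirming on that platform.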
if (!$manager->checkTicket()) {\r
media_doError(_ERROR_BADTICKET);\r
}\r
+ $currentCollection = postVar('currentCollection');\r
+ $currentCollection = str_replace('\\','/',$currentCollection); // Avoid using "\" in Windows.\r
// Check if the collection is valid.\r
- if (!MEDIA::isValidCollection(postVar('currentCollection'))) media_doError(_ERROR_DISALLOWED);\r
+ if (!MEDIADIRS::isValidCollection($currentCollection)) media_doError(_ERROR_DISALLOWED);\r
// $mediapath = $DIR_MEDIA . $_POST[currentCollection] . "/";\r
- $mediapath = $DIR_MEDIA . postVar('currentCollection') . "/";\r
+ $mediapath = $DIR_MEDIA . $currentCollection . "/";\r
// switch ($_POST[myaction]) {//}\r
switch (postVar('myaction')) {\r
case _MEDIA_PHP_1:\r
// check file type against allowed types\r
// $newfilename = $_POST[newname];\r
$newfilename = postVar('newname');\r
- // T.Kosugi add 2006.9.1\r
+/* // T.Kosugi add 2006.9.1\r
if (stristr($newfilename, '%00')) {\r
media_doError(_MEDIA_PHP_38);\r
}\r
// T.Kosugi add end\r
+*/\r
+ if (strpos($newfilename,"\0") !== false) {\r
+ media_doError(_MEDIA_PHP_38);\r
+ }\r
$ok = 0;\r
$allowedtypes = explode (',', $CONF['AllowedTypes']);\r
foreach ($allowedtypes as $type) {\r
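Review bot: The superseded `stristr($newfilename, '%00')` check is kept as a commented-out block above the new `strpos($newfilename,"\0")` test instead of being deleted, which leaves dead code for the next reader to puzzle over; the same pattern appears at the second nul check on `$filename` further down. Since PHP already URL-decodes form input before `postVar()` sees it, testing for the raw nul byte is the right replacement and the old block can go. A one-line comment such as `// reject embedded nul bytes, which truncate paths in filesystem calls` would explain the test better than the retained history.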
$currentCollection = postVar('currentCollection');\r
}\r
// </ 080213 fix $_POST to postVar by shizuki>\r
+ $currentCollection = str_replace('\\','/',$currentCollection); // Avoid using "\" in Windows.\r
if (!$currentCollection || !@is_dir($DIR_MEDIA . $currentCollection)) {\r
$currentCollection = $member->getID();\r
}\r
\r
// avoid directory travarsal and accessing invalid directory\r
- if (!MEDIA::isValidCollection($currentCollection)) media_doError(_ERROR_DISALLOWED);\r
+ if (!MEDIADIRS::isValidCollection($currentCollection)) media_doError(_ERROR_DISALLOWED);\r
\r
media_head();\r
\r
global $CONF, $member, $manager;\r
\r
$currentCollection = requestVar('collection');\r
-\r
+ $currentCollection = str_replace('\\','/',$currentCollection); // Avoid using "\" in Windows.\r
+ // Check if the collection is valid.\r
+ if (!MEDIADIRS::isValidCollection($currentCollection)) media_doError(_ERROR_DISALLOWED);\r
// start modify by T.Kosugi 2006/08/26\r
// $collections = MEDIA::getCollectionList();\r
$collections = MEDIADIRS::getCollectionList();\r
</select>\r
<?php } else {\r
?>\r
- <input name="collection" type="hidden" value="<?php echo htmlspecialchars(requestVar('collection'))?>" />\r
+ <input name="collection" type="hidden" value="<?php echo htmlspecialchars($currentCollection)?>" />\r
<?php } // if sizeof\r
?>\r
<br /><br />\r
media_doError(_ERROR_BADREQUEST . ' (' . $fileerror . ')');\r
break;\r
}\r
-\r
+/*\r
// T.Kosugi add 2006.9.1\r
if (stristr($filename, '%00')) {\r
media_doError(_MEDIA_PHP_38);\r
}\r
// T.Kosugi add end\r
+*/\r
+ if (strpos($filename,"\0") !== false) {\r
+ media_doError(_MEDIA_PHP_38);\r
+ }\r
if ($filesize > $CONF['MaxUploadSize']) {\r
media_doError(_ERROR_FILE_TOO_BIG);\r
}\r
}\r
\r
$collection = requestVar('collection');\r
+ $collection = str_replace('\\','/',$collection); // Avoid using "\" in Windows.\r
+ // Check if the collection is valid.\r
+ if (!MEDIADIRS::isValidCollection($collection)) media_doError(_ERROR_DISALLOWED);\r
$res = MEDIA::addMediaObject($collection, $filetempname, $filename);\r
\r
if ($res != '') {\r
global $DIR_MEDIA, $member, $CONF, $manager;\r
if ($action == _MEDIA_PHP_ACTION_MKDIR || $action =='mkdir' ) {\r
$current = requestVar('mkdir_collection');\r
+ $current = str_replace('\\','/',$current); // Avoid using "\" in Windows.\r
+ // Check if the collection is valid.\r
+ if (!MEDIADIRS::isValidCollection($current)) media_doError(_ERROR_DISALLOWED);\r
$mkdirname = postVar('mkdirname');\r
if (!($mkdirname && $current)) {\r
media_select();\r
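Review bot: The added `MEDIADIRS::isValidCollection($current)` call validates only the parent collection; `$mkdirname`, read from `postVar('mkdirname')` on the next line, is not checked here, so a name containing a separator or `..` would still have to be rejected wherever the directory is actually created. That code is outside this hunk, so please confirm it restricts the new name to a single safe path component; if it does not, a check such as `if (preg_match('#[/\\\\]|^\.+$#', $mkdirname)) media_doError(_ERROR_DISALLOWED);` placed right after `$mkdirname = postVar('mkdirname');` would close the gap. The enclosing `if ($action == _MEDIA_PHP_ACTION_MKDIR ...)` branch continues outside the hunk.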
$action == 'rmdir') {\r
$rmdir_collection = postVar('rmdir_collection');\r
$rmdir_collection = str_replace('\\','/',$rmdir_collection); // Avoid using "\" in Windows.\r
+ // Check if the collection is valid.\r
+ if (!MEDIADIRS::isValidCollection($rmdir_collection)) media_doError(_ERROR_DISALLOWED);\r
$pathArray = explode('/', $rmdir_collection);\r
if ($pathArray[0] !== $member->getID()) {\r
media_doError(_MEDIA_PHP_39 . $pathArray[0] . ':' . $member->getID());\r
}\r
} else {\r
$current = requestVar('collection');\r
+ $current = str_replace('\\','/',$current); // Avoid using "\" in Windows.\r
+ // Check if the collection is valid.\r
+ if (!MEDIADIRS::isValidCollection($current)) media_doError(_ERROR_DISALLOWED);\r
$collections = MEDIADIRS::getPrivateCollectionList();\r
\r
media_head();\r
function media_loginAndPassThrough()\r
{\r
media_head();\r
+ $collection = requestVar('collection');\r
+ $collection = str_replace('\\','/',$collection); // Avoid using "\" in Windows.\r
+ // Check if the collection is valid.\r
+ if (!MEDIADIRS::isValidCollection($collection)) media_doError(_ERROR_DISALLOWED);\r
+\r
?>\r
<h1><?php echo _LOGIN_PLEASE?></h1>\r
\r
<form method="post" action="media.php">\r
<div>\r
<input name="action" value="login" type="hidden" />\r
- <input name="collection" value="<?php echo htmlspecialchars(requestVar('collection')); ?>" type="hidden" />\r
+ <input name="collection" value="<?php echo htmlspecialchars($collection); ?>" type="hidden" />\r
<?php echo htmlspecialchars(_LOGINFORM_NAME); ?>: <input name="login" />\r
<br /><?php echo htmlspecialchars(_LOGINFORM_PWD); ?>: <input name="password" type="password" />\r
<br /><input type="submit" value="<?php echo htmlspecialchars(_LOGIN); ?>" />\r