diff --git a/core/module/user/user.php b/core/module/user/user.php
index a8559cfd..a35b479a 100755
--- a/core/module/user/user.php
+++ b/core/module/user/user.php
@@ -88,10 +88,13 @@ class user extends common {
* Suppression
*/
public function delete() {
+ //
+ // $url prend l'adresse sans le token
+ $url = explode('&',$this->getUrl(2));
// Accès refusé
if(
// L'utilisateur n'existe pas
- $this->getData(['user', $this->getUrl(2)]) === null
+ $this->getData(['user', $url[0]]) === null
// Groupe insuffisant
AND ($this->getUrl('group') < self::GROUP_MODERATOR)
) {
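Review bot: The bare `//` line added at the top of delete() is an empty comment; drop it or merge it into the `$url prend l'adresse sans le token` comment beneath it. `$url` actually holds the user id (the part before `&`), not an address, so a name such as `$userId = explode('&', $this->getUrl(2))[0];` would read better at the three places the later hunks use `$url[0]`. The `if` opened here and the rest of delete() continue past the end of this hunk.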
@@ -100,8 +103,23 @@ class user extends common {
'access' => false
]);
}
+ // Jeton incorrect
+ elseif(!isset($_GET['csrf'])) {
+ // Valeurs en sortie
+ $this->addOutput([
+ 'redirect' => helper::baseUrl() . 'user',
+ 'notification' => 'Jeton invalide'
+ ]);
+ }
+ elseif ($_GET['csrf'] !== $_SESSION['csrf']) {
+ // Valeurs en sortie
+ $this->addOutput([
+ 'redirect' => helper::baseUrl() . 'user',
+ 'notification' => 'Suppression non autorisée'
+ ]);
+ }
// Bloque la suppression de son propre compte
- elseif($this->getUser('id') === $this->getUrl(2)) {
+ elseif($this->getUser('id') === $url[0]) {
// Valeurs en sortie
$this->addOutput([
'redirect' => helper::baseUrl() . 'user',
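Review bot: The token check at `elseif ($_GET['csrf'] !== $_SESSION['csrf'])` compares a secret with a plain string operator and assumes `$_SESSION['csrf']` is set; a non-string value (PHP exposes `csrf[]=` as an array) also reaches it. A constant-time comparison that guards the types first is safer: `elseif (!is_string($_GET['csrf']) || !isset($_SESSION['csrf']) || !hash_equals((string) $_SESSION['csrf'], $_GET['csrf']))`. The two new branches could then collapse into one, since `!isset($_GET['csrf'])` is covered by `!is_string(...)`. delete() continues beyond this hunk.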
@@ -110,7 +128,7 @@ class user extends common {
}
// Suppression
else {
- $this->deleteData(['user', $this->getUrl(2)]);
+ $this->deleteData(['user', $url[0]]);
// Valeurs en sortie
$this->addOutput([
'redirect' => helper::baseUrl() . 'user',
@@ -280,7 +298,7 @@ class user extends common {
]),
template::button('userDelete' . $userId, [
'class' => 'userDelete buttonRed',
- 'href' => helper::baseUrl() . 'user/delete/' . $userId,
+ 'href' => helper::baseUrl() . 'user/delete/' . $userId. '&csrf=' . $_SESSION['csrf'],
'value' => template::ico('cancel')
])
];
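Review bot: The `href` built here places `$_SESSION['csrf']` into an HTML attribute without `htmlspecialchars()`/`rawurlencode()`, and appends it with `&` rather than `?`, so the link only works because delete() splits `getUrl(2)` on `&`. A token carried in a GET link also ends up in browser history, proxy logs and Referer headers; a small POST form (or at least an escaped, URL-encoded parameter plus a `Referrer-Policy` header) is the more robust shape. If the token is always hex the missing escaping is harmless today, but the link should not depend on that.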
diff --git a/core/module/user/view/add/add.php b/core/module/user/view/add/add.php
index fbb0415e..78616aa7 100755
--- a/core/module/user/view/add/add.php
+++ b/core/module/user/view/add/add.php
@@ -43,7 +43,7 @@
diff --git a/core/module/user/view/edit/edit.php b/core/module/user/view/edit/edit.php
index 53465073..9bff48a0 100755
--- a/core/module/user/view/edit/edit.php
+++ b/core/module/user/view/edit/edit.php
@@ -58,7 +58,7 @@
diff --git a/core/vendor/filemanager/UploadHandler.php b/core/vendor/filemanager/UploadHandler.php
index ed212191..780c54d3 100755
--- a/core/vendor/filemanager/UploadHandler.php
+++ b/core/vendor/filemanager/UploadHandler.php
@@ -380,6 +380,10 @@ class UploadHandler
$file->error = $this->get_error_message('accept_file_types');
return false;
}
+ if (preg_match($this->options['image_file_types'], $file->name) && function_exists('exif_imagetype') && !@exif_imagetype($uploaded_file)) {
+ $file->error = $this->get_error_message('accept_file_types');
+ return false;
+ }
if ($uploaded_file && is_uploaded_file($uploaded_file)) {
$file_size = $this->get_file_size($uploaded_file);
} else {
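Review bot: The new `exif_imagetype()` guard runs before the `$uploaded_file && is_uploaded_file(...)` check on the next line, so for a chunked upload (this file parses `Content-Range`, see the later hunk) every chunk after the first is presumably tested for an image header it cannot contain and rejected with `accept_file_types`. The check is also skipped entirely on hosts without the exif extension, and the `@` hides why a false result occurred. Consider moving it after the upload-file guard, restricting it to the first chunk, and using `getimagesize($uploaded_file) !== false` as the fallback when `exif_imagetype` is unavailable. The enclosing validation method starts and ends outside this hunk.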
@@ -519,7 +523,7 @@ class UploadHandler
// Remove path information and dots around the filename, to prevent uploading
// into different directories or replacing hidden system files.
// Also remove control characters and spaces (\x00..\x20) around the filename:
- $name = trim($this->basename(stripslashes($name)), ".\x00..\x20");
+ $name = trim($this->basename(stripslashes($name)), "\x00..\x20");
// Use a timestamp for empty filenames:
if (!$name) {
$name = str_replace('.', '-', microtime(true));
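Review bot: Dropping `.` from the trim list means the comment two lines above (`dots around the filename`) no longer describes what the code does; update it to say that leading and trailing dots are now preserved so dot-files such as `.htaccess` keep their name. Whether such names are then blocked elsewhere (the new `empty_filename` config option in this commit suggests a separate guard) is not visible in this hunk and is worth confirming, because this line was the only place in the handler that stripped them. The enclosing method starts and ends outside the hunk.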
@@ -1330,6 +1334,11 @@ class UploadHandler
'',
$content_disposition_header
)) : null;
+ // TODO check
+ // if (isset($content_disposition_header) && !empty($content_disposition_header) ) {
+ // $file_name = str_replace('attachment; filename="', '', $content_disposition_header);
+ // $file_name = str_replace('"', '', $file_name);
+ // }
// Parse the Content-Range header, which has the following form:
// Content-Range: bytes 0-524287/2000000
$content_range_header = $this->get_server_var('HTTP_CONTENT_RANGE');
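Review bot: The `// TODO check` block is commented-out code with no owner or reason; either delete it or replace it with a one-line comment that names the open question about the `Content-Disposition` filename parsing above it. Dead code in a vendored handler tends to be carried forward unchanged on the next upgrade. The enclosing method starts and ends outside the hunk.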
diff --git a/core/vendor/filemanager/ajax_calls.php b/core/vendor/filemanager/ajax_calls.php
index 025d5cfe..0fe40f3f 100755
--- a/core/vendor/filemanager/ajax_calls.php
+++ b/core/vendor/filemanager/ajax_calls.php
@@ -1,8 +1,6 @@
send();
exit;
}
+
+
+//check $_GET['file']
+if(isset($_GET['file']) && !checkRelativePath($_GET['file'])) {
+ response(trans('wrong path').AddErrorLocation())->send();
+ exit;
+}
+
+//check $_POST['file']
+if(isset($_POST['path']) && !checkRelativePath($_POST['path'])) {
+ response(trans('wrong path').AddErrorLocation())->send();
+ exit;
+}
+
+
$ftp = ftp_con($config);
if(isset($_GET['action']))
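Review bot: The comment `//check $_POST['file']` does not match the code under it, which validates `$_POST['path']`; change it to `//check $_POST['path']`. The two new guards cover only `$_GET['file']` and `$_POST['path']`; `$_POST['name']`, which is concatenated into paths in the `save_img` case, still relies solely on the `fix_filename` comparison further down, so a sentence in the comment saying which inputs are deliberately left to per-action checks would help the next reader.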
@@ -52,7 +65,7 @@ if(isset($_GET['action']))
case 'filter':
if (isset($_GET['type']))
{
- if (isset($remember_text_filter) && $remember_text_filter)
+ if (isset($config['remember_text_filter']) && $config['remember_text_filter'])
{
$_SESSION['RF']["filter"] = $_GET['type'];
}
@@ -73,24 +86,10 @@ if(isset($_GET['action']))
$_SESSION['RF']["descending"] = $_GET['descending'];
}
break;
- case 'image_size': // not used
- $pos = strpos($_POST['path'], $upload_dir);
- if ($pos !== false)
- {
- $info = getimagesize(substr_replace($_POST['path'], $current_path, $pos, strlen($upload_dir)));
- response($info)->send();
- exit;
- }
- break;
case 'save_img':
$info = pathinfo($_POST['name']);
- if (
- strpos($_POST['path'], '/') === 0
- || strpos($_POST['path'], '../') !== false
- || strpos($_POST['path'], '..\\') !== false
- || strpos($_POST['path'], './') === 0
- || (strpos($_POST['url'], 'http://s3.amazonaws.com/feather') !== 0 && strpos($_POST['url'], 'https://s3.amazonaws.com/feather') !== 0)
+ if ((strpos($_POST['url'], 'http://s3.amazonaws.com/feather') !== 0 && strpos($_POST['url'], 'https://s3.amazonaws.com/feather') !== 0)
|| $_POST['name'] != fix_filename($_POST['name'], $config)
|| ! in_array(strtolower($info['extension']), array( 'jpg', 'jpeg', 'png' ))
)
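Review bot: The removed inline test also rejected a `$_POST['path']` beginning with `/` or `./`; the replacement relies entirely on `checkRelativePath()` (called at the top of the file), so confirm that helper rejects absolute paths as well as `..` segments, since its body is not in this diff. While here, `in_array(strtolower($info['extension']), array('jpg','jpeg','png'))` should pass `true` as the third argument. The `if` opened here continues past the end of the hunk.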
@@ -106,7 +105,7 @@ if(isset($_GET['action']))
}
if (!checkresultingsize(strlen($image_data))) {
- response(sprintf(trans('max_size_reached'),$MaxSizeTotal).AddErrorLocation())->send();
+ response(sprintf(trans('max_size_reached'),$config['MaxSizeTotal']).AddErrorLocation())->send();
exit;
}
if($ftp){
@@ -116,42 +115,36 @@ if(isset($_GET['action']))
$temp .=".".substr(strrchr($_POST['url'],'.'),1);
file_put_contents($temp,$image_data);
- $ftp->put($ftp_base_folder.$upload_dir . $_POST['path'] . $_POST['name'], $temp, FTP_BINARY);
+ $ftp->put($config['ftp_base_folder'].$config['upload_dir'] . $_POST['path'] . $_POST['name'], $temp, FTP_BINARY);
create_img($temp,$temp,122,91);
- $ftp->put($ftp_base_folder.$ftp_thumbs_dir. $_POST['path'] . $_POST['name'], $temp, FTP_BINARY);
+ $ftp->put($config['ftp_base_folder'].$config['ftp_thumbs_dir']. $_POST['path'] . $_POST['name'], $temp, FTP_BINARY);
unlink($temp);
}else{
- file_put_contents($current_path . $_POST['path'] . $_POST['name'],$image_data);
- create_img($current_path . $_POST['path'] . $_POST['name'], $thumbs_base_path.$_POST['path'].$_POST['name'], 122, 91);
+ file_put_contents($config['current_path'] . $_POST['path'] . $_POST['name'],$image_data);
+ create_img($config['current_path'] . $_POST['path'] . $_POST['name'], $config['thumbs_base_path'].$_POST['path'].$_POST['name'], 122, 91);
// TODO something with this function cause its blowing my mind
new_thumbnails_creation(
- $current_path.$_POST['path'],
- $current_path.$_POST['path'].$_POST['name'],
+ $config['current_path'].$_POST['path'],
+ $config['current_path'].$_POST['path'].$_POST['name'],
$_POST['name'],
- $current_path,
+ $config['current_path'],
$config
);
}
break;
case 'extract':
- if ( strpos($_POST['path'], '/') === 0
- || strpos($_POST['path'], '../') !== false
- || strpos($_POST['path'], '..\\') !== false
- || strpos($_POST['path'], './') === 0)
- {
- response(trans('wrong path'.AddErrorLocation()))->send();
- exit;
+ if(!$config['extract_files']){
+ response(trans('wrong action').AddErrorLocation())->send();
}
-
if($ftp){
- $path = $ftp_base_url.$upload_dir . $_POST['path'];
- $base_folder = $ftp_base_url.$upload_dir . fix_dirname($_POST['path']) . "/";
+ $path = $config['ftp_base_url'].$config['upload_dir'] . $_POST['path'];
+ $base_folder = $config['ftp_base_url'].$config['upload_dir'] . fix_dirname($_POST['path']) . "/";
}else{
- $path = $current_path . $_POST['path'];
- $base_folder = $current_path . fix_dirname($_POST['path']) . "/";
+ $path = $config['current_path'] . $_POST['path'];
+ $base_folder = $config['current_path'] . fix_dirname($_POST['path']) . "/";
}
$info = pathinfo($path);
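Review bot: The new `if(!$config['extract_files'])` branch sends the `wrong action` response but does not stop, so when extraction is disabled execution falls through and the archive is still extracted; every other error path in this file follows `->send()` with `exit;`. Add it: `response(trans('wrong action').AddErrorLocation())->send(); exit;`. The `extract` case continues beyond this hunk.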
@@ -184,32 +177,28 @@ if(isset($_GET['action']))
$sizeTotalFinal += $aStat['size'];
}
if (!checkresultingsize($sizeTotalFinal)) {
- response(sprintf(trans('max_size_reached'),$MaxSizeTotal).AddErrorLocation())->send();
+ response(sprintf(trans('max_size_reached'),$config['MaxSizeTotal']).AddErrorLocation())->send();
exit;
}
- //make all the folders
+ //make all the folders and unzip into the folders
for ($i = 0; $i < $zip->numFiles; $i++)
{
- $OnlyFileName = $zip->getNameIndex($i);
- $FullFileName = $zip->statIndex($i);
- if (substr($FullFileName['name'], -1, 1) == "/")
- {
- create_folder($base_folder . $FullFileName['name']);
- }
- }
- //unzip into the folders
- for ($i = 0; $i < $zip->numFiles; $i++)
- {
- $OnlyFileName = $zip->getNameIndex($i);
$FullFileName = $zip->statIndex($i);
- if ( ! (substr($FullFileName['name'], -1, 1) == "/"))
- {
- $fileinfo = pathinfo($OnlyFileName);
- if (in_array(strtolower($fileinfo['extension']), $ext))
+ if(checkRelativePath($FullFileName['name'])){
+ if (substr($FullFileName['name'], -1, 1) == "/")
{
- copy('zip://' . $path . '#' . $OnlyFileName, $base_folder . $FullFileName['name']);
+ create_folder($base_folder . $FullFileName['name']);
+ }
+
+ if ( ! (substr($FullFileName['name'], -1, 1) == "/"))
+ {
+ $fileinfo = pathinfo($FullFileName['name']);
+ if (in_array(strtolower($fileinfo['extension']), $config['ext']))
+ {
+ copy('zip://' . $path . '#' . $FullFileName['name'], $base_folder . $FullFileName['name']);
+ }
}
}
}
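Review bot: Merging the two loops into one pass changes behaviour for archives whose directory entries come after the files they contain: `copy('zip://...')` into `$base_folder . $FullFileName['name']` fails when the parent folder has not been created yet, whereas the old first pass created every folder before any copy. Either keep two passes or create the parent before the copy with `create_folder($base_folder . dirname($FullFileName['name']) . '/')`. `$fileinfo['extension']` is also undefined for entries without an extension, which raises a notice before `strtolower()`; `$ext = isset($fileinfo['extension']) ? strtolower($fileinfo['extension']) : '';` avoids that, and `in_array(..., $config['ext'], true)` should be strict. The `for` loop begins inside the hunk but its enclosing case continues beyond it.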
@@ -234,7 +223,7 @@ if(isset($_GET['action']))
$phar = new PharData($path);
$phar->decompressFiles();
$files = array();
- check_files_extensions_on_phar($phar, $files, '', $ext);
+ check_files_extensions_on_phar($phar, $files, '', $config);
$phar->extractTo($base_folder, $files, true);
break;
@@ -246,22 +235,28 @@ if(isset($_GET['action']))
if($ftp){
unlink($path);
- $ftp->putAll($base_folder, "/".$ftp_base_folder . $upload_dir . fix_dirname($_POST['path']), FTP_BINARY);
+ $ftp->putAll($base_folder, "/".$config['ftp_base_folder'] . $config['upload_dir'] . fix_dirname($_POST['path']), FTP_BINARY);
deleteDir($base_folder);
}
break;
case 'media_preview':
+ if(isset($_GET['file'])){
+ $_GET['file'] = sanitize($_GET['file']);
+ }
+ if(isset($_GET['title'])){
+ $_GET['title'] = sanitize($_GET['title']);
+ }
if($ftp){
- $preview_file = $ftp_base_url.$upload_dir . $_GET['file'];
+ $preview_file = $config['ftp_base_url'].$config['upload_dir'] . $_GET['file'];
}else{
- $preview_file = $current_path . $_GET["file"];
+ $preview_file = $config['current_path'] . $_GET["file"];
}
$info = pathinfo($preview_file);
ob_start();
?>
-
+
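Review bot: `$_GET['file']` is rewritten by `sanitize()` here, after the top-of-file `checkRelativePath($_GET['file'])` guard already ran on the original value; if `sanitize()` decodes or strips characters, the path that reaches `$config['current_path'] . $_GET["file"]` is not the one that was checked. Run the sanitisation first, or re-check the sanitised value: `if(!checkRelativePath($_GET['file'])) { response(trans('wrong path').AddErrorLocation())->send(); exit; }`. What `sanitize()` does is not visible in this diff, so this may be harmless, but the ordering is fragile. The `media_preview` case continues beyond this hunk.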
@@ -308,7 +303,7 @@ if(isset($_GET['action']))
-
+
-
+
';
- $ret .= '
'.$data.'
';
- } else {
- $ret .= '
'.$data.' ';
- }
+ $ret .= '';
+ $ret .= '
'.$data.'
';
}
elseif ($preview_mode == 'google') {
if($ftp){
$url_file = $selected_file;
}else{
- $url_file = $base_url . $upload_dir . str_replace($current_path, '', $_GET["file"]);
+ $url_file = $config['base_url'] . $config['upload_dir'] . str_replace($config['current_path'], '', $_GET["file"]);
}
$googledoc_url = urlencode($url_file);
- $googledoc_html = "
";
- $ret = $googledoc_html;
+ $ret = "
";
}
- } else {
+ }else{
$data = stripslashes(htmlspecialchars(file_get_contents($selected_file)));
- $ret = '
';
+ if(in_array($info['extension'],array('html','html'))){
+ $ret = '
';
+ }else{
+ $ret = '
';
+ }
+
}
response($ret)->send();
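Review bot: `in_array($info['extension'],array('html','html'))` lists `html` twice; since the config's `previewable_text_file_exts` contains both `htm` and `html`, the second entry was presumably meant to be `'htm'`, so the branch never fires for `.htm` files. Write it as `in_array($info['extension'], array('html', 'htm'), true)`. The markup the two branches build was stripped from this diff, so which one is the HTML-specific preview cannot be confirmed here. The `media_preview` case starts before this hunk.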
@@ -700,4 +689,3 @@ if(isset($_GET['action']))
response(trans('no action passed').AddErrorLocation())->send();
exit;
}
-?>
\ No newline at end of file
diff --git a/core/vendor/filemanager/config/config.php b/core/vendor/filemanager/config/config.php
index fd6b13fa..f948b8f9 100755
--- a/core/vendor/filemanager/config/config.php
+++ b/core/vendor/filemanager/config/config.php
@@ -1,5 +1,5 @@
false,
+ 'multiple_selection' => true,
/*
|
| The user can have a select button that pass a json to external input or pass the first file selected to editor
| If you use responsivefilemanager tinymce extension can copy into editor multiple object like images, videos, audios, links in the same time
|
*/
- 'multiple_selection_action_button' => false,
+ 'multiple_selection_action_button' => true,
/*
|--------------------------------------------------------------------------
@@ -330,23 +330,28 @@ $config = array(
'rename_files' => true,
'rename_folders' => true,
'duplicate_files' => true,
+ 'extract_files' => true,
'copy_cut_files' => true, // for copy/cut files
'copy_cut_dirs' => true, // for copy/cut directories
'chmod_files' => true, // change file permissions
'chmod_dirs' => true, // change folder permissions
'preview_text_files' => true, // eg.: txt, log etc.
'edit_text_files' => true, // eg.: txt, log etc.
- 'create_text_files' => true, // only create files with exts. defined in $editable_text_file_exts
+ 'create_text_files' => true, // only create files with exts. defined in $config['editable_text_file_exts']
+ 'download_files' => true, // allow download files or just preview
// you can preview these type of files if $preview_text_files is true
- 'previewable_text_file_exts' => array( "bsh", "c","css", "cc", "cpp", "cs", "csh", "cyc", "cv", "htm", "html", "java", "js", "m", "mxml", "perl", "pl", "pm", "py", "rb", "sh", "xhtml", "xml","xsl" ),
- 'previewable_text_file_exts_no_prettify' => array( 'txt', 'log' ),
+ 'previewable_text_file_exts' => array( "bsh", "c","css", "cc", "cpp", "cs", "csh", "cyc", "cv", "htm", "html", "java", "js", "m", "mxml", "perl", "pl", "pm", "py", "rb", "sh", "xhtml", "xml","xsl",'txt', 'log','' ),
// you can edit these type of files if $edit_text_files is true (only text based files)
- // you can create these type of files if $create_text_files is true (only text based files)
+ // you can create these type of files if $config['create_text_files'] is true (only text based files)
// if you want you can add html,css etc.
// but for security reasons it's NOT RECOMMENDED!
- 'editable_text_file_exts' => array( 'txt', 'log', 'xml', 'html', 'css', 'htm', 'js' ),
+ 'editable_text_file_exts' => array( 'txt', 'log', 'xml', 'html', 'css', 'htm', 'js','' ),
+
+ 'jplayer_exts' => array("mp4","flv","webmv","webma","webm","m4a","m4v","ogv","oga","mp3","midi","mid","ogg","wav"),
+
+ 'cad_exts' => array('dwg', 'dxf', 'hpgl', 'plt', 'spl', 'step', 'stp', 'iges', 'igs', 'sat', 'cgm', 'svg'),
// Preview with Google Documents
'googledoc_enabled' => true,
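Review bot: Adding `''` to the default `previewable_text_file_exts` and `editable_text_file_exts` lists (and to `ext_file` in the next hunk) enables extension-less files in the shipped defaults, while the `files_without_extension` option added later in this file defaults to `false` and its comment tells the admin to add `''` only if they want that. Keep `''` out of the defaults so the two settings agree, or document next to these lists that the extra entry is inert until `files_without_extension` is enabled — which of the two holds depends on `check_file_extension()`, not shown in this diff. The `$config` array begins and ends outside this hunk.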
@@ -363,8 +368,8 @@ $config = array(
//**********************
//Allowed extensions (lowercase insert)
//**********************
- 'ext_img' => array( 'jpg', 'jpeg', 'png', 'gif', 'bmp', 'tiff', 'svg', 'ico' ), //Images
- 'ext_file' => array( 'doc', 'docx', 'rtf', 'pdf', 'xls', 'xlsx', 'txt', 'csv', 'html', 'xhtml', 'psd', 'sql', 'log', 'fla', 'xml', 'ade', 'adp', 'mdb', 'accdb', 'ppt', 'pptx', 'odt', 'ots', 'ott', 'odb', 'odg', 'otp', 'otg', 'odf', 'ods', 'odp', 'css', 'ai', 'kmz','dwg', 'dxf', 'hpgl', 'plt', 'spl', 'step', 'stp', 'iges', 'igs', 'sat', 'cgm', 'tiff'), //Files
+ 'ext_img' => array( 'jpg', 'jpeg', 'png', 'gif', 'bmp', 'tiff','svg', 'ico' ), //Images
+ 'ext_file' => array( 'doc', 'docx', 'rtf', 'pdf', 'xls', 'xlsx', 'txt', 'csv', 'html', 'xhtml', 'psd', 'sql', 'log', 'fla', 'xml', 'ade', 'adp', 'mdb', 'accdb', 'ppt', 'pptx', 'odt', 'ots', 'ott', 'odb', 'odg', 'otp', 'otg', 'odf', 'ods', 'odp', 'css', 'ai', 'kmz','dwg', 'dxf', 'hpgl', 'plt', 'spl', 'step', 'stp', 'iges', 'igs', 'sat', 'cgm', 'tiff',''), //Files
'ext_video' => array( 'mov', 'mpeg', 'm4v', 'mp4', 'avi', 'mpg', 'wma', "flv", "webm" ), //Video
'ext_music' => array( 'mp3', 'mpga', 'm4a', 'ac3', 'aiff', 'mid', 'ogg', 'wav' ), //Audio
'ext_misc' => array( 'zip', 'rar', 'gz', 'tar', 'iso', 'dmg' ), //Archives
@@ -374,7 +379,21 @@ $config = array(
// If you insert an extensions blacklist array the filemanager don't check any extensions but simply block the extensions in the list
// otherwise check Allowed extensions configuration
//*********************
- 'ext_blacklist' => false, //['jpg'],
+ 'ext_blacklist' => false,//['exe','bat','jpg'],
+
+
+ //Empty filename permits like .htaccess, .env, ...
+ 'empty_filename' => false,
+
+ /*
+ |--------------------------------------------------------------------------
+ | accept files without extension
+ |--------------------------------------------------------------------------
+ |
+ | If you want to accept files without extension, remember to add '' extension on allowed extension
+ |
+ */
+ 'files_without_extension' => false,
/******************
* AVIARY config
@@ -480,4 +499,3 @@ return array_merge(
),
)
);
-?>
diff --git a/core/vendor/filemanager/css/rtl-style.css b/core/vendor/filemanager/css/rtl-style.css
index eb67f806..dd0800c5 100755
Binary files a/core/vendor/filemanager/css/rtl-style.css and b/core/vendor/filemanager/css/rtl-style.css differ
diff --git a/core/vendor/filemanager/dialog.php b/core/vendor/filemanager/dialog.php
index a7c5bfe0..d0fafcfa 100755
--- a/core/vendor/filemanager/dialog.php
+++ b/core/vendor/filemanager/dialog.php
@@ -4,17 +4,14 @@ $time = time();
$config = include 'config/config.php';
-//TODO switch to array
-extract($config, EXTR_OVERWRITE);
-
if (USE_ACCESS_KEYS == TRUE){
- if (!isset($_GET['akey'], $access_keys) || empty($access_keys)){
+ if (!isset($_GET['akey'], $config['access_keys']) || empty($config['access_keys'])){
die('Access Denied!');
}
$_GET['akey'] = strip_tags(preg_replace( "/[^a-zA-Z0-9\._-]/", '', $_GET['akey']));
- if (!in_array($_GET['akey'], $access_keys)){
+ if (!in_array($_GET['akey'], $config['access_keys'])){
die('Access Denied!');
}
}
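Review bot: `in_array($_GET['akey'], $config['access_keys'])` compares the access key loosely; pass `true` as the third argument so a key such as `1000` cannot match `1e3`, or better compare each entry with `hash_equals()` so the check is also constant-time. The `preg_replace` on the line above already limits the key to `[a-zA-Z0-9._-]`, so the `strip_tags()` wrapped around it is redundant. The `USE_ACCESS_KEYS` block is fully inside this hunk.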
@@ -24,19 +21,22 @@ $_SESSION['RF']["verify"] = "RESPONSIVEfilemanager";
if(isset($_POST['submit'])){
include 'upload.php';
}else{
+ $config['default_language'] = $config['default_language'];
+ $available_languages = include 'lang/languages.php';
-$lang = $config['default_language'];
-$languages = include 'lang/languages.php';
-if (isset($_GET['lang']))
-{
- $lang = strip_tags($_GET['lang']);
- if(array_key_exists($lang,$languages)){
- $_SESSION['RF']['language'] = $lang;
+ list($preferred_language) = array_values(array_filter(array(
+ isset($_GET['lang']) ? $_GET['lang'] : null,
+ isset($_SESSION['RF']['language']) ? $_SESSION['RF']['language'] : null,
+ $config['default_language']
+ )));
+
+ if(array_key_exists($preferred_language, $available_languages))
+ {
+ $_SESSION['RF']['language'] = $preferred_language;
}
-}elseif(isset($_SESSION['RF']['language']) && $_SESSION['RF']['language'])
- $lang = strip_tags($_SESSION['RF']['language']);
- if(array_key_exists($lang,$languages)){
- $_SESSION['RF']['language'] = $lang;
+ else
+ {
+ $_SESSION['RF']['language'] = $config['default_language'];
}
}
include 'include/utils.php';
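Review bot: `$config['default_language'] = $config['default_language'];` assigns a value to itself and does nothing; delete the line. `array_filter()` without a callback also drops falsy strings, and if all three candidates are empty `list($preferred_language) = array_values(...)` reads offset 0 of an empty array, so the fallback silently relies on `$config['default_language']` always being non-empty — a one-line comment stating that assumption would help.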
@@ -47,10 +47,8 @@ if (isset($_GET['fldr']) && !empty($_GET['fldr'])) {
}elseif(isset($_SESSION['RF']['fldr']) && !empty($_SESSION['RF']['fldr'])){
$subdir_path = rawurldecode(trim(strip_tags($_SESSION['RF']['fldr']),"/"));
}
-if (strpos($subdir_path,'../') === FALSE
- && strpos($subdir_path,'./') === FALSE
- && strpos($subdir_path,'..\\') === FALSE
- && strpos($subdir_path,'.\\') === FALSE)
+
+if ( checkRelativePath($subdir_path))
{
$subdir = strip_tags($subdir_path) ."/";
$_SESSION['RF']['fldr'] = $subdir_path;
@@ -70,11 +68,11 @@ setcookie('last_position',$subdir,time() + (86400 * 7));
if ($subdir == "/") { $subdir = ""; }
// If hidden folders are specified
-if(count($hidden_folders)){
+if(count($config['hidden_folders'])){
// If hidden folder appears in the path specified in URL parameter "fldr"
$dirs = explode('/', $subdir);
foreach($dirs as $dir){
- if($dir !== '' && in_array($dir, $hidden_folders)){
+ if($dir !== '' && in_array($dir, $config['hidden_folders'])){
// Ignore the path
$subdir = "";
break;
@@ -82,8 +80,8 @@ if(count($hidden_folders)){
}
}
-if ($show_total_size) {
- list($sizeCurrentFolder,$fileCurrentNum,$foldersCurrentCount) = folder_info($current_path,false);
+if ($config['show_total_size']) {
+ list($sizeCurrentFolder,$fileCurrentNum,$foldersCurrentCount) = folder_info($config['current_path'],false);
}
/***
*SUB-DIR CODE
@@ -94,9 +92,10 @@ if (!isset($_SESSION['RF']["subfolder"]))
}
$rfm_subfolder = '';
-if (!empty($_SESSION['RF']["subfolder"]) && strpos($_SESSION['RF']["subfolder"],'../') === FALSE && strpos($_SESSION['RF']["subfolder"],'..\\') === FALSE
-&& strpos($_SESSION['RF']["subfolder"],'./') === FALSE && strpos($_SESSION['RF']["subfolder"],"/") !== 0
-&& strpos($_SESSION['RF']["subfolder"],'.') === FALSE)
+if (!empty($_SESSION['RF']["subfolder"])
+ && strpos($_SESSION['RF']["subfolder"],"/") !== 0
+ && strpos($_SESSION['RF']["subfolder"],'.') === FALSE
+)
{
$rfm_subfolder = $_SESSION['RF']['subfolder'];
}
@@ -105,23 +104,23 @@ if ($rfm_subfolder != "" && $rfm_subfolder[strlen($rfm_subfolder)-1] != "/") { $
$ftp=ftp_con($config);
-if (($ftp && !$ftp->isDir($ftp_base_folder.$upload_dir.$rfm_subfolder.$subdir)) || (!$ftp && !file_exists($current_path.$rfm_subfolder.$subdir)))
+if (($ftp && !$ftp->isDir($config['ftp_base_folder'].$config['upload_dir'].$rfm_subfolder.$subdir)) || (!$ftp && !file_exists($config['current_path'].$rfm_subfolder.$subdir)))
{
$subdir = '';
$rfm_subfolder = "";
}
-$cur_dir = $upload_dir.$rfm_subfolder.$subdir;
-$cur_path = $current_path.$rfm_subfolder.$subdir;
-$thumbs_path = $thumbs_base_path.$rfm_subfolder;
+$cur_dir = $config['upload_dir'].$rfm_subfolder.$subdir;
+$cur_path = $config['current_path'].$rfm_subfolder.$subdir;
+$thumbs_path = $config['thumbs_base_path'].$rfm_subfolder;
$parent = $rfm_subfolder.$subdir;
if($ftp){
- $cur_dir = $ftp_base_folder.$cur_dir;
+ $cur_dir = $config['ftp_base_folder'].$cur_dir;
$cur_path = str_replace(array('/..','..'),'',$cur_dir);
- $thumbs_path = str_replace(array('/..','..'),'',$ftp_base_folder.$ftp_thumbs_dir.$rfm_subfolder);
- $parent = $ftp_base_folder.$parent;
+ $thumbs_path = str_replace(array('/..','..'),'',$config['ftp_base_folder'].$config['ftp_thumbs_dir'].$rfm_subfolder);
+ $parent = $config['ftp_base_folder'].$parent;
}
if(!$ftp){
@@ -132,11 +131,10 @@ if(!$ftp){
$i++;
if ($parent=="./") $parent="";
- if (file_exists($current_path.$parent."config.php"))
+ if (file_exists($config['current_path'].$parent."config.php"))
{
- $configTemp = include $current_path.$parent.'config.php';
+ $configTemp = include $config['current_path'].$parent.'config.php';
$config = array_merge($config,$configTemp);
- extract($config, EXTR_OVERWRITE);
$cycle = FALSE;
}
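Review bot: The per-folder `config.php` is still loaded with `include` from under `$config['current_path']` (the upload root), so any `config.php` that ends up in that tree is executed as PHP; with `extract()` gone, `$config = array_merge($config,$configTemp);` is now the only effect, which is an improvement, but the upload extension filters remain the only thing preventing execution. It would be more robust to read per-folder overrides as data (e.g. `json_decode(file_get_contents(...), true)`) or to restrict which keys the merge may override. The loop this block appears to sit in (`$cycle`, `$i++`) starts and ends outside the hunk.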
@@ -192,7 +190,7 @@ $crossdomain=!!$crossdomain;
//view type
if(!isset($_SESSION['RF']["view_type"]))
{
- $view = $default_view;
+ $view = $config['default_view'];
$_SESSION['RF']["view_type"] = $view;
}
@@ -253,7 +251,7 @@ if (isset($_GET['extensions'])){
$ext_tmp = array();
foreach($extensions as $extension){
$extension = fix_strtolower($extension);
- if(in_array( $extension, $config['ext'])){
+ if(check_file_extension( $extension, $config)){
$ext_tmp[]=$extension;
}
}
@@ -311,7 +309,7 @@ $get_params['fldr'] ='';
$get_params = http_build_query($get_params);
?>
-
+
@@ -325,7 +323,7 @@ $get_params = http_build_query($get_params);
-
+