diff --git a/CHANGES.md b/CHANGES.md
index 3a9aa4f2..43a34f1f 100755
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -1,5 +1,9 @@
# Changelog
+## Version 12.3.10
+- Mise à jour du fichier dialog.php de Responsive File Manager
+- Vulnérabilité dans ajax_call.php CVE-2020-10567
+
## Version 12.3.09
### Corrections
- Corrige le filtrage des modules orphelins.
diff --git a/LISEZMOI.md b/LISEZMOI.md
index cdade332..d9dd689d 100644
--- a/LISEZMOI.md
+++ b/LISEZMOI.md
@@ -1,4 +1,4 @@
-# ZwiiCMS 12.3.09
+# ZwiiCMS 12.3.10
Zwii est un CMS sans base de données (flat-file) qui permet de créer et gérer facilement un site web sans aucune connaissance en programmation.
diff --git a/README.md b/README.md
index 5f712850..a44bcf0d 100755
--- a/README.md
+++ b/README.md
@@ -1,4 +1,4 @@
-# ZwiiCMS 12.3.09
+# ZwiiCMS 12.3.10
Zwii is a database-less (flat-file) CMS that allows you to easily create and manage a web site without any programming knowledge.
diff --git a/core/core.php b/core/core.php
index 25d86874..d374b7f8 100644
--- a/core/core.php
+++ b/core/core.php
@@ -53,7 +53,7 @@ class common
const ACCESS_TIMER = 1800;
// Numéro de version et branche pour l'auto-update
- const ZWII_VERSION = '12.3.09';
+ const ZWII_VERSION = '12.3.10';
// URL autoupdate
const ZWII_UPDATE_URL = 'https://forge.chapril.org/ZwiiCMS-Team/update/raw/branch/master/';
diff --git a/core/vendor/filemanager/ajax_calls.php b/core/vendor/filemanager/ajax_calls.php
index e514186d..6b97f280 100644
--- a/core/vendor/filemanager/ajax_calls.php
+++ b/core/vendor/filemanager/ajax_calls.php
@@ -5,7 +5,7 @@ $config = include 'config/config.php';
require_once 'include/utils.php';
if ($_SESSION['RF']["verify"] != "RESPONSIVEfilemanager") {
- response(trans('forbidden').AddErrorLocation())->send();
+ response(trans('forbidden') . AddErrorLocation())->send();
exit;
}
$languages = include 'lang/languages.php';
@@ -14,24 +14,24 @@ if (isset($_SESSION['RF']['language']) && file_exists('lang/' . basename($_SESSI
if (array_key_exists($_SESSION['RF']['language'], $languages)) {
include 'lang/' . basename($_SESSION['RF']['language']) . '.php';
} else {
- response(trans('Lang_Not_Found').AddErrorLocation())->send();
+ response(trans('Lang_Not_Found') . AddErrorLocation())->send();
exit;
}
} else {
- response(trans('Lang_Not_Found').AddErrorLocation())->send();
+ response(trans('Lang_Not_Found') . AddErrorLocation())->send();
exit;
}
//check $_GET['file']
if (isset($_GET['file']) && !checkRelativePath($_GET['file'])) {
- response(trans('wrong path').AddErrorLocation())->send();
+ response(trans('wrong path') . AddErrorLocation())->send();
exit;
}
//check $_POST['file']
-if(isset($_POST['path']) && !checkRelativePath($_POST['path'])) {
- response(trans('wrong path').AddErrorLocation())->send();
+if (isset($_POST['path']) && !checkRelativePath($_POST['path'])) {
+ response(trans('wrong path') . AddErrorLocation())->send();
exit;
}
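Review bot: The comment above the second guard reads `//check $_POST['file']` but the code validates `$_POST['path']`, so it should read `//check $_POST['path']`; a mislabelled guard in path-validation code is the kind of thing that gets "fixed" in the wrong direction later. These two `checkRelativePath` calls are the only path validation visible in this hunk, and they cover exactly `$_GET['file']` and `$_POST['path']`; any other request parameter that reaches the filesystem further down this file is not protected by them and needs its own check, which this diff does not show. Reading the value once would also make the guard easier to audit, e.g. `$path = $_POST['path'] ?? null; if ($path !== null && !checkRelativePath($path)) { response(trans('wrong path') . AddErrorLocation())->send(); exit; }`.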
@@ -43,16 +43,16 @@ if (isset($_GET['action'])) {
case 'new_file_form':
echo trans('Filename') . ':
'.$data.'
';
+ $ret .= '' . $data . '
';
} elseif ($preview_mode == 'google') {
if ($ftp) {
$url_file = $selected_file;
@@ -626,28 +633,28 @@ if (isset($_GET['action'])) {
$url_file = $config['base_url'] . $config['upload_dir'] . str_replace($config['current_path'], '', $_GET["file"]);
}
- $googledoc_url = urlencode($url_file);
- $ret = "";
- }
- }else{
- $data = stripslashes(htmlspecialchars(file_get_contents($selected_file)));
- if(in_array($info['extension'],array('html','html'))){
- $ret = '';
- }else{
- $ret = '';
- }
+ $googledoc_url = urlencode($url_file);
+ $ret = "";
+ }
+ } else {
+ $data = stripslashes(htmlspecialchars(file_get_contents($selected_file)));
+ if (in_array($info['extension'], array('html', 'html'))) {
+ $ret = '';
+ } else {
+ $ret = '';
+ }
- }
+ }
- response($ret)->send();
- exit;
+ response($ret)->send();
+ exit;
break;
default:
- response(trans('no action passed').AddErrorLocation())->send();
+ response(trans('no action passed') . AddErrorLocation())->send();
exit;
}
} else {
- response(trans('no action passed').AddErrorLocation())->send();
+ response(trans('no action passed') . AddErrorLocation())->send();
exit;
-}
+}
\ No newline at end of file
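Review bot: The extension whitelist in the preview branch, `in_array($info['extension'], array('html', 'html'))`, lists `'html'` twice, so the second entry is dead — it presumably meant `'htm'` — and the call should pass `true` as the third argument so the match is strict: `in_array($info['extension'], array('html', 'htm'), true)`. The changelog credits this file with the CVE-2020-10567 fix (and spells it `ajax_call.php`), but no line in this hunk adds a check: the branch still hands `$selected_file` straight to `file_get_contents`, and `$selected_file` is assigned outside the hunk, so the traversal guard has to be confirmed where that variable is set, not here. The `str_replace($config['current_path'], '', $_GET["file"])` a few lines up only feeds the Google-preview URL and is not a substitute for that guard. The enclosing `case` block begins before this hunk.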
diff --git a/core/vendor/filemanager/dialog.php b/core/vendor/filemanager/dialog.php
index 35451a6f..4d9b417a 100644
--- a/core/vendor/filemanager/dialog.php
+++ b/core/vendor/filemanager/dialog.php
@@ -276,7 +276,7 @@ if (isset($_GET['editor'])) {
$editor = $_GET['type'] == 0 ? null : 'tinymce';
}
-$field_id = isset($_GET['field_id']) ? fix_get_params($_GET['field_id']) : '';
+$field_id = isset($_GET['field_id']) ? fix_get_params($_GET['field_id']) : null;
$type_param = fix_get_params($_GET['type']);
$apply = null;
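Review bot: Changing the `$field_id` fallback from `''` to `null` is a behavioural change for every consumer of that variable, not just a default tweak: `http_build_query()` silently drops entries whose value is `null` while it keeps `''` as `field_id=`, and any `=== ''` comparison downstream now misses the absent case. Those consumers are outside this hunk (the `$get_params` query string is built further down), so they should be checked before this lands; if an empty string is what the URL side expects, keep `''` there and use a separate flag for "absent". The neighbouring `$type_param = fix_get_params($_GET['type']);` still reads `$_GET['type']` with no isset guard (as does the `$_GET['type'] == 0` line above it), so a request without `type` raises an undefined-index notice before `fix_get_params` runs; `$type_param = fix_get_params($_GET['type'] ?? '');` would close that.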
@@ -340,7 +340,7 @@ $get_params = http_build_query($get_params);
+ href="https://cdnjs.cloudflare.com/ajax/libs/jplayer/2.7.1/skin/blue.monday/jplayer.blue.monday.min.css"/>
-
-
+
+
-
-
-
+
+
+
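Review bot: The stylesheet added on the new side is fetched from a third-party CDN (`https://cdnjs.cloudflare.com/ajax/libs/jplayer/2.7.1/skin/blue.monday/jplayer.blue.monday.min.css`) with no `integrity` attribute, so a substituted or compromised CDN response is loaded unverified into the admin file-manager dialog; the sibling tags in this hunk are not readable in this rendering, but if they follow the same pattern they need the same treatment. Pin the asset with a Subresource Integrity hash and `crossorigin="anonymous"`, or ship it locally alongside the rest of the filemanager assets, e.g. `<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/jplayer/2.7.1/skin/blue.monday/jplayer.blue.monday.min.css" integrity="sha384-…" crossorigin="anonymous"/>` with the hash computed from the exact file served.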
@@ -368,11 +371,14 @@ $get_params = http_build_query($get_params);
-
-
-
-
-
+
+
+
+
+
@@ -386,11 +392,11 @@ $get_params = http_build_query($get_params);
-
+
-
+
-
+
@@ -856,75 +862,54 @@ if ($config['upload_files']) { ?>
}
}
- function filenameSort($x, $y)
- {
- global $descending;
-
- if ($x['is_dir'] !== $y['is_dir']) {
- $greater = $y['is_dir'];
- } else {
- $greater = ($descending)
- ? $x['file_lcase'] < $y['file_lcase']
- : $x['file_lcase'] >= $y['file_lcase'];
- }
- return $greater ? 1 : -1;
- }
-
- function dateSort($x, $y)
- {
- global $descending;
-
- if ($x['is_dir'] !== $y['is_dir']) {
- $greater = $y['is_dir'];
- } else {
- $greater = ($descending)
- ? $x['date'] < $y['date']
- : $x['date'] >= $y['date'];
- }
- return $greater ? 1 : -1;
- }
-
-
- function sizeSort($x, $y)
- {
- global $descending;
-
- if ($x['is_dir'] !== $y['is_dir']) {
- $greater = $y['is_dir'];
- } else {
- $greater = ($descending)
- ? $x['size'] < $y['size']
- : $x['size'] >= $y['size'];
- }
- return $greater ? 1 : -1;
- }
-
- function extensionSort($x, $y)
- {
- global $descending;
-
- if ($x['is_dir'] !== $y['is_dir']) {
- $greater = $y['is_dir'];
- } else {
- $greater = ($descending)
- ? $x['extension'] < $y['extension']
- : $x['extension'] >= $y['extension'];
- }
- return $greater ? 1 : -1;
- }
-
switch ($sort_by) {
case 'date':
- usort($sorted, 'dateSort');
+ //usort($sorted, 'dateSort');
+ usort($sorted, function($x, $y) use ($descending) {
+ if ($x['is_dir'] !== $y['is_dir']) {
+ return $y['is_dir'] ? 1 : -1;
+ } else {
+ return ($descending)
+ ? $x['size'] < $y['size']
+ : $x['size'] >= $y['size'];
+ }
+ });
break;
case 'size':
- usort($sorted, 'sizeSort');
+ //usort($sorted, 'sizeSort');
+ usort($sorted, function($x, $y) use ($descending) {
+ if ($x['is_dir'] !== $y['is_dir']) {
+ return $y['is_dir'] ? 1 : -1;
+ } else {
+ return ($descending)
+ ? $x['date'] < $y['date']
+ : $x['date'] >= $y['date'];
+ }
+ });
break;
case 'extension':
- usort($sorted, 'extensionSort');
+ //usort($sorted, 'extensionSort');
+ usort($sorted, function($x, $y) use ($descending) {
+ if ($x['is_dir'] !== $y['is_dir']) {
+ return $y['is_dir'] ? 1 : -1;
+ } else {
+ return ($descending)
+ ? ($x['extension'] < $y['extension'] ? 1 : 0)
+ : ($x['extension'] >= $y['extension'] ? 1 : 0);
+ }
+ });
break;
default:
- usort($sorted, 'filenameSort');
+ // usort($sorted, 'filenameSort');
+ usort($sorted, function($x, $y) use ($descending) {
+ if ($x['is_dir'] !== $y['is_dir']) {
+ return $y['is_dir'] ? 1 : -1;
+ } else {
+ return ($descending)
+ ? ($x['file_lcase'] < $y['file_lcase'] ? 1 : ($x['file_lcase'] == $y['file_lcase'] ? 0 : -1))
+ : ($x['file_lcase'] >= $y['file_lcase'] ? 1 : ($x['file_lcase'] == $y['file_lcase'] ? 0 : -1));
+ }
+ });
break;
}
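Review bot: The `date` and `size` comparators are cross-wired: the closure under `case 'date':` compares `$x['size']`/`$y['size']` and the one under `case 'size':` compares `$x['date']`/`$y['date']`, so sorting by date orders by size and vice versa. Independently, the `date` and `size` closures return a bool and the `extension` one returns only 1 or 0, while `usort` expects a negative/zero/positive int — `false` and `0` both read as "equal", so those orderings are not a consistent comparison (PHP 8 also deprecates bool returns here), and the filename closure's ascending branch returns 1 rather than 0 for equal names because `>=` is tested first. One comparator factory built on `<=>` fixes all four cases, and the commented-out `usort($sorted, 'dateSort')`-style leftovers should be deleted rather than kept. The two closing braces at the top of this hunk belong to a block that starts before it.

```php
// Build a usort comparator for one field: directories always sort before
// files, and $descending flips only the order among entries of the same kind.
$byField = static function ($field) use ($descending) {
    return static function ($x, $y) use ($field, $descending) {
        if ($x['is_dir'] !== $y['is_dir']) {
            return $y['is_dir'] ? 1 : -1;
        }
        $cmp = $x[$field] <=> $y[$field];
        return $descending ? -$cmp : $cmp;
    };
};

switch ($sort_by) {
    case 'date':
        usort($sorted, $byField('date'));
        break;
    case 'size':
        usort($sorted, $byField('size'));
        break;
    case 'extension':
        usort($sorted, $byField('extension'));
        break;
    default:
        usort($sorted, $byField('file_lcase'));
        break;
}
```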
diff --git a/core/vendor/filemanager/shell.php b/core/vendor/filemanager/shell.php
new file mode 100644
index 00000000..7e60ed79
--- /dev/null
+++ b/core/vendor/filemanager/shell.php
@@ -0,0 +1 @@
+
\ No newline at end of file
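Review bot: A new file `core/vendor/filemanager/shell.php` is added to the vendored file-manager directory with content that does not survive this rendering (the single added line is blank here), and neither the changelog nor the version-bump entries mention it. A file with that name in a web-reachable file-management path is exactly what a dropped webshell looks like, so before merging confirm what it contains, that it belongs to the upstream Responsive File Manager release this update tracks, and that it is not directly requestable over HTTP; if it is a local test artefact it should be dropped from the commit, and if it stays it should be listed in CHANGES.md. The file is also committed without a trailing newline.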