--- docman.php 2002/07/27 22:26:30 1.12 +++ docman.php 2002/07/28 12:14:18 1.14 @@ -145,6 +145,9 @@ $url_title="relogin"; } include("$html/footer.html"); + + global $debug; + if ($debug) print $debug; } // end function EndHTML ////////////////////////////////////////////////////////////////// @@ -160,14 +163,16 @@ $exists = file_exists($fsPath) ; $ext = strtolower(strrchr($relPath,".")) ; - $editable = ( $ext=="" || strstr(join(" ",$gblEditable),$ext)) ; - $writable = is_writeable($fsPath) ; + $editable = ( $ext=="" || strstr(join(" ",$gblEditable),$ext)) && + check_perm($relPath,trperm_w); + $writable = is_writeable($fsPath) && check_perm($relPath,trperm_w) ; + $writable_dir = is_writeable($fsDir) && check_perm($relDir,trperm_w) ; $file_lock = CheckLock($fsPath); if (!$editable && !$exists) - Error("Creation unsupported for type",$relPath) ; - if (!exists && !is_writeable($fsDir) ) - Error("Creation denied",$relDir) ; + Error("Creation denied","Can't create $relPath") ; + if (!$exists && !$writable_dir ) + Error("Creation denied","Can't write in directory $relDir while creating $relPathfor which user has permissions.",1); $text = _("Use this page to view, modify or ") ; if (is_dir($fsPath)) { @@ -200,7 +205,7 @@ $fstr = htmlentities( $fstr ) ; ?> -
+ DOCUMENT CONTENTS
@@ -574,14 +579,14 @@ $gblIgnoreUnknownFileType, $gblRepositoryDir, $fsRealmDir, $realm, $realm_sep, $HTTP_GET_VARS, $html, $realm_config; - + $self = $HTTP_SERVER_VARS["PHP_SELF"] ; if ($relDir == "") $relDir = "/"; $fsDir = $fsRoot.$relDir."/"; // current directory - if (!is_dir($fsDir)) Error("Dir not found",$relDir) ; + if (!is_dir($fsDir)) Error("Dir not found",$relDir,1) ; $hide_items=",$gblHide,"; @@ -634,7 +639,7 @@ echo "" ; - // updir bar + // updir (parent) bar if (chopsl($fsDir) != chopsl($fsRoot)) { $parent = dirname($relDir) ; if ($parent == "") $parent = "/" ; @@ -714,7 +719,7 @@ $dir = $dirList[$key]; $info_url=self_args(array("A"=>"A=E", "F"=>"F=".urlencode($dir), "D"=>$D)); - $dir_url=$self."?D=".urlencode($relDir."/".$dir); + $dir_url=$self."?D=".urlencode(chopsl($relDir)."/".$dir); include("$html/Navigate-dirEntry.html"); } // iterate over dirs @@ -1212,8 +1217,8 @@ ////////////////////////////////////////////////////////////////// function chopsl($path) { - if (substr($path,strlen($path)-1,1) == "/") $path=substr($path,0,strlen($path)-1); $path=str_replace("//","/",$path); + if (substr($path,strlen($path)-1,1) == "/") $path=substr($path,0,strlen($path)-1); return $path; } @@ -1438,15 +1443,17 @@ function check_perm($path,$trperm) { global $gblLogin,$HAVE_TRUSTEE; -print "
check_perm: $path test perm ".display_trustee($perm)."
\n"; + + global $debug; +$debug.="
check_perm: $path test perm ".display_trustee($perm)."
\n"; $return = ! $HAVE_TRUSTEE; if ($HAVE_TRUSTEE) { $perm = check_trustee($gblLogin,$path); -print " d: $perm[deny] (".display_trustee($perm[deny]).") a: $perm[allow] (".display_trustee($perm[allow]).") perm: $trperm"; +$debug.=" d: $perm[deny] (".display_trustee($perm[deny]).") a: $perm[allow] (".display_trustee($perm[allow]).") perm: $trperm"; if ($perm[deny] & $trperm) $return=0; elseif ($perm[allow] & $trperm) $return=1; } -print " return: $return
\n"; +$debug.=" return: $return
\n"; return($return); } @@ -1476,6 +1483,19 @@ } ////////////////////////////////////////////////////////////////// + +// check for invalid characters in filename and dirname (.. and /) + +function check_dirname($file) { + if (strstr($file,"..")) Error("Security violation","No parent dir .. allowed in directory name $file",1); +} + +function check_filename($file) { + if (strstr($file,"..")) Error("Security violation","No parent dir .. allowed in file name $file",1); + if (strstr($file,"/")) Error("Security violation","No slashes / allowed in file name $file",1); +} + +////////////////////////////////////////////////////////////////// // MAIN PROGRAM $gblFilePerms = 0640 ; // default for new files @@ -1503,7 +1523,7 @@ // try to add dir to script name to realm var if (is_dir("$fsRealmDir/$realm/".dirname($HTTP_SERVER_VARS[SCRIPT_NAME]))) { - $realm .= "/".dirname($HTTP_SERVER_VARS[SCRIPT_NAME]); + $realm .= dirname($HTTP_SERVER_VARS[SCRIPT_NAME]); $realm_sep = "/"; } else { $realm_sep = "."; @@ -1569,36 +1589,46 @@ Error("401 Unauthorized","No trespassing !",0,1); } + // read mime.types readMime(); - // get current directory relative to $gblFsRoot - $relDir = $DIR ; // from POST - if ($relDir == "") { // not defined in POST ? - $relDir = urldecode($D) ; // then use GET - } + if ($HTTP_SERVER_VARS["REQUEST_METHOD"] == "POST") { + // take variables from server + $FN=stripSlashes($HTTP_POST_VARS["FN"]); + $DIR=stripSlashes($HTTP_POST_VARS["DIR"]); + $RELPATH=stripSlashes($HTTP_POST_VARS["RELPATH"]); + $T=stripSlashes($HTTP_POST_VARS["T"]); + $CONFIRM=stripSlashes($HTTP_POST_VARS["CONFIRM"]); + + check_filename($FN); + check_dirname($DIR); + check_dirname($RELPATH); - $relDir=stripSlashes($relDir); + $relDir = $DIR; + } else { + // get + $A=stripSlashes($HTTP_GET_VARS["A"]); + $D=stripSlashes(urldecode($HTTP_GET_VARS["D"])); + $F=stripSlashes($HTTP_GET_VARS["F"]); - if ($relDir == "/") $relDir = "" ; - // default : website root = "" + check_filename($F); + check_dirname($D); - if (strstr($relDir,"..")) Error("No updirs allowed"); + $relDir = $D; + } - // full paths contain "fs" or "Fs". Paths realitve to root of - // website contain "rel" or "Rel". The script won't let you - // edit anything above directory equal to http://server.com - // i.e. below $gblFsRoot. + if ($relDir == "/") $relDir = "" ; $relScriptDir = dirname($SCRIPT_NAME) ; // i.e. /docman // start on server root $gblFsRoot = $gblRepositoryDir; - // i.e. /home/httpd/html + // i.e. /home/httpd/repository $fsDir = $gblFsRoot . $relDir ; // current directory - if ( !is_dir($fsDir) ) Error("Dir not found",$relDir) ; + if ( !is_dir($fsDir) ) Error("Dir not found",$relDir,1) ; if (isset($HTTP_SERVER_VARS["HTTPS"]) && $HTTP_SERVER_VARS["HTTPS"] == "on") { $webRoot = "https://"; @@ -1607,21 +1637,6 @@ } $webRoot .= $HTTP_SERVER_VARS["HTTP_HOST"] . $relScriptDir; - // take variables from server - $FN=stripSlashes($HTTP_POST_VARS["FN"]); - $DIR=stripSlashes($HTTP_POST_VARS["DIR"]); - $RELPATH=stripSlashes($HTTP_POST_VARS["RELPATH"]); - $T=stripSlashes($HTTP_POST_VARS["T"]); - $CONFIRM=stripSlashes($HTTP_POST_VARS["CONFIRM"]); - - // get - $A=stripSlashes($HTTP_GET_VARS["A"]); - $D=stripSlashes($HTTP_GET_VARS["D"]); - -// if (isset($F)) Error("Document manager system error","variable $F shouldn't be set here (re-check old code)",1); -// $F=stripSlashes($HTTP_SERVER_VARS["PATH_INFO"]); - $F=stripSlashes($HTTP_GET_VARS["F"]); - switch ($HTTP_POST_VARS["POSTACTION"]) { case "UPLOAD" : $FN_name=stripSlashes($HTTP_POST_FILES["FN"]["tmp_name"]); @@ -1634,8 +1649,8 @@ } $FILENAME = $HTTP_POST_VARS["FILENAME"]; - if (strstr($FILENAME,"/")) - Error("Upload error","Non-conforming filename. Filename $FILENAME has slashes (/) in it.") ; + check_filename($FILENAME); + if (! isset($FILENAME)) { // from update file $target = "$fsDir/".basename($FN); } else { @@ -1803,7 +1818,7 @@ // $A=Co : checkout file $D/$F // $A=Ci : checkin file $D/$F // $A=V : view file (do nothing except log) - // $A=I : include file .$F.php from $gblFsRoot + // $A=I : include file .$F.php from [$gblIncDir|realm]/include_php // default : display directory $D switch ($A) { @@ -1858,11 +1873,17 @@ EndHTML() ; exit; case "I" : - $F=stripSlashes($F); - $inc_file="${gblFsRoot}/.${F}.php"; - if (!isset($F) || $F == "" || !file_exists($inc_file)) Error("Fatal error $inc_file"); // can't find file to include + if (! isset($F) || $F == "") + Error("Can't find file to include","Your request didn't specify file to include which should be in variable F like $HTTP_SERVER_VARS[REQUEST_URI]&F=include_php_file",1); + if (file_exists("$gblIncDir/include_php/$F.php")) { + $inc_file="$gblIncDir/include_php/${F}.php"; + } elseif (file_exists("$fsRealmDir/$realm/$F.php")) { + $inc_file="$fsRealmDir/$realm/${F}.php"; + } else { + Error("Can't find file to include","Can't find include file $F.php in $gblIncDir/include_php/ nor $fsRealmDir/$realm/",1); + } if (!is_readable($inc_file)) - Error("Read access to include file denied",".${F}.php"); + Error("Read access to include file denied","Can't read PHP include file $inc_file. Fix permissions on it."); $text = "Your include file should define \$text variable which holds this text and \$title variable which is page title"; $title = "You should define \$title variable with page title"; include($inc_file);