--- docman.php 2002/07/28 17:31:03 1.19 +++ docman.php 2002/07/28 19:52:11 1.23 @@ -90,8 +90,8 @@ if ($fsDocumentRoot == "") Error("Configuration error","Can't get SCRIPT_FILENAME from your web server. Please set \$fsDocumentRoot in \$",1); // globals for later - $gblLogin = $HTTP_SERVER_VARS["PHP_AUTH_USER"]; - $gblPasswd = $HTTP_SERVER_VARS["PHP_AUTH_PW"]; + $gblLogin = HTTP_SERVER_VAR("PHP_AUTH_USER"); + $gblPasswd = HTTP_SERVER_VAR("PHP_AUTH_PW"); ////////////////////////////////////////////////////////////////// @@ -155,7 +155,10 @@ function DetailPage($fsRoot,$relDir,$fn) { - global $gblEditable, $gblImages, $webRoot, $html, $HTTP_SERVER_VARS ; + global $gblEditable, $gblImages, + $gblDateFmt, $gblTimeFmt, + $webRoot, $html, + $HTTP_SERVER_VARS ; $self = $HTTP_SERVER_VARS["PHP_SELF"] ; $relPath = $relDir . "/" . $fn ; @@ -188,8 +191,8 @@ echo "

" . $relDir . "/" . $fn . "

" ; if ($exists) { // get file info $fsize = filesize($fsPath) ; - $fmodified = date("$GLOBALS[gblDateFmt] $GLOBALS[gblTimeFmt]", filemtime($fsPath)) ; - $faccessed = date("$GLOBALS[gblDateFmt] $GLOBALS[gblTimeFmt]", fileatime($fsPath)) ; + $fmodified = date("$gblDateFmt $gblTimeFmt", filemtime($fsPath)) ; + $faccessed = date("$gblDateFmt $gblTimeFmt", fileatime($fsPath)) ; $fuid=fileowner($fsPath); $fgid=filegroup($fsPath); $userinfo = posix_getpwuid($fuid); @@ -578,7 +581,7 @@ global $gblEditable, $gblIcon, $gblModDays, $webRoot, $gblHide, $gblIgnoreUnknownFileType, $gblRepositoryDir, - $gblLogin, + $gblLogin, $gblUserName, $gblDateFmt, $gblTimeFmt, $fsRealmDir, $realm, $realm_sep, $html, $realm_config, $HTTP_GET_VARS, $HTTP_SERVER_VARS; @@ -593,7 +596,7 @@ global $debug; $debug .= "[$gblLogin|$relDir] before >"; - if (! check_perm($relDir,(trperm_b | trperm_r))) + if (! check_perm($relDir,trperm_b)) Error("Access denied","User $gblLogin tried to access $relDir without valid trustee.",1); $debug .= "< afeter"; @@ -816,7 +819,7 @@ $ext = strtolower(strrchr($file,".")) ; if ($file_lock) { - if ($file_lock == $GLOBALS[gblUserName]) { + if ($file_lock == $gblUserName) { $b.="" ; $file_url_html=$b; @@ -844,7 +847,7 @@ } } - $mod = date("$GLOBALS[gblDateFmt] $GLOBALS[gblTimeFmt]",$mod); + $mod = date("$gblDateFmt $gblTimeFmt",$mod); include("$html/Navigate-fileEntry.html"); @@ -956,6 +959,8 @@ function LogIt($target,$msg, $changelog=0) { + global $gblDateFmt, $gblTimeFmt, $gblUserName, $gblFsRoot; + $dir=dirname($target); if (! file_exists($dir."/.log")) { if (! @mkdir($dir."/.log",0700)) Error("docman installation problem","can't create log directory $dir/.log",1); @@ -963,18 +968,17 @@ $file=basename($target); $log=fopen("$dir/.log/$file","a+"); - fputs($log,date("$GLOBALS[gblDateFmt]\t$GLOBALS[gblTimeFmt]"). - "\t$GLOBALS[gblUserName]\t$msg\n"); + fputs($log,date("$gblDateFmt\t$gblTimeFmt"). + "\t$gblUserName\t$msg\n"); fclose($log); if (! $changelog) return; - global $gblFsRoot; $log=fopen("$gblFsRoot/.changelog","a+"); if (substr($target,0,strlen($gblFsRoot)) == $gblFsRoot) $target=substr($target,strlen($gblFsRoot),strlen($target)-strlen($gblFsRoot)); $msg=str_replace("\t"," ",$msg); - fputs($log,time()."\t$target\t$GLOBALS[gblUserName]\t$msg\n"); + fputs($log,time()."\t$target\t$gblUserName\t$msg\n"); fclose($log); // FIX: implement e-mail notification based on $changelog @@ -1034,6 +1038,8 @@ function Lock($target) { + global $gblUserName; + $target=stripSlashes($target); $dir=dirname($target); if (! file_exists($dir."/.lock")) { @@ -1045,7 +1051,7 @@ LogIt($target,"attempt to locked allready locked file!"); } else { $lock=fopen("$dir/.lock/$file","w"); - fputs($lock,"$GLOBALS[gblUserName]\n"); + fputs($lock,"$gblUserName\n"); fclose($lock); LogIt($target,"file locked"); @@ -1094,6 +1100,9 @@ ////////////////////////////////////////////////////////////////// function safe_rename($fromdir,$fromfile,$tofile) { + + global $gblNumBackups; + function try_rename($from,$to) { # print "$from -> $to\n"; if (file_exists($from) && is_writeable(dirname($to))) { @@ -1123,7 +1132,7 @@ try_dir("$todir/.lock"); try_rename("$fromdir/.lock/$fromfile","$todir/.lock/$tofile"); try_dir("$todir/.bak"); - for($i=0;$i<=$GLOBALS[gblNumBackups];$i++) { + for($i=0;$i<=$gblNumBackups;$i++) { try_rename("$fromdir/.bak/$i/$fromfile","$todir/.bak/$i/$tofile"); } } @@ -1151,7 +1160,10 @@ function DisplayChangeLog($day) { - global $gblFsRoot,$HTTP_SERVER_VARS; + global $gblFsRoot, $gblDateFmt, $gblTimeFmt, + $HTTP_SERVER_VARS; + + $self = $HTTP_SERVER_VARS["PHP_SELF"]; if (!file_exists("$gblFsRoot/.changelog")) return; $log=fopen("$gblFsRoot/.changelog","r"); @@ -1170,14 +1182,14 @@ print "\n"; while ($e = array_shift($logarr)) { $cl=$cl1; $cl1=$cl2; $cl2=$cl; - $date = date("$GLOBALS[gblDateFmt]", $e[0]); - $time = date("$GLOBALS[gblTimeFmt]", $e[0]); + $date = date($gblDateFmt, $e[0]); + $time = date($gblTimeFmt, $e[0]); $dir = dirname($e[1]); $file = basename($e[1]); print "$date$time$dir/$file$e[2]$e[3]\n"; } print "
"; - print "

".GifIcon(up)." Back to front page.

"; + print "

".GifIcon("up")." Back to front page.

"; } ////////////////////////////////////////////////////////////////// @@ -1393,11 +1405,9 @@ } // helper function -function unroll_perm($u,$t,$user,$perm) { +function unroll_perm($u,$t,$perm,$one_level) { - // check user FIX - if ($t & trmask_not && ($u==$user)) continue; - if (!($t & trmask_not) && ($u!=$user)) continue; + if ($t & trmask_one_level && !$one_level) return $perm; if ($t & trmask_deny) { if ($t & trmask_clear) { @@ -1429,31 +1439,35 @@ $tmppath.=array_shift($path_arr); $debug.= ">> $tmppath "; - # clear one level flag - $perm['allow'] &= ~trmask_one_level; - $perm['deny'] &= ~trmask_one_level; - if (! isset($trustees[$tmppath])) continue; $tr = $trustees[$tmppath]; + $one_level = (!count($path_arr)); +$debug.=" O($one_level) "; + if (isset($tr)) { // first apply trustee for all if (isset($tr['*'])) { - $perm = unroll_perm($user,$tr['*'],$user, $perm); + $perm = unroll_perm($user,$tr['*'],$perm, $one_level); unset($tr['*']); } - // then apply group policies + // then apply not and group policies foreach ($tr as $g=>$t) { - if ($t & trmask_group && in_group($user,$g)) { + if ($t & trmask_not && $g != $user) { + $t = $t & ~trmask_not; + $perm = unroll_perm($user,$t,$perm, $one_level); + unset($tr[$g]); + + } elseif ($t & trmask_group && in_group($user,$g)) { // resolv user $t = $t & ~trmask_group; - $perm = unroll_perm($user,$t,$user, $perm); + $perm = unroll_perm($user,$t,$perm, $one_level); unset($tr[$g]); } } // then apply user policy if (isset($tr[$user])) { - $perm = unroll_perm($user,$tr[$user],$user, $perm); + $perm = unroll_perm($user,$tr[$user],$perm,$one_level); unset($tr[$user]); } } @@ -1528,18 +1542,26 @@ // [replacement for register_globals in php.ini] function HTTP_GET_VAR($var) { - global $HTTP_GET_VARS, $GLOBALS; + global $HTTP_GET_VARS, ${$var}; if (isset($HTTP_GET_VARS[$var])) { - $GLOBALS[$var] = stripSlashes($HTTP_GET_VARS[$var]); - return $GLOBALS[$var]; + $$var = stripSlashes($HTTP_GET_VARS[$var]); + return $$var; } } function HTTP_POST_VAR($var) { - global $HTTP_GET_VARS, $GLOBALS; - if (isset($HTTP_GET_VARS[$var])) { - $GLOBALS[$var] = stripSlashes($HTTP_GET_VARS[$var]); - return $GLOBALS[$var]; + global $HTTP_POST_VARS, ${$var}; + if (isset($HTTP_POST_VARS[$var])) { + $$var = $HTTP_POST_VARS[$var]; + return $$var; + } +} + +function HTTP_SERVER_VAR($var) { + global $HTTP_SERVER_VARS, ${$var}; + if (isset($HTTP_SERVER_VARS[$var])) { + $$var = $HTTP_SERVER_VARS[$var]; + return $$var; } } @@ -1650,19 +1672,22 @@ // read mime.types readMime(); +HTTP_POST_VAR("FN"); + if ($HTTP_SERVER_VARS["REQUEST_METHOD"] == "POST") { // take variables from server - if (HTTP_POST_VAR("FN")) check_filename($FN); + if (HTTP_POST_VAR("FN")) + check_filename($FN); if (HTTP_POST_VAR("DIR")) { check_dirname($DIR); $relDir = $DIR; } else { trigger_error("Can't get DIR",E_USER_WARNING); + $relDir = "/"; } if (HTTP_POST_VAR("RELPATH")) check_dirname($RELPATH); HTTP_POST_VAR("T"); HTTP_POST_VAR("CONFIRM"); - } else { // get HTTP_GET_VAR("A"); @@ -1707,8 +1732,7 @@ Error("You must select file with browse to upload it!"); } - $FILENAME = $HTTP_POST_VARS["FILENAME"]; - check_filename($FILENAME); + if (HTTP_POST_VAR("FILENAME")) check_filename($FILENAME); if (! isset($FILENAME)) { // from update file $target = "$fsDir/".basename($FN); @@ -1721,11 +1745,11 @@ if (! file_exists($dir."/.bak")) { mkdir($dir."/.bak",0700); } - if (! file_exists($dir."/.bak/$GLOBALS[gblNumBackups]")) { - mkdir($dir."/.bak/$GLOBALS[gblNumBackups]",0700); + if (! file_exists($dir."/.bak/$gblNumBackups")) { + mkdir($dir."/.bak/$gblNumBackups",0700); } $file=basename($target); - for($i=$GLOBALS[gblNumBackups]-1;$i>0;$i--) { + for($i=$gblNumBackups-1;$i>0;$i--) { MoveTo("$dir/.bak/$i/$file","$dir/.bak/".($i+1)."/"); } MoveTo($target,$dir."/.bak/1/"); @@ -1751,7 +1775,7 @@ if (!($writable || (!$exists && $legaldir))) Error("Write denied",$RELPATH) ; $fh = fopen($path, "w") ; - $FILEDATA=stripSlashes($FILEDATA); + HTTP_POST_VAR("FILEDATA"); fwrite($fh,$FILEDATA) ; fclose($fh) ; clearstatcache() ; @@ -1760,7 +1784,11 @@ case "CREATE" : // we know $fsDir exists - if ($FN == "") break; // no filename! + if (! check_perm($relDir, trperm_w)) + Error("Write access denied","You don't have permission to write in $relDir"); + if ($T == "D") $type = "directory"; + else $type ="file"; + if ($FN == "") Error("Can't create $type","You must enter name of $type to create it."); if (!is_writeable($fsDir)) Error("Write denied",$relDir) ; $path = $fsDir . "/" . $FN ; // file or dir to create $relPath = $relDir . "/" . $FN ; @@ -1786,7 +1814,7 @@ } else { Error("Creation of file $relPath failed -- $path"); } - $tstr = "$PHP_SELF?A=E&D=".urlencode($relDir)."&F=".urlencode($FN) ; + $tstr = $HTTP_SERVER_VARS["PHP_SELF"]."?A=E&D=".urlencode($relDir)."&F=".urlencode($FN) ; header("Location: " . $tstr) ; exit ; } @@ -1865,8 +1893,8 @@ // common to all POSTs : redirect to directory view ($relDir) if (isset($POSTACTION)) { - $tstr = $PHP_SELF . "?D=" . urlencode($relDir) ; - header("Location: " . $tstr) ; + $tstr = $HTTP_SERVER_VARS["PHP_SELF"]."?D=".urlencode($relDir); + header("Location: ".$tstr) ; exit ; }