--- docman.php 2002/07/25 21:16:08 1.2 +++ docman.php 2002/07/28 11:39:59 1.13 @@ -25,8 +25,8 @@ // from where to include auth_*.php modules? $gblIncDir = "/data/docman2"; - // force download (so it won't open in associated application) - $gblForceDownload = 1; + // force download on view (so it won't open in associated application) + $gblForceDownload = 0; // date format $gblDateFmt="Y-m-d"; @@ -84,14 +84,14 @@ LoadLanguage($HTTP_SERVER_VARS["HTTP_ACCEPT_LANGUAGE"]); // for security and configuration - $realm="$HTTP_HOST"; // FIX + $realm=$HTTP_SERVER_VARS[HTTP_HOST]; $fsDocumentRoot = dirname($HTTP_SERVER_VARS[SCRIPT_FILENAME]); - if ($fsDocumentRoot == "") Error("Configuration error","Can't get SCRIPT_FILENAME from your web server. Please set \$fsDocumentRoot in \$"); + if ($fsDocumentRoot == "") Error("Configuration error","Can't get SCRIPT_FILENAME from your web server. Please set \$fsDocumentRoot in \$",1); // globals for later - $gblLogin = $PHP_AUTH_USER; - $gblPasswd = $PHP_AUTH_PW; + $gblLogin = $HTTP_SERVER_VARS[PHP_AUTH_USER]; + $gblPasswd = $HTTP_SERVER_VARS[PHP_AUTH_PW]; ////////////////////////////////////////////////////////////////// @@ -109,16 +109,16 @@ function StartHTML($title,$text="") { - global $html,$fsDocumentRoot; + global $html,$fsDocumentRoot,$HTTP_SERVER_VARS; $title = $gblTitle." ".$title ; - $host = $GLOBALS["HTTP_HOST"] ; - $self = $GLOBALS["PHP_SELF"] ; + $host = $HTTP_SERVER_VARS["HTTP_HOST"] ; + $self = $HTTP_SERVER_VARS["PHP_SELF"] ; if (file_exists("$fsDocumentRoot/docman.css")) { $css=dirname($self)."/docman.css"; } else { - $css=$self."?STYLE=get&css=$css"; + $css=$self."?STYLE=get"; } include("$html/head.html"); @@ -145,15 +145,17 @@ $url_title="relogin"; } include("$html/footer.html"); - //phpinfo(); + + global $debug; + if ($debug) print $debug; } // end function EndHTML ////////////////////////////////////////////////////////////////// function DetailPage($fsRoot,$relDir,$fn) { - global $gblEditable, $gblImages, $webRoot, $html ; - $self = $GLOBALS["PHP_SELF"] ; + global $gblEditable, $gblImages, $webRoot, $html, $HTTP_SERVER_VARS ; + $self = $HTTP_SERVER_VARS["PHP_SELF"] ; $relPath = $relDir . "/" . $fn ; $fsPath = $fsRoot . $relPath ; @@ -161,14 +163,16 @@ $exists = file_exists($fsPath) ; $ext = strtolower(strrchr($relPath,".")) ; - $editable = ( $ext=="" || strstr(join(" ",$gblEditable),$ext)) ; - $writable = is_writeable($fsPath) ; + $editable = ( $ext=="" || strstr(join(" ",$gblEditable),$ext)) && + check_perm($relPath,trperm_w); + $writable = is_writeable($fsPath) && check_perm($relPath,trperm_w) ; + $writable_dir = is_writeable($fsDir) && check_perm($relDir,trperm_w) ; $file_lock = CheckLock($fsPath); if (!$editable && !$exists) - Error(_("Creation unsupported for type"),$relPath) ; - if (!exists && !is_writeable($fsDir) ) - Error(_("Creation denied"),$relDir) ; + Error("Creation denied","Can't create $relPath") ; + if (!$exists && !$writable_dir ) + Error("Creation denied","Can't write in directory $relDir while creating $relPathfor which user has permissions.",1); $text = _("Use this page to view, modify or ") ; if (is_dir($fsPath)) { @@ -201,7 +205,7 @@ $fstr = htmlentities( $fstr ) ; ?> -
+ DOCUMENT CONTENTS
@@ -572,46 +576,45 @@ function Navigate($fsRoot,$relDir) { global $gblEditable, $gblIcon, $gblModDays, $webRoot, $gblHide, - $HTTP_GET_VARS, $html; - - $self = $GLOBALS["PHP_SELF"] ; + $gblIgnoreUnknownFileType, $gblRepositoryDir, + $fsRealmDir, $realm, $realm_sep, + $HTTP_GET_VARS, $html, $realm_config; + + $self = $HTTP_SERVER_VARS["PHP_SELF"] ; if ($relDir == "") $relDir = "/"; $fsDir = $fsRoot.$relDir."/"; // current directory - if (!is_dir($fsDir)) Error("Dir not found",$relDir) ; + if (!is_dir($fsDir)) Error("Dir not found",$relDir,1) ; $hide_items=",$gblHide,"; -#display_all_trustee(); -print "-- $fsDir --"; - // read directory contents if ( !($dir = @opendir($fsDir)) ) - Error("Read Access denied",$relDir) ; + Error("Read Access denied",$relDir,1) ; while ($item = readdir($dir)) { -print "$item, "; if ( substr($item,0,1) == "." || strstr($hide_items,",$item,") ) continue ; - if ((is_dir($fsDir.$item) || is_link ($fsDir.$item)) && check_perm($relDir.$item,trperm_b)) { - $dirList[$item] = $item ; - $dirNote[$item] = ReadNote($fsDir.$item); - } else if ( is_file($fsDir.$item) && check_perm($relDir.$item,trperm_r) ) { - $fileList[$item] = $item ; - $fileDate[$item] = filemtime($fsDir.$item) ; - $fileSize[$item] = filesize($fsDir.$item) ; - $fileNote[$item] = ReadNote($fsDir.$item); + if (is_dir($fsDir.$item) || is_link ($fsDir.$item)) { + if (check_perm($relDir.$item,trperm_b)) { + $dirList[$item] = $item ; + $dirNote[$item] = ReadNote($fsDir.$item); + } + } else if (is_file($fsDir.$item)) { + if (check_perm($relDir.$item,trperm_r)) { + $fileList[$item] = $item ; + $fileDate[$item] = filemtime($fsDir.$item) ; + $fileSize[$item] = filesize($fsDir.$item) ; + $fileNote[$item] = ReadNote($fsDir.$item); + } } else { - // unknown file type - // $text = "Could not determine file type of " ; - // Error("File Error", $text.$relDir."/".$item) ; - // exit ; + if (! $gblIgnoreUnknownFileType) Error("File Type Error", "Item ".$fsDir.$item." is not file, directory or link. If you want to ignore errors like this, set \$gblIgnoreUnknownFileType = 1 in $realm_config.",1); } } closedir($dir) ; // scan deleted files - if ( $GLOBALS[show_deleted] == 1 && ($dir = @opendir("$fsDir/.del")) ) { + if ( $HTTP_GET_VARS["show_deleted"] == 1 && ($dir = @opendir("$fsDir/.del")) ) { while ($item = readdir($dir)) { if ( substr($item,0,1) == "." || strstr($hide_items,",$item,") || !check_perm($relDir.$item,trperm_w) ) continue ; $fileList[$item] = ".del/$item" ; @@ -626,7 +629,7 @@ // start navigation page $text = "Use this page to add, delete"; - if (! isset($show_deleted)) { + if (! isset($HTTP_GET_VARS[show_deleted])) { $text .= ", undelete"; } $text .= " or revise files on this web site." ; @@ -636,7 +639,7 @@ echo "" ; - // updir bar + // updir (parent) bar if (chopsl($fsDir) != chopsl($fsRoot)) { $parent = dirname($relDir) ; if ($parent == "") $parent = "/" ; @@ -716,7 +719,7 @@ $dir = $dirList[$key]; $info_url=self_args(array("A"=>"A=E", "F"=>"F=".urlencode($dir), "D"=>$D)); - $dir_url=$self."?D=".urlencode($relDir."/".$dir); + $dir_url=$self."?D=".urlencode(chopsl($relDir)."/".$dir); include("$html/Navigate-dirEntry.html"); } // iterate over dirs @@ -788,8 +791,7 @@ $file_lock=CheckLock($path); - $file_url_html="" ; if (substr($file,0,5) != ".del/") { @@ -804,8 +806,7 @@ if ($file_lock) { if ($file_lock == $GLOBALS[gblUserName]) { - $b.="" ; $file_url_html=$b; $b.=$gblIcon("checkin")."" ; @@ -819,14 +820,12 @@ $file_url_html = "$file $a"; } } else { - $b.="" ; - $b.=$gblIcon("checkout")."" ; + $b.=$gblIcon("checkout").""; if ( $ext=="" || strstr(join(" ",$gblEditable),$ext) ) { - $b.="" ; $b.=$gblIcon("view")."" ; } else { @@ -866,12 +865,18 @@ "; +} elseif (file_exists("$gblRepositoryDir/.info.inc")) { print " - "; + include("$gblRepositoryDir/.info.inc"); + print ""; } + + ?> @@ -896,54 +901,55 @@ function UploadPage($fsRoot, $relDir, $filename="") { - $self = $GLOBALS["PHP_SELF"] ; + global $html, $HTTP_SERVER_VARS; + + $self = $HTTP_SERVER_VARS["PHP_SELF"] ; if ($relDir == "") $relDir = "/" ; -?> -

"; + include("$fsRealmDir/$realm".$realm_sep."info.inc"); + print "
"; - include(".info.inc"); - print "
-
- -DESTINATION DIRECTORY: - -
DESTINATION FILE: - - -

PATHNAME OF LOCAL FILE
- - -

-

-

If the [BROWSE...] button is not displayed,
-you must upgrade to an RFC1867-compliant browser.

-

Your browser:

- -
-
-
- -
-

+ include("$html/UploadPage.html"); -Hit your Browser's Back Button.

" ; - EndHTML() ; +// Error with sysadmin flag are reported to error_log or hidden from +// users + +function Error($title,$text="",$sysadmin=0,$no_404=0) { + global $gblSeparateAdminMessages, + $gblMailAdminMessages,$realm, + $HTTP_SERVER_VARS; + if (! headers_sent() && ! $no_404) header("HTTP/1.0 404 Not Found"); + if ($sysadmin) { + if ($gblSeparateAdminMessages) { + $user="Your administrator "; + if ($gblMailAdminMessages) { + mail($HTTP_SERVER_VARS["SERVER_ADMIN"], "docman $realm error message: $title", strip_tags($text)); + $user.="".$HTTP_SERVER_VARS["SERVER_ADMIN"]." "; + } + $user.="has been notified about error" ; + StartHTML("($title)",$user); + echo "

Hit your Browser's Back Button.

" ; + EndHTML(); + error_log("docman $realm: ".strip_tags($text)); + } else { + StartHTML("ADMIN: ".$title,$text) ; + echo "

Hit your Browser's Back Button.

" ; + EndHTML(); + } + } else { + StartHTML("(".$title.")",$text) ; + echo "

Hit your Browser's Back Button.

" ; + EndHTML() ; + } exit ; } // end function Error -////////////////////////////////////////////////////////////////// - function LogIt($target,$msg, $changelog=0) { $dir=dirname($target); if (! file_exists($dir."/.log")) { - if (! @mkdir($dir."/.log",0700)) Error("docman installation problem","can't create log directory $dir/.log"); + if (! @mkdir($dir."/.log",0700)) Error("docman installation problem","can't create log directory $dir/.log",1); } $file=basename($target); @@ -1082,13 +1088,15 @@ function try_rename($from,$to) { # print "$from -> $to\n"; if (file_exists($from) && is_writeable(dirname($to))) { - rename($from,$to); + return rename($from,$to); + } else { + return 0; } } function try_dir($todir) { if (! file_exists($todir)) { - mkdir($todir,0700); + @mkdir($todir,0700); } } @@ -1098,7 +1106,7 @@ # print "
$fromdir / $fromfile -> $todir / $tofile\n\n";
 
-	try_rename("$fromdir/$fromfile","$todir/$tofile");
+	if (! try_rename("$fromdir/$fromfile","$todir/$tofile")) Error("Rename error","Can't rename file $fromfile to $tofile",1);
 	try_dir("$todir/.log");
 	try_rename("$fromdir/.log/$fromfile","$todir/.log/$tofile");
 	try_dir("$todir/.note");
@@ -1134,7 +1142,8 @@
 
 function DisplayChangeLog($day) {
 
-	global $gblFsRoot;
+	global $gblFsRoot,$HTTP_SERVER_VARS;
+
 	if (!file_exists("$gblFsRoot/.changelog")) return;
 	$log=fopen("$gblFsRoot/.changelog","r");
 	$logarr = array();
@@ -1156,28 +1165,50 @@
 		$time = date("$GLOBALS[gblTimeFmt]", $e[0]);
 		$dir = dirname($e[1]);
 		$file = basename($e[1]);
-		print "$date$time$dir/$file$e[2]$e[3]\n";
+		print "$date$time$dir/$file$e[2]$e[3]\n";
 	}
 	print "";
-	print "
".GifIcon(up)." Back to front page.
";
+	print "
".GifIcon(up)." Back to front page.
";
 }
 
 //////////////////////////////////////////////////////////////////
 
-function Download($path) {
-	global $HTTP_USER_AGENT;
-	$file=basename($path);
+function Download($path,$force=0) {
+	global $HTTP_SERVER_VARS,$mime_type;
+
+	// default transfer-encoding
+	$encoding = "binary";
+
+	// known transfer encodings
+	$encoding_ext = array(
+		"gz" => "x-gzip",
+		"Z" => "x-compress",
+	);
+
+	$file = basename($path);
 	$size = filesize($path);
-	//header("Content-Type: application/octet-stream");
-	header("Content-Type: application/force-download");
-	header("Content-Length: $size");
+
+	$ext_arr = explode(".",$file);
+	$ext = array_pop($ext_arr);
+	if ($encoding_ext[$ext]) {
+		$encoding = $encoding_ext[$ext];
+		$ext = array_pop($ext_arr);
+	}
+
+	if ($force || !isset($mime_type[$ext])) {
+		header("Content-Type: application/force-download");
+	} else {
+		header("Content-Type: $mime_type[$ext]");
+	}
+
 	// IE5.5 just downloads index.php if we don't do this
-	if(preg_match("/MSIE 5.5/", $HTTP_USER_AGENT)) {
+	if(preg_match("/MSIE 5.5/", $HTTP_SERVER_VARS[HTTP_USER_AGENT])) {
 		header("Content-Disposition: filename=$file");
 	} else {
 		header("Content-Disposition: attachment; filename=$file");
 	}
-	header("Content-Transfer-Encoding: binary");
+
+	header("Content-Transfer-Encoding: $encoding");
 	$fh = fopen($path, "r");
 	fpassthru($fh);
 }
@@ -1186,8 +1217,8 @@
 //////////////////////////////////////////////////////////////////
 
 function chopsl($path) {
-	if (substr($path,strlen($path)-1,1) == "/") $path=substr($path,0,strlen($path)-1);
 	$path=str_replace("//","/",$path);
+	if (substr($path,strlen($path)-1,1) == "/") $path=substr($path,0,strlen($path)-1);
 	return $path;
 }
 
@@ -1267,8 +1298,6 @@
 	$groups_arr = array();
 	$perm_arr = array();
 
-	$error=0;
-
 	$tr_arr = array();
 
 	while (! feof($fp_conf)) {
@@ -1336,7 +1365,7 @@
 }
 
 if ($error) {
-	Error("Trustee error",$error);
+	Error("Trustee error",$error,1);
 } else {
 	include("$trustee_php");
 }
@@ -1414,18 +1443,57 @@
 
 function check_perm($path,$trperm) {
 	global $gblLogin,$HAVE_TRUSTEE;
-print "
check_perm: $path test perm ".display_trustee($perm)."
\n";
+
+	global $debug;
+$debug.="
check_perm: $path test perm ".display_trustee($perm)."
\n";
 	$return = ! $HAVE_TRUSTEE;
 	if ($HAVE_TRUSTEE) {
 		$perm = check_trustee($gblLogin,$path);
-print " d: $perm[deny] (".display_trustee($perm[deny]).") a: $perm[allow] (".display_trustee($perm[allow]).") perm: $trperm";
+$debug.=" d: $perm[deny] (".display_trustee($perm[deny]).") a: $perm[allow] (".display_trustee($perm[allow]).") perm: $trperm";
 		if ($perm[deny] & $trperm) $return=0;
 		elseif ($perm[allow] & $trperm) $return=1;
 	}
-print " return: $return
\n";
+$debug.=" return: $return
\n";
 	return($return);
 }
 
+//////////////////////////////////////////////////////////////////
+
+function readMime() {
+	global $mime_type;
+
+	if (! isset($gblMimeTypes)) {
+		$gblMimeTypes = "/etc/mime.types";
+	}
+
+	$mime = @fopen($gblMimeTypes,"r");
+
+	if (! $mime) Error("Can't read MIME types","$gblMimeTypes file not found. You can setup other mime.types file using \$gblMimeTypes in $realm_config");
+
+	while($line = fgets($mime,80)) {
+		if (substr($line,0,1) == "#") continue;	// skip comment
+		$arr = preg_split("/[\s\t]+/",$line);
+		$type = array_shift($arr);
+		while ($ext = array_shift($arr)) {
+			$mime_type[$ext] = $type;
+		}
+	}
+
+	fclose($mime);
+}
+
+//////////////////////////////////////////////////////////////////
+
+// check for invalid characters in filename and dirname (.. and /)
+
+function check_dirname($file) {
+	if (strstr($file,"..")) Error("Security violation","No parent dir .. allowed in directory name $file",1);
+}
+
+function check_filename($file) {
+	if (strstr($file,"..")) Error("Security violation","No parent dir .. allowed in file name $file",1);
+	if (strstr($file,"/")) Error("Security violation","No slashes / allowed in file name $file",1);
+}
 
 //////////////////////////////////////////////////////////////////
 // MAIN PROGRAM
@@ -1433,6 +1501,7 @@
 	$gblFilePerms = 0640 ;         // default for new files
 	$gblDirPerms  = 0750 ;		// default for new dirs
 
+	$STYLE = $HTTP_GET_VARS[STYLE];
 	if (isset($STYLE) && $STYLE == "get") {
 		include("$html/docman.css");
 		exit;
@@ -1451,7 +1520,16 @@
 	if (! isset($fsRealmDir)) {
 		$fsRealmDir = "$gblIncDir/realm";
 	}
-	$realm_config = "$fsRealmDir/$realm.conf";
+
+	// try to add dir to script name to realm var
+	if (is_dir("$fsRealmDir/$realm/".dirname($HTTP_SERVER_VARS[SCRIPT_NAME]))) {
+		$realm .= "/".dirname($HTTP_SERVER_VARS[SCRIPT_NAME]);
+		$realm_sep = "/";
+	} else {
+		$realm_sep = ".";
+	}
+
+	$realm_config = $fsRealmDir."/".$realm.$realm_sep."conf";
 
 	// read user-defined configuration
 	if (file_exists($realm_config)) {
@@ -1484,8 +1562,10 @@
 		exit ;
 	}
 
+	if (!is_dir($gblRepositoryDir)) Error("Repository dir not found","Can't find repository directory $gblRepositoryDir. Please fix that in $realm_config variable \$gblRepositoryDir.",1);
+
 	// trustee (ACL) file configuration
-	$trustee_conf="$gblIncDir/realm/$realm.trustee";
+	$trustee_conf="$fsRealmDir/$realm".$realm_sep."trustee";
 	// compiled version of trustee file
 	$trustee_php="$gblRepositoryDir/.trustee.php";
 	// get ACL informations
@@ -1506,60 +1586,73 @@
 		isset($relogin) && $secHash == $relogin) {
 		header("WWW-authenticate: basic realm=\"$realm\"") ;
 		header("HTTP/1.0 401 Unauthorized") ;
-		Error("401 Unauthorized","No trespassing !");
-		exit ;
+		Error("401 Unauthorized","No trespassing !",0,1);
 	}
 
-	// get current directory relative to $gblFsRoot 
-	$relDir = $DIR ;	// from POST
-	if ($relDir == "") {	// not defined in POST ? 
-		$relDir = urldecode($D) ;  // then use GET
-	}	
 
-	$relDir=stripSlashes($relDir);
+	// read mime.types
+	readMime();
 
-	if ($relDir == "/") $relDir = "" ; 	
-	// default : website root = ""
+	if ($HTTP_SERVER_VARS["REQUEST_METHOD"] == "POST") {
+		// take variables from server
+		$FN=stripSlashes($HTTP_POST_VARS["FN"]);
+		$DIR=stripSlashes($HTTP_POST_VARS["DIR"]);
+		$RELPATH=stripSlashes($HTTP_POST_VARS["RELPATH"]);
+		$T=stripSlashes($HTTP_POST_VARS["T"]);
+		$CONFIRM=stripSlashes($HTTP_POST_VARS["CONFIRM"]);
 
-	if (strstr($relDir,"..")) Error("No updirs allowed");
+		check_filename($FN);
+		check_dirname($DIR);
+		check_dirname($RELPATH);
+
+		$relDir = $DIR;
+	} else {
+		// get
+		$A=stripSlashes($HTTP_GET_VARS["A"]);
+		$D=stripSlashes(urldecode($HTTP_GET_VARS["D"]));
+		$F=stripSlashes($HTTP_GET_VARS["F"]);
+
+		check_filename($F);
+		check_dirname($D);
+
+		$relDir = $D;
+	}
 
-	// full paths contain "fs" or "Fs". Paths realitve to root of
-	// website contain "rel" or "Rel". The script won't let you 
-	// edit anything above directory equal to http://server.com 
-	// i.e. below $gblFsRoot.
+	if ($relDir == "/") $relDir = "" ; 	
 
 	$relScriptDir = dirname($SCRIPT_NAME) ;  	
 	// i.e. /docman
 
 	// start on server root
 	$gblFsRoot = $gblRepositoryDir;
-	// i.e. /home/httpd/html
+	// i.e. /home/httpd/repository
 
 	$fsDir = $gblFsRoot . $relDir ; // current directory
-	if ( !is_dir($fsDir) ) Error("Dir not found",$relDir) ;
+	if ( !is_dir($fsDir) ) Error("Dir not found",$relDir,1) ;
 
-	if (isset($GLOBALS["HTTPS"]) && $GLOBALS["HTTPS"] == "on") {
+	if (isset($HTTP_SERVER_VARS["HTTPS"]) && $HTTP_SERVER_VARS["HTTPS"] == "on") {
 		$webRoot  = "https://";
 	} else {
 		$webRoot  = "http://";
 	}
-	$webRoot .= $GLOBALS["HTTP_HOST"] . $relScriptDir;
-
-	$FN=stripSlashes($FN);
+	$webRoot .= $HTTP_SERVER_VARS["HTTP_HOST"] . $relScriptDir;
 
-	switch ($POSTACTION) {
+	switch ($HTTP_POST_VARS["POSTACTION"]) {
 	case "UPLOAD" :
+		$FN_name=stripSlashes($HTTP_POST_FILES["FN"]["tmp_name"]);
+		$FN=stripSlashes($HTTP_POST_FILES["FN"]["name"]);
 		if (!is_writeable($fsDir)) Error("Write denied",$relDir) ;
-		if (strstr($FN_name,"/")) 
-			Error("Non-conforming filename") ;
-		// TODO : should rather check for escapeshellcmds
-		// but maybe RFC 18xx asserts safe filenames ....
-		$source = $FN ;
+
+		$source = $FN_name ;
 		if (! file_exists($source)) {
 			Error("You must select file with browse to upload it!");
 		}
+
+		$FILENAME = $HTTP_POST_VARS["FILENAME"];
+		check_filename($FILENAME);
+
 		if (! isset($FILENAME)) { 	// from update file
-			$target = "$fsDir/$FN_name" ;
+			$target = "$fsDir/".basename($FN);
 		} else {
 			$target = "$fsDir/$FILENAME";
 		}
@@ -1657,9 +1750,8 @@
 
 //			if ( ! @unlink($path) ) { 
 			if ( ! rename($path,"$dir/.del/$file") ) { 
-				Error("File delete failed", $tstr . $path) ; 
 				LogIt($path,"file delete failed");
-				exit ; 
+				Error("File delete failed", $tstr . $path) ; 
 			} else {
 				LogIt($path,"file deleted",trperm_w);
 				MoveTo("$dir/.log/$file","$dir/.del/.log/");
@@ -1693,11 +1785,13 @@
 	case "RENAME" :  
 		if ( $CONFIRM != "on" ) break ;
 
+		$NEWNAME=stripSlashes($HTTP_POST_VARS["NEWNAME"]);
 		LogIt("$fsDir/$FN","renamed $FN to $NEWNAME",trperm_r);
 		safe_rename($fsDir,$FN,$NEWNAME);
 		break ;
 
 	case "NOTE" :  
+		$NOTE=stripSlashes($HTTP_POST_VARS["NOTE"]);
 		WriteNote("$fsDir/$FN","$NOTE");
 		break ;
 
@@ -1733,13 +1827,12 @@
 		if (!is_writeable($gblFsRoot . $relDir)) 
 			Error("Write access denied",$relDir) ;
 		$text  = "Use this page to upload a single " ;
-		$text .= "file to $HTTP_HOST." ;
+		$text .= "file to $realm." ;
 		StartHTML("(Upload Page)", $text) ;
 		UploadPage($gblFsRoot, $relDir) ;
 		EndHTML() ;
 		exit ;
 	case "E" :
-		$F=stripSlashes($F);
 		// detail of $relDir/$F
 		if (is_file("$gblFsRoot/$relDir/$F") || is_dir("$gblFsRoot/$relDir/$F")) DetailPage($gblFsRoot, $relDir, $F) ;
 		exit ;
@@ -1751,7 +1844,7 @@
 	case "Co" :
 		// checkout
 		Lock("$gblFsRoot/$relDir/$F");
-		Download("$gblFsRoot/$relDir/$F");
+		Download("$gblFsRoot/$relDir/$F",1);
 		exit;
 	case "Ci" :
 		$F=stripSlashes($F);
@@ -1759,7 +1852,7 @@
 		if (!is_writeable($gblFsRoot . $relDir)) 
 			Error("Write access denied",$relDir) ;
 		$text  = "Use this page to update a single " ;
-		$text .= "file to $HTTP_HOST." ;
+		$text .= "file to $realm." ;
 		StartHTML("(Update file Page)", $text) ;
 		UploadPage($gblFsRoot, $relDir, $F) ;
 		EndHTML() ;
@@ -1767,12 +1860,7 @@
 	case "V" :
 		// view
 		LogIt("$gblFsRoot/$relDir/$F","viewed");
-		if ($gblForceDownload) {
-			Download("$gblFsRoot/$relDir/$F");
-		} else {
-			header("Content-Disposition: attachment; filename=$F" );
-			Header("Location: $webRoot".urlpath("$relDir/$F"));
-		}
+		Download("$gblFsRoot/$relDir/$F",$gblForceDownload);
 		exit;
 	case "Ch" :
 		StartHTML("(File changes)","All changes chronologicaly...");
@@ -1794,7 +1882,7 @@
 		$title = "You should define \$title variable with page title";
 		include($inc_file);
 		StartHTML($title, $text) ;
-		print "
".GifIcon(up)." Back to front page.
";
+		print "
".GifIcon(up)." Back to front page.
";
 		EndHTML() ;
 		exit ;
 	}
@@ -1803,5 +1891,5 @@
 	Navigate($gblFsRoot,$relDir) ;	
 	exit ;
 
-	Error("Whooah!","By cartesian logic, this never happens") ;
+	Error("Whooah!","By cartesian logic, this never happens",1) ;
 ?>