--- docman.php 2002/07/29 10:29:04 1.26 +++ docman.php 2002/07/29 14:17:05 1.32 @@ -157,6 +157,7 @@ global $gblEditable, $gblImages, $gblDateFmt, $gblTimeFmt, + $gblPermNote, $webRoot, $html, $HTTP_SERVER_VARS ; $self = $HTTP_SERVER_VARS["PHP_SELF"] ; @@ -208,52 +209,27 @@ $fstr = fread($fh,filesize($fsPath)) ; fclose($fh) ; $fstr = htmlentities( $fstr ) ; -?> -
- - DOCUMENT CONTENTS -
- - - - - -
- - -
- -" ; // echo htmlentities($tstr) . "

" . $tstr ; echo $tstr ; } -?> -
- - -
- - -
- -OK TO FORCE LOCK REMOVAL ON "" HELD BY ? - - - + + +
+ '; + + if ($file_lock && check_perm($relDir.$fn,trperm_w)) { + include("$html/DetailPage-unlock.html"); } // file_lock if (substr($fn,0,4) == ".del") { @@ -265,37 +241,16 @@ } if ($exists && $writable) { -?> + include("$html/DetailPage-undelete.html"); + include("$html/DetailPage-rename.html"); -
- - -OK TO ""? - - - -
- - -OK TO RENAME "" TO - -? - - - - -
- -NOTE FOR "": - - - - - + } + + if (check_perm($relDir.$fn,$gblPermNote)) { + include("$html/DetailPage-note.html"); + } -"; $name=basename("$fsDir/$fn"); $logname=dirname("$fsDir/$fn")."/.log/$name"; @@ -481,18 +436,10 @@ ////////////////////////////////////////////////////////////////// -function GifIcon($txt) { - global $gblIconLocation ; +function GifIcon($txt = "") { + global $gblIconLocation, $gblImages ; switch (strtolower($txt)) { - case ".bmp" : - case ".gif" : - case ".jpg" : - case ".jpeg": - case ".tif" : - case ".tiff": - $d = "image2.gif" ; - break ; case ".doc" : $d = "layout.gif" ; break ; @@ -570,9 +517,14 @@ $d = "quill.gif"; break; default : - $d = "generic.gif" ; + if (in_array(strtolower($txt),$gblImages)) { + $d = "image2.gif" ; + } else { + $d = "generic.gif" ; + } } + return "" ; } // end function GifIcon @@ -583,6 +535,7 @@ global $gblEditable, $gblIcon, $gblModDays, $webRoot, $gblHide, $gblIgnoreUnknownFileType, $gblRepositoryDir, $gblLogin, $gblUserName, $gblDateFmt, $gblTimeFmt, + $gblPermNote, $fsRealmDir, $realm, $realm_sep, $html, $realm_config, $HTTP_GET_VARS, $HTTP_SERVER_VARS; @@ -657,8 +610,7 @@ $text .= "
Examine list of files
changed in last day or all changes."; StartHTML("(Navigate)",$text) ; - echo "" ; + print "
" ; // updir (parent) bar if (chopsl($fsDir) != chopsl($fsRoot)) { @@ -676,7 +628,8 @@ return $out; } - if (! HTTP_GET_VAR("dsort")) $dsort = "name"; // default directory sort + $dsort = HTTP_GET_VAR("dsort"); + if (! isset($dsort)) $dsort = "name"; // default directory sort $dsort_arr = array( "name" => array ("rname", "note"), @@ -685,7 +638,8 @@ "rnote" => array ("name", "note") ); - if (! HTTP_GET_VAR("fsort")) $fsort = "name"; // default directory sort + $fsort = HTTP_GET_VAR("fsort"); + if (! isset($fsort)) $fsort = "name"; // default directory sort $fsort_arr = array( "name" => array ("rname", "note", "date", "size"), @@ -747,6 +701,12 @@ } $dir_url=$self."?D=".urlencode(chopsl($relDir)."/".$dir); + if (check_perm($relDir.$dir,$gblPermNote)) { + $note_html="".$gblIcon("note")."".$dirNote[$key]; + } else { + $note_html=$dirNote[$key]; + } + include("$html/Navigate-dirEntry.html"); } // iterate over dirs @@ -827,7 +787,11 @@ $file_url_html .= substr($file,5,strlen($file)-5) . "deleted"; } - $note_html="".$gblIcon("note")."".ReadNote($path); + if (check_perm($relDir.$file,$gblPermNote)) { + $note_html="".$gblIcon("note")."".$fileNote[$key]; + } else { + $note_html=$fileNote[$key]; + } $ext = strtolower(strrchr($file,".")) ; @@ -847,9 +811,11 @@ $file_url_html = "$file $a"; } } else { - $b.="" ; - $b.=$gblIcon("checkout").""; + if (check_perm($relDir.$file,trperm_w)) { + $b.="" ; + $b.=$gblIcon("checkout").""; + } if ( $ext=="" || strstr(join(" ",$gblEditable),$ext) ) { $b.=" - - - -
- - - - - - -"; -} elseif (file_exists("$gblRepositoryDir/.info.inc")) { - print ""; -} + if (file_exists("$fsRealmDir/$realm".$realm_sep."info.inc")) { + print ""; + include("$html/Navigate-hr.html"); + } elseif (file_exists("$gblRepositoryDir/.info.inc")) { + print ""; + include("$html/Navigate-hr.html"); + } + include("$html/Navigate-createNew.html"); -?> - -
- - -
- No files in this directory -
- - OK TO DELETE THIS EMPTY FOLDER? - - -
"; - include("$fsRealmDir/$realm".$realm_sep."info.inc"); - print "
"; - include("$gblRepositoryDir/.info.inc"); - print "
"; + include("$fsRealmDir/$realm".$realm_sep."info.inc"); + print "
"; + include("$gblRepositoryDir/.info.inc"); + print "
CREATE NEW - DIRECTORY -OR- - FILE :    - NAME - - - - - OR UPLOAD A FILE -
+ print ""; -$dir/.note/$file for writing",1); + } fputs($note,"$msg\n"); fclose($note); @@ -1500,6 +1439,8 @@ function check_perm($path,$trperm) { global $gblLogin,$HAVE_TRUSTEE; + $path = str_replace("//","/",$path); + global $debug; $debug.="
check_perm: on $path for perm ".display_trustee($trperm)."
\n"; @@ -1554,6 +1495,15 @@ if (strstr($file,"/")) Error("Security violation","No slashes / allowed in file name $file",1); } +// bla/blo/../foo will return bla/foo +function remove_parent($path) { + while (preg_match(",/[^/]+/\.\./,",$path)) { + $path = preg_replace(",/[^/]+/\.\./,","",$path); + } + if (substr($path,0,1) != "/") $path = "/".$path; + return $path; +} + ////////////////////////////////////////////////////////////////// // functions to move HTTP server variables to global namespace @@ -1690,7 +1640,11 @@ // read mime.types readMime(); -HTTP_POST_VAR("FN"); + if (! isset($gblPermNote)) { + $gblPermNote = trperm_r; + } + + HTTP_POST_VAR("FN"); if ($HTTP_SERVER_VARS["REQUEST_METHOD"] == "POST") { // take variables from server @@ -1758,6 +1712,9 @@ $target = "$fsDir/$FILENAME"; } + if (! check_perm("$relDir/".basename($target), trperm_w)) + Error("Access denied","User $gblLogin tried to upload $relDir/".basename($target)." without valid trustee.",1); + // backup old files first $dir=dirname($target); if (! file_exists($dir."/.bak")) { @@ -1786,10 +1743,14 @@ case "SAVE" : $path = $gblFsRoot . $RELPATH ; $path=stripSlashes($path); + + if (! check_perm("$RELPATH", trperm_w)) + Error("Access denied","User $gblLogin tried to save $RELPATH without valid trustee.",1); + $writable = is_writeable($path) ; $legaldir = is_writeable(dirname($path)) ; $exists = (file_exists($path)) ? 1 : 0 ; -// check for legal extension here as well + // FIX: more verbose error message if (!($writable || (!$exists && $legaldir))) Error("Write denied",$RELPATH) ; $fh = fopen($path, "w") ; @@ -1807,9 +1768,13 @@ if ($T == "D") $type = "directory"; else $type ="file"; if ($FN == "") Error("Can't create $type","You must enter name of $type to create it."); - if (!is_writeable($fsDir)) Error("Write denied",$relDir) ; - $path = $fsDir . "/" . $FN ; // file or dir to create - $relPath = $relDir . "/" . $FN ; + if (!is_writeable($fsDir)) Error("Write denied","User $gblLogin has trustee to write in $relDir but permissions on $fsDir are wrong!", 1) ; + $path = "$fsDir/$FN"; // file or dir to create + $relPath = "$relDir/$FN"; + + if (file_exists($path)) + Error("Can't create $type","Object $relPath allready exists"); + switch ( $T ) { case "D" : // create a directory if ( ! @mkdir($path,$gblDirPerms) ) @@ -1823,14 +1788,14 @@ // better keep it here altogether // chmod perms to $gblFilePerms if ( file_exists($path) && !is_writeable($path) ) - Error("File not writable", $relPath) ; + Error("File not writable", "User $gblLogin has trustee to write in $relPath but permissions on $path are wrong!", 1) ; $fh = fopen($path, "w+") ; if ($fh) { fputs($fh,"\n"); fclose($fh) ; LogIt($path,"file created",trperm_r | trperm_w); } else { - Error("Creation of file $relPath failed -- $path"); + Error("Creation of file $relPath failed", "User $gblLogin has trustee to write in $relPath but creation of $path failed!", 1) ; } $tstr = $HTTP_SERVER_VARS["PHP_SELF"]."?A=E&D=".urlencode($relDir)."&F=".urlencode($FN) ; header("Location: " . $tstr) ; @@ -1843,36 +1808,34 @@ if ( isset($FN) && $FN != "") { $path=$fsDir."/".$FN; - $what = "file"; - if (is_dir($path)) { - $what = "dir"; - } + } elseif (isset($DIR)) { + $path=$gblFsRoot."/".$DIR; + $what = "directory"; + } else { + Error("Can't delete object","Can't find filename \$FN or dirname in \$DIR",1); + } - if (! check_perm($relDir."/".$FN, trperm_w)) - Error("Access denied","User $gblLogin tried to erase $what $relDir/$FN without valid trustee.",1); + if (! check_perm("$relDir/$FN", trperm_w)) + Error("Access denied","User $gblLogin tried to erase $what $relDir/$FN without valid trustee.",1); - $tstr = "Attempt to delete non-existing object or " ; - $tstr .= "insufficient privileges: " ; + $tstr = "Attempt to delete non-existing object or insufficient privileges: " ; - $dir=dirname($path); - $file=basename($path); - if (! file_exists("$dir/.del")) { - mkdir("$dir/.del",0700); - } + $dir=dirname($path); + $file=basename($path); -// if ( ! @unlink($path) ) { - if ( ! @rename($path,"$dir/.del/$file") ) { - LogIt($path,"$what delete failed"); - Error("Can't delete $what",$tstr.$relDir."/".$FN) ; - } else { - LogIt($path,"$what deleted",trperm_w); - MoveTo("$dir/.log/$file","$dir/.del/.log/"); - MoveTo("$dir/.note/$file","$dir/.del/.note/"); - MoveTo("$dir/.lock/$file","$dir/.del/.lock/"); - } + if (! file_exists("$dir/.del")) { + mkdir("$dir/.del",0700); + } + + if ( ! @rename($path,"$dir/.del/$file") ) { + LogIt($path,"$what delete failed"); + Error("Can't delete $what",$tstr."".$relDir."/".$FN."") ; } else { - Error("Rmdir failed", $tstr . $fsDir) ; + LogIt($path,"$what deleted",trperm_w); + MoveTo("$dir/.log/$file","$dir/.del/.log/"); + MoveTo("$dir/.note/$file","$dir/.del/.note/"); + MoveTo("$dir/.lock/$file","$dir/.del/.lock/"); } break ; @@ -1882,6 +1845,9 @@ if (substr($FN,0,4) != ".del") break ; $file=substr($FN,4,strlen($FN)-4); + if (! check_perm("$relDir/$file", trperm_w)) + Error("Access denied","User $gblLogin tried to undelete $relDir/$file without valid trustee.",1); + LogIt("$fsDir/.del/$file","undeleted",trperm_w); MoveTo("$fsDir/.del/$file","$fsDir/"); MoveTo("$fsDir/.del/.log/$file","$fsDir/.log/"); @@ -1893,18 +1859,31 @@ case "RENAME" : if ( $CONFIRM != "on" ) break ; - $NEWNAME=stripSlashes($HTTP_POST_VARS["NEWNAME"]); + if (HTTP_POST_VAR("NEWNAME")) { + $dest = remove_parent($relDir.$NEWNAME); + if (! check_perm($relDir.$FN, trperm_w) || + ! check_perm($dest, trperm_w) ) + Error("Access denied","User $gblLogin tried to rename $relDir$FN to $dest without valid trustee.",1); + } else { + Error("Rename error","Can't find new name in var \$NEWNAME",1); + } LogIt("$fsDir/$FN","renamed $FN to $NEWNAME",trperm_r); safe_rename($fsDir,$FN,$NEWNAME); break ; - case "NOTE" : - $NOTE=stripSlashes($HTTP_POST_VARS["NOTE"]); - WriteNote("$fsDir/$FN","$NOTE"); + case "NOTE" : + if (! HTTP_POST_VAR("NOTE")) + Error("Can't add note to object","Can't find var \$NOTE",1); + if (! check_perm("$relDir/$FN", trperm_w)) + Error("Access denied","User $gblLogin tried to add note to $relDir/$FN without valid trustee.",1); + + WriteNote("$fsDir/$FN",$NOTE); break ; case "UNLOCK" : if ( $CONFIRM != "on" ) break ; + if (! check_perm("$relDir/$FN", trperm_w)) + Error("Access denied","User $gblLogin tried to unlock $relDir/$FN without valid trustee.",1); Unlock("$fsDir/$FN"); break ; @@ -1918,7 +1897,7 @@ header("Location: ".$tstr) ; exit ; } - + // check for mode.. navigate, code display, upload, or detail? // $A=U : upload to path given in $D // $A=E : display detail of file $D/$F and edit