--- docman.php 2002/07/29 10:17:53 1.25 +++ docman.php 2003/04/09 16:27:06 1.35 @@ -74,14 +74,16 @@ ////////////////////////////////////////////////////////////////// $gblTitle = "Document Manager"; - $gblVersion = "2.0-pre1"; + $gblVersion = "2.0-pre2"; $secHash = ""; // location of html files $html = $gblIncDir."/html"; - LoadLanguage($HTTP_SERVER_VARS["HTTP_ACCEPT_LANGUAGE"]); + if (isset($HTTP_SERVER_VARS["HTTP_ACCEPT_LANGUAGE"])) { + LoadLanguage($HTTP_SERVER_VARS["HTTP_ACCEPT_LANGUAGE"]); + } // for security and configuration $realm=$HTTP_SERVER_VARS["HTTP_HOST"]; @@ -147,8 +149,8 @@ } include("$html/footer.html"); - global $debug; - if ($debug) print $debug; +# global $debug; +# if ($debug) print $debug; } // end function EndHTML ////////////////////////////////////////////////////////////////// @@ -157,6 +159,7 @@ global $gblEditable, $gblImages, $gblDateFmt, $gblTimeFmt, + $gblPermNote, $webRoot, $html, $HTTP_SERVER_VARS ; $self = $HTTP_SERVER_VARS["PHP_SELF"] ; @@ -208,52 +211,27 @@ $fstr = fread($fh,filesize($fsPath)) ; fclose($fh) ; $fstr = htmlentities( $fstr ) ; -?> -
- - DOCUMENT CONTENTS -
- - - - - -
- - -
- -" ; // echo htmlentities($tstr) . "

" . $tstr ; echo $tstr ; } -?> -
- - -
- - -
- -OK TO FORCE LOCK REMOVAL ON "" HELD BY ? - - - + + +
+ '; + + if ($file_lock && check_perm($relDir.$fn,trperm_w)) { + include("$html/DetailPage-unlock.html"); } // file_lock if (substr($fn,0,4) == ".del") { @@ -265,37 +243,16 @@ } if ($exists && $writable) { -?> + include("$html/DetailPage-undelete.html"); + include("$html/DetailPage-rename.html"); -
- - -OK TO ""? - - - -
- - -OK TO RENAME "" TO - -? - - - - -
- -NOTE FOR "": - - - - - + } + + if (check_perm($relDir.$fn,$gblPermNote)) { + include("$html/DetailPage-note.html"); + } -"; $name=basename("$fsDir/$fn"); $logname=dirname("$fsDir/$fn")."/.log/$name"; @@ -481,18 +438,10 @@ ////////////////////////////////////////////////////////////////// -function GifIcon($txt) { - global $gblIconLocation ; +function GifIcon($txt = "") { + global $gblIconLocation, $gblImages ; switch (strtolower($txt)) { - case ".bmp" : - case ".gif" : - case ".jpg" : - case ".jpeg": - case ".tif" : - case ".tiff": - $d = "image2.gif" ; - break ; case ".doc" : $d = "layout.gif" ; break ; @@ -570,9 +519,14 @@ $d = "quill.gif"; break; default : - $d = "generic.gif" ; + if (in_array(strtolower($txt),$gblImages)) { + $d = "image2.gif" ; + } else { + $d = "generic.gif" ; + } } + return "" ; } // end function GifIcon @@ -583,6 +537,7 @@ global $gblEditable, $gblIcon, $gblModDays, $webRoot, $gblHide, $gblIgnoreUnknownFileType, $gblRepositoryDir, $gblLogin, $gblUserName, $gblDateFmt, $gblTimeFmt, + $gblPermNote, $fsRealmDir, $realm, $realm_sep, $html, $realm_config, $HTTP_GET_VARS, $HTTP_SERVER_VARS; @@ -657,8 +612,7 @@ $text .= "
Examine list of files
changed in last day or all changes."; StartHTML("(Navigate)",$text) ; - echo "" ; + print "
" ; // updir (parent) bar if (chopsl($fsDir) != chopsl($fsRoot)) { @@ -676,7 +630,8 @@ return $out; } - if (! HTTP_GET_VAR("dsort")) $dsort = "name"; // default directory sort + $dsort = HTTP_GET_VAR("dsort"); + if (! isset($dsort)) $dsort = "name"; // default directory sort $dsort_arr = array( "name" => array ("rname", "note"), @@ -685,7 +640,8 @@ "rnote" => array ("name", "note") ); - if (! HTTP_GET_VAR("fsort")) $fsort = "name"; // default directory sort + $fsort = HTTP_GET_VAR("fsort"); + if (! isset($fsort)) $fsort = "name"; // default directory sort $fsort_arr = array( "name" => array ("rname", "note", "date", "size"), @@ -747,6 +703,14 @@ } $dir_url=$self."?D=".urlencode(chopsl($relDir)."/".$dir); + if (check_perm($relDir.$dir,$gblPermNote)) { + $note_html="".$gblIcon("note")."".$dirNote[$key]; + } else { + $note_html=$dirNote[$key]; + } + + $dir_html = isBlank($dir,"directory"); + include("$html/Navigate-dirEntry.html"); } // iterate over dirs @@ -822,12 +786,16 @@ $file_url_html.="\" TITLE=\"View file\">" ; if (substr($file,0,5) != ".del/") { - $file_url_html .= $file . "" . $a ; + $file_url_html .= isBlank($file) . "" . $a ; } else { - $file_url_html .= substr($file,5,strlen($file)-5) . "deleted"; + $file_url_html .= isBlank(substr($file,5,strlen($file)-5)) . "deleted"; } - $note_html="".$gblIcon("note")."".ReadNote($path); + if (check_perm($relDir.$file,$gblPermNote)) { + $note_html="".$gblIcon("note")."".$fileNote[$key]; + } else { + $note_html=$fileNote[$key]; + } $ext = strtolower(strrchr($file,".")) ; @@ -847,9 +815,11 @@ $file_url_html = "$file $a"; } } else { - $b.="" ; - $b.=$gblIcon("checkout").""; + if (check_perm($relDir.$file,trperm_w)) { + $b.="" ; + $b.=$gblIcon("checkout").""; + } if ( $ext=="" || strstr(join(" ",$gblEditable),$ext) ) { $b.=" - - - -
- - - - - - -"; -} elseif (file_exists("$gblRepositoryDir/.info.inc")) { - print ""; -} + if (file_exists("$fsRealmDir/$realm".$realm_sep."info.inc")) { + print ""; + include("$html/Navigate-hr.html"); + } elseif (file_exists("$gblRepositoryDir/.info.inc")) { + print ""; + include("$html/Navigate-hr.html"); + } + include("$html/Navigate-createNew.html"); -?> - -
- - -
- No files in this directory -
- - OK TO DELETE THIS EMPTY FOLDER? - - -
"; - include("$fsRealmDir/$realm".$realm_sep."info.inc"); - print "
"; - include("$gblRepositoryDir/.info.inc"); - print "
"; + include("$fsRealmDir/$realm".$realm_sep."info.inc"); + print "
"; + include("$gblRepositoryDir/.info.inc"); + print "
CREATE NEW - DIRECTORY -OR- - FILE :    - NAME - - - - - OR UPLOAD A FILE -
+ print ""; -$dir/.note/$file for writing",1); + } fputs($note,"$msg\n"); fclose($note); @@ -1224,7 +1167,7 @@ $ext_arr = explode(".",$file); $ext = array_pop($ext_arr); - if ($encoding_ext[$ext]) { + if (isset($encoding_ext[$ext])) { $encoding = $encoding_ext[$ext]; $ext = array_pop($ext_arr); } @@ -1236,7 +1179,7 @@ } // IE5.5 just downloads index.php if we don't do this - if(preg_match("/MSIE 5.5/", $HTTP_SERVER_VARS[HTTP_USER_AGENT])) { + if(preg_match("/MSIE 5.5/", $HTTP_SERVER_VARS["HTTP_USER_AGENT"])) { header("Content-Disposition: filename=$file"); } else { header("Content-Disposition: attachment; filename=$file"); @@ -1338,7 +1281,7 @@ $l = trim(fgets($fp_conf,4096)); if (substr($l,0,1) == "+") { // no comment $arr=explode(":",$l); - $groups_arr[$arr[0]] = $arr[1] ; + $groups_arr[$arr[0]] = str_replace(" ","",$arr[1]) ; } elseif (substr($l,0,1) != "#") { $arr=explode(":",$l); $path=array_shift($arr); @@ -1463,7 +1406,7 @@ if (isset($tr)) { // first apply trustee for all - if (isset($tr['*'])) { + if (isset($tr['*']) && $user!="anonymous") { $perm = unroll_perm($user,$tr['*'],$perm, $one_level); unset($tr['*']); } @@ -1500,6 +1443,8 @@ function check_perm($path,$trperm) { global $gblLogin,$HAVE_TRUSTEE; + $path = str_replace("//","/",$path); + global $debug; $debug.="
check_perm: on $path for perm ".display_trustee($trperm)."
\n"; @@ -1554,6 +1499,15 @@ if (strstr($file,"/")) Error("Security violation","No slashes / allowed in file name $file",1); } +// bla/blo/../foo will return bla/foo +function remove_parent($path) { + while (preg_match(",/[^/]+/\.\./,",$path)) { + $path = preg_replace(",/[^/]+/\.\./,","",$path); + } + if (substr($path,0,1) != "/") $path = "/".$path; + return $path; +} + ////////////////////////////////////////////////////////////////// // functions to move HTTP server variables to global namespace @@ -1589,6 +1543,14 @@ } ////////////////////////////////////////////////////////////////// + +function isBlank($file,$what = "filename") { + if (trim($file) == "") return "whitespace $what"; + if ($file == "") return "no $what"; + return $file; +} + +////////////////////////////////////////////////////////////////// // MAIN PROGRAM $gblFilePerms = 0640 ; // default for new files @@ -1690,7 +1652,11 @@ // read mime.types readMime(); -HTTP_POST_VAR("FN"); + if (! isset($gblPermNote)) { + $gblPermNote = trperm_r; + } + + HTTP_POST_VAR("FN"); if ($HTTP_SERVER_VARS["REQUEST_METHOD"] == "POST") { // take variables from server @@ -1747,7 +1713,7 @@ $source = $FN_name ; if (! file_exists($source)) { - Error("You must select file with browse to upload it!"); + Error("You must select file with browse to upload it!","If file is too big, you might need to modify php configuration options post_max_size and upload_max_filesize",1); } if (HTTP_POST_VAR("FILENAME")) check_filename($FILENAME); @@ -1758,6 +1724,9 @@ $target = "$fsDir/$FILENAME"; } + if (! check_perm("$relDir/".basename($target), trperm_w)) + Error("Access denied","User $gblLogin tried to upload $relDir/".basename($target)." without valid trustee.",1); + // backup old files first $dir=dirname($target); if (! file_exists($dir."/.bak")) { @@ -1786,10 +1755,14 @@ case "SAVE" : $path = $gblFsRoot . $RELPATH ; $path=stripSlashes($path); + + if (! check_perm("$RELPATH", trperm_w)) + Error("Access denied","User $gblLogin tried to save $RELPATH without valid trustee.",1); + $writable = is_writeable($path) ; $legaldir = is_writeable(dirname($path)) ; $exists = (file_exists($path)) ? 1 : 0 ; -// check for legal extension here as well + // FIX: more verbose error message if (!($writable || (!$exists && $legaldir))) Error("Write denied",$RELPATH) ; $fh = fopen($path, "w") ; @@ -1807,9 +1780,13 @@ if ($T == "D") $type = "directory"; else $type ="file"; if ($FN == "") Error("Can't create $type","You must enter name of $type to create it."); - if (!is_writeable($fsDir)) Error("Write denied",$relDir) ; - $path = $fsDir . "/" . $FN ; // file or dir to create - $relPath = $relDir . "/" . $FN ; + if (!is_writeable($fsDir)) Error("Write denied","User $gblLogin has trustee to write in $relDir but permissions on $fsDir are wrong!", 1) ; + $path = "$fsDir/$FN"; // file or dir to create + $relPath = "$relDir/$FN"; + + if (file_exists($path)) + Error("Can't create $type","Object $relPath allready exists"); + switch ( $T ) { case "D" : // create a directory if ( ! @mkdir($path,$gblDirPerms) ) @@ -1823,14 +1800,14 @@ // better keep it here altogether // chmod perms to $gblFilePerms if ( file_exists($path) && !is_writeable($path) ) - Error("File not writable", $relPath) ; + Error("File not writable", "User $gblLogin has trustee to write in $relPath but permissions on $path are wrong!", 1) ; $fh = fopen($path, "w+") ; if ($fh) { fputs($fh,"\n"); fclose($fh) ; LogIt($path,"file created",trperm_r | trperm_w); } else { - Error("Creation of file $relPath failed -- $path"); + Error("Creation of file $relPath failed", "User $gblLogin has trustee to write in $relPath but creation of $path failed!", 1) ; } $tstr = $HTTP_SERVER_VARS["PHP_SELF"]."?A=E&D=".urlencode($relDir)."&F=".urlencode($FN) ; header("Location: " . $tstr) ; @@ -1843,36 +1820,34 @@ if ( isset($FN) && $FN != "") { $path=$fsDir."/".$FN; - $what = "file"; - if (is_dir($path)) { - $what = "dir"; - } + } elseif (isset($DIR)) { + $path=$gblFsRoot."/".$DIR; + $what = "directory"; + } else { + Error("Can't delete object","Can't find filename \$FN or dirname in \$DIR",1); + } - if (! check_perm($relDir."/".$FN, trperm_w)) - Error("Access denied","User $gblLogin tried to erase $what $relDir/$FN without valid trustee.",1); + if (! check_perm("$relDir/$FN", trperm_w)) + Error("Access denied","User $gblLogin tried to erase $what $relDir/$FN without valid trustee.",1); - $tstr = "Attempt to delete non-existing object or " ; - $tstr .= "insufficient privileges: " ; + $tstr = "Attempt to delete non-existing object or insufficient privileges: " ; - $dir=dirname($path); - $file=basename($path); - if (! file_exists("$dir/.del")) { - mkdir("$dir/.del",0700); - } + $dir=dirname($path); + $file=basename($path); -// if ( ! @unlink($path) ) { - if ( ! @rename($path,"$dir/.del/$file") ) { - LogIt($path,"$what delete failed"); - Error("Can't delete $what",$tstr.$relDir."/".$FN) ; - } else { - LogIt($path,"$what deleted",trperm_w); - MoveTo("$dir/.log/$file","$dir/.del/.log/"); - MoveTo("$dir/.note/$file","$dir/.del/.note/"); - MoveTo("$dir/.lock/$file","$dir/.del/.lock/"); - } + if (! file_exists("$dir/.del")) { + mkdir("$dir/.del",0700); + } + + if ( ! @rename($path,"$dir/.del/$file") ) { + LogIt($path,"$what delete failed"); + Error("Can't delete $what",$tstr."".$relDir."/".$FN."") ; } else { - Error("Rmdir failed", $tstr . $fsDir) ; + LogIt($path,"$what deleted",trperm_w); + MoveTo("$dir/.log/$file","$dir/.del/.log/"); + MoveTo("$dir/.note/$file","$dir/.del/.note/"); + MoveTo("$dir/.lock/$file","$dir/.del/.lock/"); } break ; @@ -1882,6 +1857,9 @@ if (substr($FN,0,4) != ".del") break ; $file=substr($FN,4,strlen($FN)-4); + if (! check_perm("$relDir/$file", trperm_w)) + Error("Access denied","User $gblLogin tried to undelete $relDir/$file without valid trustee.",1); + LogIt("$fsDir/.del/$file","undeleted",trperm_w); MoveTo("$fsDir/.del/$file","$fsDir/"); MoveTo("$fsDir/.del/.log/$file","$fsDir/.log/"); @@ -1893,18 +1871,31 @@ case "RENAME" : if ( $CONFIRM != "on" ) break ; - $NEWNAME=stripSlashes($HTTP_POST_VARS["NEWNAME"]); + if (HTTP_POST_VAR("NEWNAME")) { + $dest = remove_parent($relDir.$NEWNAME); + if (! check_perm($relDir.$FN, trperm_w) || + ! check_perm($dest, trperm_w) ) + Error("Access denied","User $gblLogin tried to rename $relDir$FN to $dest without valid trustee.",1); + } else { + Error("Rename error","Can't find new name in var \$NEWNAME",1); + } LogIt("$fsDir/$FN","renamed $FN to $NEWNAME",trperm_r); safe_rename($fsDir,$FN,$NEWNAME); break ; - case "NOTE" : - $NOTE=stripSlashes($HTTP_POST_VARS["NOTE"]); - WriteNote("$fsDir/$FN","$NOTE"); + case "NOTE" : + if (! HTTP_POST_VAR("NOTE")) + Error("Can't add note to object","Can't find var \$NOTE",1); + if (! check_perm("$relDir/$FN", trperm_w)) + Error("Access denied","User $gblLogin tried to add note to $relDir/$FN without valid trustee.",1); + + WriteNote("$fsDir/$FN",$NOTE); break ; case "UNLOCK" : if ( $CONFIRM != "on" ) break ; + if (! check_perm("$relDir/$FN", trperm_w)) + Error("Access denied","User $gblLogin tried to unlock $relDir/$FN without valid trustee.",1); Unlock("$fsDir/$FN"); break ; @@ -1918,7 +1909,7 @@ header("Location: ".$tstr) ; exit ; } - + // check for mode.. navigate, code display, upload, or detail? // $A=U : upload to path given in $D // $A=E : display detail of file $D/$F and edit