Mirror/codiad
1
0
Fork 0
mirror of https://github.com/xevidos/codiad.git synced 2025-01-09 06:21:56 +01:00
Code Issues Projects Releases Packages Wiki Activity

Started work on an invalid character solution for files.

Browse source
This commit is contained in:
xevidos 2019-03-03 11:38:22 -05:00
parent 53026ba69e
commit bbc3cdb9bc
4 changed files with 97 additions and 74 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

35
components/filemanager/class.filemanager.php
View file

@ -526,6 +526,8 @@ class Filemanager extends Common {
$explode = explode( '/', $this->path ); $explode = explode( '/', $this->path );
array_pop( $explode ); array_pop( $explode );
$new_path = implode( "/", $explode ) . "/" . $this->new_name; $new_path = implode( "/", $explode ) . "/" . $this->new_name;
$new_path = $this->cleanPath( $new_path );
if ( ! file_exists( $new_path ) ) { if ( ! file_exists( $new_path ) ) {
if ( rename( $this->path, $new_path ) ) { if ( rename( $this->path, $new_path ) ) {
@ -753,21 +755,34 @@ class Filemanager extends Common {
public static function cleanPath( $path ) { public static function cleanPath( $path ) {
// replace backslash with slash // Prevent going out of the workspace
$path = str_replace( '\\', '/', $path );
// allow only valid chars in paths$
$path = preg_replace( '/[^A-Za-z0-9\-\._\/\ ]/', '', $path );
// maybe this is not needed anymore
// prevent Poison Null Byte injections
$path = str_replace( chr( 0 ), '', $path );
// prevent go out of the workspace
while ( strpos( $path, '../' ) !== false ) { while ( strpos( $path, '../' ) !== false ) {
$path = str_replace( '../', '', $path ); $path = str_replace( '../', '', $path );
} }
if( Filemanager::isAbsPath( $path ) ) {
$full_path = $path;
} else {
$full_path = WORKSPACE . "/" . $path;
}
/**
* If a file with an invalid character exists and the user is
* trying to rename or delete it, allow the actual file name.
*/
echo var_dump( file_exists( $full_path ),($_GET['action'] == "modify"),($_GET['action'] == "delete" ), $path, $full_path );
if( file_exists( $full_path ) && ( $_GET['action'] == "modify" || $_GET['action'] == "delete" ) ) {
} else {
// Only allow certain characters in filenames
$path = preg_replace( '/[^A-Za-z0-9\-\._\/\ ]/', '', $path );
}
return $path; return $path;
} }
} }

116
components/poller/init.js
View file

@ -3,66 +3,64 @@
* as-is and without warranty under the MIT License. See * as-is and without warranty under the MIT License. See
* [root]/license.txt for more. This information must remain intact. * [root]/license.txt for more. This information must remain intact.
*/ */
(function(global, $) {
(function(global, $){ var codiad = global.codiad;
var codiad = global.codiad; $(function() {
codiad.poller.init();
$(function() { });
codiad.poller.init();
});
codiad.poller = {
interval: 10000,
init: function() {
var _this = this;
setInterval(function() {
_this.checkAuth();
_this.saveDrafts();
}, _this.interval);
},
//////////////////////////////////////////////////////////////////
// Poll authentication
//////////////////////////////////////////////////////////////////
checkAuth: function() {
// Run controller to check session (also acts as keep-alive) & Check user
$.get(codiad.user.controller + '?action=verify', function(data) {
if (data == 'false') {
codiad.user.logout();
}
});
},
//////////////////////////////////////////////////////////////////
// Poll For Auto-Save of drafts (persist)
//////////////////////////////////////////////////////////////////
saveDrafts: function() {
$('#active-files a.changed')
.each(function() {
// Get changed content and path
var path = $(this)
.attr('data-path');
var content = codiad.active.sessions[path].getValue();
// TODO: Add some visual indication about draft getting saved.
// Set localstorage
localStorage.setItem(path, content);
});
}
};
codiad.poller = {
interval: 10000,
init: function() {
let _this = this;
let interval = null;
setInterval( function() {
_this.checkAuth();
_this.saveDrafts();
}, _this.interval);
},
//////////////////////////////////////////////////////////////////
// Poll authentication
//////////////////////////////////////////////////////////////////
checkAuth: function() {
// Run controller to check session (also acts as keep-alive) & Check user
$.get(codiad.user.controller + '?action=verify', function(data) {
if(data == 'false') {
codiad.user.logout();
}
});
},
//////////////////////////////////////////////////////////////////
// Poll For Auto-Save of drafts (persist)
//////////////////////////////////////////////////////////////////
saveDrafts: function() {
$('#active-files a.changed')
.each(function() {
// Get changed content and path
let path = $(this)
.attr('data-path');
let content = codiad.active.sessions[path].getValue();
// TODO: Add some visual indication about draft getting saved.
// Set localstorage
localStorage.setItem(path, content);
});
}
};
})(this, jQuery); })(this, jQuery);

16
components/user/class.user.php
View file

@ -190,6 +190,11 @@ class User {
$sessions_permissions = substr( sprintf( '%o', fileperms( SESSIONS_PATH ) ), -4 ); $sessions_permissions = substr( sprintf( '%o', fileperms( SESSIONS_PATH ) ), -4 );
$sessions_owner = posix_getpwuid( fileowner( SESSIONS_PATH ) ); $sessions_owner = posix_getpwuid( fileowner( SESSIONS_PATH ) );
if( is_array( $server_user ) ) {
$server_user = $server_user["uid"];
}
if( ! ( $sessions_owner === $server_user ) ) { if( ! ( $sessions_owner === $server_user ) ) {
try { try {
@ -251,7 +256,7 @@ class User {
$query = "UPDATE users SET token=? WHERE username=?;"; $query = "UPDATE users SET token=? WHERE username=?;";
$bind_variables = array( sha1( $token ), $this->username ); $bind_variables = array( sha1( $token ), $this->username );
$sql->query( $query, $bind_variables, 0, 'rowCount' ); $return = $sql->query( $query, $bind_variables, 0, 'rowCount' );
if( isset( $user['project'] ) && $user['project'] != '' ) { if( isset( $user['project'] ) && $user['project'] != '' ) {
@ -274,9 +279,12 @@ class User {
* Check duplicate sessions * Check duplicate sessions
* *
* This function checks to see if the user is currently logged in * This function checks to see if the user is currently logged in
* on any other machine and if they are then log them off. This * on any other machine and if they are then log them off using
* will fix the issue with the new auto save attempting to save both * session_destroy, otherwise close the session without saving data
* users at the same time. * using session abort().
*
* This should help fix the issue with auto save
* attempting to save both users at the same time.
*/ */
public static function checkDuplicateSessions( $username ) { public static function checkDuplicateSessions( $username ) {

4
components/user/init.js
View file

@ -72,13 +72,15 @@
authenticate: function() { authenticate: function() {
console.log( this.loginForm.serialize() );
$.ajax({ $.ajax({
type: "POST", type: "POST",
url: this.controller + '?action=authenticate', url: this.controller + '?action=authenticate',
data: this.loginForm.serialize(), data: this.loginForm.serialize(),
success: function( data ) { success: function( data ) {
parsed = codiad.jsend.parse(data); let parsed = codiad.jsend.parse( data );
if( parsed != 'error' ) { if( parsed != 'error' ) {
// Session set, reload // Session set, reload
window.location.reload(); window.location.reload();