Fixes #68 Fixes #1256 Fixes #1134 : browser now check every action : mkdir, createfile, move, rename, read, write. Also removes the 'drag&drop' in browser editor

2011-06-04 10:37:59 +00:00 · 2011-06-04 10:37:59 +00:00 · 26ae262b90
parent b99db10d05
commit 26ae262b90
7 changed files with 110 additions and 1496 deletions
--- a/.gitattributes
+++ b/.gitattributes
@ -226,7 +226,6 @@ bureau/admin/js/jquery_ui/js/jquery.ui.datepicker-es.js -text
 bureau/admin/js/jquery_ui/js/jquery.ui.datepicker-fr.js -text
 bureau/admin/js/prototype.js -text
 bureau/admin/js/rico.js -text
 bureau/admin/js/wz_dragdrop.js -text
 bureau/admin/login.php -text
 bureau/admin/logo.png -text
 bureau/admin/logo2.png -text
--- a/bureau/admin/bro_editor.php
+++ b/bureau/admin/bro_editor.php
@ -40,27 +40,37 @@ if ($cancel) {
 	exit();
 }
 if ($saveret) {
-	$bro->Save($editfile,$R,$texte);
+  if ($bro->Save($editfile,$R,$texte)) {
    $error=sprintf(_("Your file %s has been saved"),$editfile)." (".format_date('%3$d-%2$d-%1$d %4$d:%5$d',date("Y-m-d H:i:s")).")";
  } else {
    $error=$err->errstr();
  }
  include("bro_main.php");
  exit();
 }
 if ($save) {
-	$bro->Save($editfile,$R,$texte);
+  if ($bro->Save($editfile,$R,$texte)) {
    $error=sprintf(_("Your file %s has been saved"),$editfile)." (".format_date('%3$d-%2$d-%1$d %4$d:%5$d',date("Y-m-d H:i:s")).")";
  } else {
    $error=$err->errstr();
  }
 }
 include_once("head.php");
 ?>
 <p>
-<?php if ($error) echo "<font color=\"red\">$error</font><br />"; ?>
+<?php if ($error) echo "<p class=\"error\">$error</p>"; ?>
 <?php echo _("File editing")." <code>$R/<b>$editfile</b></code><br />"; ?>
 </p>
 <form action="bro_editor.php" method="post"><br />
 <div id="resizer" style="left: 0px; top: 0px; z-index: 54; width: <?php echo $p["editsizex"]*8; ?>px; height: <?php echo $p["editsizey"]*8; ?>px; cursor: auto;"><textarea class="int" style="font-family: <?php echo $p["editor_font"]; ?>; font-size: <?php echo $p["editor_size"]; ?>; width: 90%; height: 90%;" name="texte"><?php
-$bro->content($R,$editfile);
+  $failed=false;
-?></textarea><img src="/admin/icon/winresize.gif" alt="<?php __("ctrl+click or shift+click and drag to resize the editing zone"); ?>" title="<?php __("ctrl+click or shift+click and drag to resize the editing zone"); ?>" height="20" width="20" /></div><br />
+  if (!$bro->content($R,$editfile)) {
    $failed=true;
  }
 ?></textarea>
 <?php if ($failed) echo "<p class=\"error\">".$err->errstr()."</p>"; ?>
 	<input type="hidden" name="editfile" value="<?php echo str_replace("\"","&quot;",$editfile); ?>" />
 	<input type="hidden" name="R" value="<?php echo str_replace("\"","&quot;",$R); ?>" />
@ -68,10 +78,5 @@ $bro->content($R,$editfile);
 	<input type="submit" class="inb" value="<?php __("Save &amp; Quit"); ?>" name="saveret" />
 	<input type="submit" class="inb" value="<?php __("Quit"); ?>" name="cancel" />
 <br />
 <script type="text/javascript">
 <!--
 SET_DHTML("resizer"+RESIZABLE);
 //-->
 </script>
 </form>
 <?php include_once("foot.php"); ?>
--- a/bureau/admin/head.php
+++ b/bureau/admin/head.php
@ -37,7 +37,6 @@ if (!$charset) $charset="iso-8859-1";
 <link rel="stylesheet" href="styles/style.css" type="text/css" />
 <meta http-equiv="Content-Type" content="text/html; charset=<?php echo $charset; ?>" />
 <script type="text/javascript" src="js/alternc.js"></script>
 <script type="text/javascript" src="js/wz_dragdrop.js"></script>
 <script src="js/jquery.min.js" type="text/javascript"></script>
 <script src="js/jquery_ui/js/jquery-ui-1.8.10.custom.min.js" type="text/javascript"></script>
 <?php
--- a/bureau/admin/js/wz_dragdrop.js
+++ b/bureau/admin/js/wz_dragdrop.js
--- a/bureau/class/m_bro.php
+++ b/bureau/class/m_bro.php
@ -330,7 +330,10 @@ class m_bro {
    $file=ssla($file);
    $absolute=$this->convertabsolute($dir."/".$file,0);
    if ($absolute && !file_exists($absolute)) {
-      mkdir($absolute,00777);
+      if (!@mkdir($absolute,00777)) {
 	$err->raise("bro",4);
 	return false;
      }
      $db->query("UPDATE browser SET crff=1 WHERE uid='$cuid';");
      return true;
    } else {
@ -355,7 +358,10 @@ class m_bro {
      return false;
    }
    if (!file_exists($absolute)) {
-      touch($absolute);
+      if (!@touch($absolute)) {
 	$err->raise("bro",3);
 	return false;
      }
    }
    $db->query("UPDATE browser SET crff=0 WHERE uid='$cuid';");
    return true;
@ -433,10 +439,7 @@ class m_bro {
      return false;
    }
    // FIXME: check that we don't have a huge security issue here ...
    // If the destionation (new) doesn't have an absolute path, give it the prefix (old) from the first file found
    if ($new[0] != '/') {
      // Ex: settings.php will become /var/alternc/html/f/foo/www/example.org/drupal-6.10/sites/default/settings.php
      $new = $old . '/' . $new;
    } else {
      $new = $this->convertabsolute($new,0);
@ -464,9 +467,10 @@ class m_bro {
   * @param string $R dossier dans lequel se trouve les fichiers à renommer.
   * @param array of string $old Ancien nom des fichiers
   * @param array of string $new Nouveau nom des fichiers
   * @param $verbose boolean shall we 'echo' what we did ?
   * @return boolean TRUE si les fichiers ont été renommés, FALSE si une erreur s'est produite.
   */
-  function ChangePermissions($R,$d,$perm) {
+  function ChangePermissions($R,$d,$perm,$verbose=true) {
    global $err;
    $absolute=$this->convertabsolute($R,0);
    if (!$absolute) {
@ -476,7 +480,6 @@ class m_bro {
    for ($i=0;$i<count($d);$i++) {
      $d[$i]=ssla($d[$i]); // strip slashes if needed
      if (!strpos($d[$i],"/")) {  // caractère / interdit dans le nom du fichier
 	// @rename($absolute."/".$old[$i],$absolute."/".$old[$i].$alea);
 	$m = fileperms($absolute."/". $d[$i]);
 	// pour l'instant on se limite a "write" pour owner, puisque c'est le seul
@ -488,9 +491,11 @@ class m_bro {
 	}
 	$m = $m | ($perm[$i]['w'] ? 128 : 0); // 0600
 	chmod($absolute."/".$d[$i], $m);
 	if ($verbose) {
 	  echo "chmod " . sprintf('%o', $m) . " file, was " . sprintf('%o', fileperms($absolute."/". $d[$i])). " -- " . $perm[$i]['w'];
 	}
      }
    }
    return true;
  }
@ -550,16 +555,18 @@ class m_bro {
    }
    $file = escapeshellarg($file);
    $dest = escapeshellarg($dest);
-#TODO new version of tar supports `tar xf ...` so there is no
+    // TODO new version of tar supports `tar xf ...` so there is no
-#     need to specify the compression format
+    //     need to specify the compression format
    exec("tar -xzf $file -C $dest", $void, $ret);
    if ($ret) {
      #print "tgz extraction failed, moving on to tbz\n";
      exec("tar -xjf $file -C $dest", $void, $ret);
    }
    if ($ret) {
      $cmd = "unzip -o $file -d $dest";
-      #print "tbz extraction failed, moving on to zip: $cmd\n";
+      exec($cmd, $void, $ret);
    }
    if ($ret) {
      $cmd = "gunzip $file";
      exec($cmd, $void, $ret);
    }
    if ($ret) {
@ -611,64 +618,6 @@ class m_bro {
  function CopyOneFile($src, $dest)
  {
    global $err;
    /*
     * XXX: Disabled functionality until audit is completed
     */
    /*
    if (substr($src, 0, 7) == "http://") {
      $filename = basename($src);
      $extractdir = tempnam("/tmp", "brouteur");
      unlink($extractdir);
      mkdir($extractdir);
      if (!$http = @fopen($src, "rb")) {
        // Try to get a handle on $http with fsockopen instead
 //FIXME we'd better use a real http getter function/class (such as Octopuce_Http_Client (ask Benjamin)
        ereg('^http://([^/]+)(/.*)$', $src, $eregs);
        $hostname = $eregs[1];
        $path = $eregs[2];
        $http = @fsockopen($hostname, 80);
        @fputs($http, "GET $path HTTP/1.1\nHost: $hostname\n\n");
      }
      if ($http) {
        // Save the bits
        $f = fopen("$extractdir/$filename", "wb");
        while (!feof($http)) {
          $bin = fgets($http, 16384);
          fwrite($f, $bin);
 //FIXME if (!trim($bin)) break;
        }
        fclose($f);
        fclose($http);
      } else {
        // Dammit, try with wget than
        exec("wget -q '$src' -O '$extractdir/$filename'", $void, $ret);
        if ($ret) {
          $error = _("Unable to download the web application's package.");
          return false;
        }
      }
      // Now extract that package
      if (!brouteur_extract("$extractdir/$filename", $extractdir)) {
        $error = _("Unable to extract the files");
        return false;
      }
      unlink("$extractdir/$filename");
      // Corrupt $src since we want to copy $extractdir/packagename
      $hd = opendir($extractdir);
      while ($file = readdir($hd)) {
        if ($file != "." && $file != "..") {
          $src = "$extractdir/$file";
          break;
        }
      }
    }
    */
    // Last step // Copy -R
    $src = escapeshellarg($src);
    $dest = escapeshellarg($dest);
    exec("cp -Rpf $src $dest", $void, $ret);
@ -718,10 +667,19 @@ class m_bro {
    if (!strpos($file,"/")) {
      $absolute.="/".$file;
      if (file_exists($absolute)) {
-	$content = @file($absolute);
+	$f=fopen($absolute,"rb");
-	for($i=0;$i<count($content);$i++) {
+	if ($f) {
-	  echo str_replace("<","&lt;",str_replace("&","&amp;",$content[$i]));
+	  while ($s=fgets($f,1024)) {
 	    echo str_replace("<","&lt;",str_replace("&","&amp;",$s));
 	  }
 	  fclose($f);
 	} else {
 	  $err->raise("bro",6);
 	  return false;
 	}
      } else {
 	$err->raise("bro",6);
 	return false;
      }
    } else {
      $err->raise("bro",1);
@ -783,6 +741,7 @@ class m_bro {
    }
  }
  /**
   * Return a HTML snippet representing an extraction function only if the mimetype of $name is supported
   */
@ -810,16 +769,17 @@ class m_bro {
    return false;
  }
  /* ------------------------------------------------------------------ */
  /** Echoes the content of the file $file located in directory $R
   */
  function content_send($R,$file) {
    global $err;
    $absolute=$this->convertabsolute($R,0);
    if (!strpos($file,"/")) {
      $absolute.="/".$file;
      if (file_exists($absolute)) {
-	$content = @file($absolute);
+	readfile($absolute);
 	for($i=0;$i<count($content);$i++) {
 	  echo stripslashes($content[$i]);
 	}
      }
    } else {
      $err->raise("bro",1);
@ -827,6 +787,7 @@ class m_bro {
    }
  }
  /* ----------------------------------------------------------------- */
  /** Sauve le fichier $file dans le dossier $R avec pour contenu $texte
   * le contenu est issu d'un textarea, et ne DOIT PAS contenir de \ ajoutés
@ -847,6 +808,9 @@ class m_bro {
 	if ($f) {
 	  fputs($f,$texte,strlen($texte));
 	  fclose($f);
 	} else {
 	  $err->raise("bro",5);
 	  return false;
 	}
      }
    } else {
@ -855,34 +819,36 @@ class m_bro {
    }
  }
  /* ----------------------------------------------------------------- */
  /** Echo d'un flux .tar.Z contenant tout le contenu du dossier $dir
   * @param string $dir dossier à dumper, relatif à la racine du compte du membre.
   * @return void NE RETOURNE RIEN, et il faut Quitter le script immédiatement après
   */
  function DownloadZ($dir="") {
-    global $mem;
+    global $mem,$L_ALTERNC_LOC;
    header("Content-Disposition: attachment; filename=".$mem->user["login"].".Z");
    header("Content-Type: application/x-Z");
    header("Content-Transfer-Encoding: binary");
    $d=escapeshellarg(".".$this->convertabsolute($dir,1));
    set_time_limit(0);
-    passthru("/bin/tar -cZ -C /var/alternc/html/".substr($mem->user["login"],0,1)."/".$mem->user["login"]."/ $d");
+    passthru("/bin/tar -cZ -C ".$L_ALTERNC_LOC."/html/".substr($mem->user["login"],0,1)."/".$mem->user["login"]."/ $d");
  }
  /* ----------------------------------------------------------------- */
  /** Echo d'un flux .tgz contenant tout le contenu du dossier $dir
   * @param string $dir dossier à dumper, relatif à la racine du compte du membre.
   * @return void NE RETOURNE RIEN, et il faut Quitter le script immédiatement après
   */
  function DownloadTGZ($dir="") {
-    global $mem;
+    global $mem,$L_ALTERNC_LOC;
    header("Content-Disposition: attachment; filename=".$mem->user["login"].".tgz");
    header("Content-Type: application/x-tgz");
    header("Content-Transfer-Encoding: binary");
    $d=escapeshellarg(".".$this->convertabsolute($dir,1));
    set_time_limit(0);
-    passthru("/bin/tar -cz -C /var/alternc/html/".substr($mem->user["login"],0,1)."/".$mem->user["login"]."/ $d");
+    passthru("/bin/tar -cz -C ".$L_ALTERNC_LOC."/html/".substr($mem->user["login"],0,1)."/".$mem->user["login"]."/ $d");
  }
@ -892,22 +858,23 @@ class m_bro {
   * @return void NE RETOURNE RIEN, et il faut Quitter le script immédiatement après
   */
  function DownloadTBZ($dir="") {
-    global $mem;
+    global $mem,$L_ALTERNC_LOC;
    header("Content-Disposition: attachment; filename=".$mem->user["login"].".tar.bz2");
    header("Content-Type: application/x-bzip2");
    header("Content-Transfer-Encoding: binary");
    $d=escapeshellarg(".".$this->convertabsolute($dir,1));
    set_time_limit(0);
-    passthru("/bin/tar -cj -C /var/alternc/html/".substr($mem->user["login"],0,1)."/".$mem->user["login"]."/ $d");
+    passthru("/bin/tar -cj -C ".$L_ALTERNC_LOC."/html/".substr($mem->user["login"],0,1)."/".$mem->user["login"]."/ $d");
  }
  /* ----------------------------------------------------------------- */
  /** Echo d'un flux .ZIP contenant tout le contenu du dossier $dir
   * @param string $dir dossier à dumper, relatif à la racine du compte du membre.
   * @return void NE RETOURNE RIEN, et il faut Quitter le script immédiatement après
   */
  function DownloadZIP($dir="") {
-    global $mem;
+    global $mem,$L_ALTERNC_LOC;
    header("Content-Disposition: attachment; filename=".$mem->user["login"].".zip");
    header("Content-Type: application/x-zip");
    header("Content-Transfer-Encoding: binary");
@ -916,6 +883,7 @@ class m_bro {
    passthru("/usr/bin/zip -r - $d");
  }
  /* ----------------------------------------------------------------- */
  /** Fonction de tri perso utilisé par filelist.
   * @access private
@ -926,6 +894,7 @@ class m_bro {
    return $a["name"]>$b["name"];
  }
  /* ----------------------------------------------------------------- */
  /** Efface $file et tous ses sous-dossiers s'il s'agit d'un dossier
   * A UTILISER AVEC PRECAUTION !!!
--- a/bureau/locales/en_US/LC_MESSAGES/manual.po
+++ b/bureau/locales/en_US/LC_MESSAGES/manual.po
@ -674,6 +674,22 @@ msgstr "File or folder name is incorrect"
 msgid "err_bro_2"
 msgstr "You cannot move or copy a file to the same folder"
 #. Cannot create the requested file. Please check permissions.
 msgid "err_bro_3"
 msgstr "Cannot create the requested file. Please check permissions."
 #. Cannot create the requested directory. Please check permissions.
 msgid "err_bro_4"
 msgstr "Cannot create the requested directory. Please check permissions."
 #. Cannot edit the requested file. Please check permissions.
 msgid "err_bro_5"
 msgstr "Cannot edit the requested file. Please check permissions."
 #. Cannot read the requested file. Please check permissions.
 msgid "err_bro_6"
 msgstr "Cannot read the requested file. Please check permissions."
 #. If we manage your DNS <br />You can manage your mails elsewhere if you want 
 #. (MX field).<br />Write <b><code>%s</code></b> in this field if your mail 
 #. must be managed by %s<br />or put the IP address or name of the mail server 
@ -781,11 +797,6 @@ msgstr "The password is mandatory"
 msgid "err_mysql_21"
 msgstr "The username cannot be empty"
 msgid "err_bro_3"
 msgstr ""
 "You don't have the right to write into this folder. Please check the access "
 "rights."
 # $d,$m,$y,$h,$i,$hh,$am
 #  1  2  3  4  5  6   7
 #, fuzzy
--- a/bureau/locales/fr_FR/LC_MESSAGES/manual.po
+++ b/bureau/locales/fr_FR/LC_MESSAGES/manual.po
@ -692,6 +692,22 @@ msgstr "R
 msgid "err_bro_2"
 msgstr "Vous ne pouvez pas déplacer un fichier dans le même répertoire !"
 #. Cannot create the requested file. Please check permissions.
 msgid "err_bro_3"
 msgstr "Impossible de créer le fichier demandé. Vérifiez les permissions."
 #. Cannot create the requested directory. Please check permissions.
 msgid "err_bro_4"
 msgstr "Impossible de créer le répertoire demandé. Vérifiez les permissions."
 #. Cannot edit the requested file. Please check permissions.
 msgid "err_bro_5"
 msgstr "Impossible de modifier le fichier demandé. Vérifiez les permissions."
 #. Cannot read the requested file. Please check permissions.
 msgid "err_bro_6"
 msgstr "Impossible de lire le fichier demandé. Vérifiez les permissions."
 #. If we manage your DNS <br />You can manage your mails elsewhere if you want 
 #. (MX field).<br />Write <b><code>%s</code></b> in this field if your mail 
 #. must be managed by %s<br />or put the IP address or name of the mail server 
@ -788,11 +804,6 @@ msgstr "Le mot de passe est obligatoire"
 msgid "err_mysql_21"
 msgstr "Le nom d'utilisateur ne peut pas être vide"
 msgid "err_bro_3"
 msgstr ""
 "Vous n'avez pas le droit d'écrire dans ce répertoire. Vérifiez les droits "
 "d'accès !"
 # $d,$m,$y
 #  1  2  3 
 msgid "%3$d-%2$d-%1$d"