Fixes #68 Fixes #1256 Fixes #1134 : browser now check every action : mkdir, createfile, move, rename, read, write. Also removes the 'drag&drop' in browser editor

.gitattributes

@@ -226,7 +226,6 @@ bureau/admin/js/jquery_ui/js/jquery.ui.datepicker-es.js -text
 bureau/admin/js/jquery_ui/js/jquery.ui.datepicker-fr.js -text
 bureau/admin/js/prototype.js -text
 bureau/admin/js/rico.js -text
-bureau/admin/js/wz_dragdrop.js -text
 bureau/admin/login.php -text
 bureau/admin/logo.png -text
 bureau/admin/logo2.png -text

bureau/admin/bro_editor.php

@@ -40,27 +40,37 @@ if ($cancel) {
 	exit();
 }
 if ($saveret) {
-	$bro->Save($editfile,$R,$texte);
+  if ($bro->Save($editfile,$R,$texte)) {
-	$error=sprintf(_("Your file %s has been saved"),$editfile)." (".format_date('%3$d-%2$d-%1$d %4$d:%5$d',date("Y-m-d H:i:s")).")";
+    $error=sprintf(_("Your file %s has been saved"),$editfile)." (".format_date('%3$d-%2$d-%1$d %4$d:%5$d',date("Y-m-d H:i:s")).")";
-	include("bro_main.php");
+  } else {
-	exit();
+    $error=$err->errstr();
+  }
+  include("bro_main.php");
+  exit();
 }
 if ($save) {
-	$bro->Save($editfile,$R,$texte);
+  if ($bro->Save($editfile,$R,$texte)) {
-	$error=sprintf(_("Your file %s has been saved"),$editfile)." (".format_date('%3$d-%2$d-%1$d %4$d:%5$d',date("Y-m-d H:i:s")).")";
+    $error=sprintf(_("Your file %s has been saved"),$editfile)." (".format_date('%3$d-%2$d-%1$d %4$d:%5$d',date("Y-m-d H:i:s")).")";
+  } else {
+    $error=$err->errstr();
+  }
 }
 
 include_once("head.php");
 
 ?>
 <p>
-<?php if ($error) echo "<font color=\"red\">$error</font><br />"; ?>
+<?php if ($error) echo "<p class=\"error\">$error</p>"; ?>
 <?php echo _("File editing")." <code>$R/<b>$editfile</b></code><br />"; ?>
 </p>
 <form action="bro_editor.php" method="post"><br />
 <div id="resizer" style="left: 0px; top: 0px; z-index: 54; width: <?php echo $p["editsizex"]*8; ?>px; height: <?php echo $p["editsizey"]*8; ?>px; cursor: auto;"><textarea class="int" style="font-family: <?php echo $p["editor_font"]; ?>; font-size: <?php echo $p["editor_size"]; ?>; width: 90%; height: 90%;" name="texte"><?php
-$bro->content($R,$editfile);
+  $failed=false;
-?></textarea><img src="/admin/icon/winresize.gif" alt="<?php __("ctrl+click or shift+click and drag to resize the editing zone"); ?>" title="<?php __("ctrl+click or shift+click and drag to resize the editing zone"); ?>" height="20" width="20" /></div><br />
+  if (!$bro->content($R,$editfile)) {
+    $failed=true;
+  }
+?></textarea>
+<?php if ($failed) echo "<p class=\"error\">".$err->errstr()."</p>"; ?>
 	<input type="hidden" name="editfile" value="<?php echo str_replace("\"","&quot;",$editfile); ?>" />
 	<input type="hidden" name="R" value="<?php echo str_replace("\"","&quot;",$R); ?>" />
 
@@ -68,10 +78,5 @@ $bro->content($R,$editfile);
 	<input type="submit" class="inb" value="<?php __("Save &amp; Quit"); ?>" name="saveret" />
 	<input type="submit" class="inb" value="<?php __("Quit"); ?>" name="cancel" />
 <br />
-<script type="text/javascript">
-<!--
-SET_DHTML("resizer"+RESIZABLE);
-//-->
-</script>
 </form>
 <?php include_once("foot.php"); ?>

bureau/admin/head.php

@@ -37,7 +37,6 @@ if (!$charset) $charset="iso-8859-1";
 <link rel="stylesheet" href="styles/style.css" type="text/css" />
 <meta http-equiv="Content-Type" content="text/html; charset=<?php echo $charset; ?>" />
 <script type="text/javascript" src="js/alternc.js"></script>
-<script type="text/javascript" src="js/wz_dragdrop.js"></script>
 <script src="js/jquery.min.js" type="text/javascript"></script>
 <script src="js/jquery_ui/js/jquery-ui-1.8.10.custom.min.js" type="text/javascript"></script>
 <?php

bureau/class/m_bro.php

@@ -330,7 +330,10 @@ class m_bro {
     $file=ssla($file);
     $absolute=$this->convertabsolute($dir."/".$file,0);
     if ($absolute && !file_exists($absolute)) {
-      mkdir($absolute,00777);
+      if (!@mkdir($absolute,00777)) {
+	$err->raise("bro",4);
+	return false;
+      }
       $db->query("UPDATE browser SET crff=1 WHERE uid='$cuid';");
       return true;
     } else {
@@ -355,7 +358,10 @@ class m_bro {
       return false;
     }
     if (!file_exists($absolute)) {
-      touch($absolute);
+      if (!@touch($absolute)) {
+	$err->raise("bro",3);
+	return false;
+      }
     }
     $db->query("UPDATE browser SET crff=0 WHERE uid='$cuid';");
     return true;
@@ -433,10 +439,7 @@ class m_bro {
       return false;
     }
 
-    // FIXME: check that we don't have a huge security issue here ...
-    // If the destionation (new) doesn't have an absolute path, give it the prefix (old) from the first file found
     if ($new[0] != '/') {
-      // Ex: settings.php will become /var/alternc/html/f/foo/www/example.org/drupal-6.10/sites/default/settings.php
       $new = $old . '/' . $new;
     } else {
       $new = $this->convertabsolute($new,0);
@@ -464,9 +467,10 @@ class m_bro {
    * @param string $R dossier dans lequel se trouve les fichiers à renommer.
    * @param array of string $old Ancien nom des fichiers
    * @param array of string $new Nouveau nom des fichiers
+   * @param $verbose boolean shall we 'echo' what we did ?
    * @return boolean TRUE si les fichiers ont été renommés, FALSE si une erreur s'est produite.
    */
-  function ChangePermissions($R,$d,$perm) {
+  function ChangePermissions($R,$d,$perm,$verbose=true) {
     global $err;
     $absolute=$this->convertabsolute($R,0);
     if (!$absolute) {
@@ -476,7 +480,6 @@ class m_bro {
     for ($i=0;$i<count($d);$i++) {
       $d[$i]=ssla($d[$i]); // strip slashes if needed
       if (!strpos($d[$i],"/")) {  // caractère / interdit dans le nom du fichier
-	// @rename($absolute."/".$old[$i],$absolute."/".$old[$i].$alea);
 	$m = fileperms($absolute."/". $d[$i]);
 
 	// pour l'instant on se limite a "write" pour owner, puisque c'est le seul
@@ -488,7 +491,9 @@ class m_bro {
 	}
 	$m = $m | ($perm[$i]['w'] ? 128 : 0); // 0600
 	chmod($absolute."/".$d[$i], $m);
-	echo "chmod " . sprintf('%o', $m) . " file, was " . sprintf('%o', fileperms($absolute."/". $d[$i])). " -- " . $perm[$i]['w'];
+	if ($verbose) {
+	  echo "chmod " . sprintf('%o', $m) . " file, was " . sprintf('%o', fileperms($absolute."/". $d[$i])). " -- " . $perm[$i]['w'];
+	}
       }
     }
 
@@ -550,16 +555,18 @@ class m_bro {
     }
     $file = escapeshellarg($file);
     $dest = escapeshellarg($dest);
-#TODO new version of tar supports `tar xf ...` so there is no
+    // TODO new version of tar supports `tar xf ...` so there is no
-#     need to specify the compression format
+    //     need to specify the compression format
     exec("tar -xzf $file -C $dest", $void, $ret);
     if ($ret) {
-      #print "tgz extraction failed, moving on to tbz\n";
       exec("tar -xjf $file -C $dest", $void, $ret);
     }
     if ($ret) {
       $cmd = "unzip -o $file -d $dest";
-      #print "tbz extraction failed, moving on to zip: $cmd\n";
+      exec($cmd, $void, $ret);
+    }
+    if ($ret) {
+      $cmd = "gunzip $file";
       exec($cmd, $void, $ret);
     }
     if ($ret) {
@@ -611,64 +618,6 @@ class m_bro {
   function CopyOneFile($src, $dest)
   {
     global $err;
-
-    /*
-     * XXX: Disabled functionality until audit is completed
-     */
-    /*
-    if (substr($src, 0, 7) == "http://") {
-      $filename = basename($src);
-      $extractdir = tempnam("/tmp", "brouteur");
-      unlink($extractdir);
-      mkdir($extractdir);
-
-      if (!$http = @fopen($src, "rb")) {
-        // Try to get a handle on $http with fsockopen instead
-//FIXME we'd better use a real http getter function/class (such as Octopuce_Http_Client (ask Benjamin)
-        ereg('^http://([^/]+)(/.*)$', $src, $eregs);
-        $hostname = $eregs[1];
-        $path = $eregs[2];
-        $http = @fsockopen($hostname, 80);
-        @fputs($http, "GET $path HTTP/1.1\nHost: $hostname\n\n");
-      }
-      if ($http) {
-        // Save the bits
-        $f = fopen("$extractdir/$filename", "wb");
-        while (!feof($http)) {
-          $bin = fgets($http, 16384);
-          fwrite($f, $bin);
-//FIXME if (!trim($bin)) break;
-        }
-        fclose($f);
-        fclose($http);
-      } else {
-        // Dammit, try with wget than
-        exec("wget -q '$src' -O '$extractdir/$filename'", $void, $ret);
-        if ($ret) {
-          $error = _("Unable to download the web application's package.");
-          return false;
-        }
-      }
-
-      // Now extract that package
-      if (!brouteur_extract("$extractdir/$filename", $extractdir)) {
-        $error = _("Unable to extract the files");
-        return false;
-      }
-      unlink("$extractdir/$filename");
-
-      // Corrupt $src since we want to copy $extractdir/packagename
-      $hd = opendir($extractdir);
-      while ($file = readdir($hd)) {
-        if ($file != "." && $file != "..") {
-          $src = "$extractdir/$file";
-          break;
-        }
-      }
-    }
-    */
-
-    // Last step // Copy -R
     $src = escapeshellarg($src);
     $dest = escapeshellarg($dest);
     exec("cp -Rpf $src $dest", $void, $ret);
@@ -718,10 +667,19 @@ class m_bro {
     if (!strpos($file,"/")) {
       $absolute.="/".$file;
       if (file_exists($absolute)) {
-	$content = @file($absolute);
+	$f=fopen($absolute,"rb");
-	for($i=0;$i<count($content);$i++) {
+	if ($f) {
-	  echo str_replace("<","&lt;",str_replace("&","&amp;",$content[$i]));
+	  while ($s=fgets($f,1024)) {
+	    echo str_replace("<","&lt;",str_replace("&","&amp;",$s));
+	  }
+	  fclose($f);
+	} else {
+	  $err->raise("bro",6);
+	  return false;
 	}
+      } else {
+	$err->raise("bro",6);
+	return false;
       }
     } else {
       $err->raise("bro",1);
@@ -783,6 +741,7 @@ class m_bro {
     }
   }
 
+
   /**
    * Return a HTML snippet representing an extraction function only if the mimetype of $name is supported
    */
@@ -810,16 +769,17 @@ class m_bro {
     return false;
   }
 
+
+  /* ------------------------------------------------------------------ */
+  /** Echoes the content of the file $file located in directory $R
+   */
   function content_send($R,$file) {
     global $err;
     $absolute=$this->convertabsolute($R,0);
     if (!strpos($file,"/")) {
       $absolute.="/".$file;
       if (file_exists($absolute)) {
-	$content = @file($absolute);
+	readfile($absolute);
-	for($i=0;$i<count($content);$i++) {
-	  echo stripslashes($content[$i]);
-	}
       }
     } else {
       $err->raise("bro",1);
@@ -827,6 +787,7 @@ class m_bro {
     }
   }
 
+
   /* ----------------------------------------------------------------- */
   /** Sauve le fichier $file dans le dossier $R avec pour contenu $texte
    * le contenu est issu d'un textarea, et ne DOIT PAS contenir de \ ajoutés
@@ -847,6 +808,9 @@ class m_bro {
 	if ($f) {
 	  fputs($f,$texte,strlen($texte));
 	  fclose($f);
+	} else {
+	  $err->raise("bro",5);
+	  return false;
 	}
       }
     } else {
@@ -855,34 +819,36 @@ class m_bro {
     }
   }
 
+
   /* ----------------------------------------------------------------- */
   /** Echo d'un flux .tar.Z contenant tout le contenu du dossier $dir
    * @param string $dir dossier à dumper, relatif à la racine du compte du membre.
    * @return void NE RETOURNE RIEN, et il faut Quitter le script immédiatement après
    */
- function DownloadZ($dir="") {
+  function DownloadZ($dir="") {
-    global $mem;
+    global $mem,$L_ALTERNC_LOC;
     header("Content-Disposition: attachment; filename=".$mem->user["login"].".Z");
     header("Content-Type: application/x-Z");
     header("Content-Transfer-Encoding: binary");
     $d=escapeshellarg(".".$this->convertabsolute($dir,1));
     set_time_limit(0);
-    passthru("/bin/tar -cZ -C /var/alternc/html/".substr($mem->user["login"],0,1)."/".$mem->user["login"]."/ $d");
+    passthru("/bin/tar -cZ -C ".$L_ALTERNC_LOC."/html/".substr($mem->user["login"],0,1)."/".$mem->user["login"]."/ $d");
   }
 
+
   /* ----------------------------------------------------------------- */
   /** Echo d'un flux .tgz contenant tout le contenu du dossier $dir
    * @param string $dir dossier à dumper, relatif à la racine du compte du membre.
    * @return void NE RETOURNE RIEN, et il faut Quitter le script immédiatement après
    */
- function DownloadTGZ($dir="") {
+  function DownloadTGZ($dir="") {
-    global $mem;
+    global $mem,$L_ALTERNC_LOC;
     header("Content-Disposition: attachment; filename=".$mem->user["login"].".tgz");
     header("Content-Type: application/x-tgz");
     header("Content-Transfer-Encoding: binary");
     $d=escapeshellarg(".".$this->convertabsolute($dir,1));
     set_time_limit(0);
-    passthru("/bin/tar -cz -C /var/alternc/html/".substr($mem->user["login"],0,1)."/".$mem->user["login"]."/ $d");
+    passthru("/bin/tar -cz -C ".$L_ALTERNC_LOC."/html/".substr($mem->user["login"],0,1)."/".$mem->user["login"]."/ $d");
   }
   
   
@@ -891,23 +857,24 @@ class m_bro {
    * @param string $dir dossier à dumper, relatif à la racine du compte du membre.
    * @return void NE RETOURNE RIEN, et il faut Quitter le script immédiatement après
    */
- function DownloadTBZ($dir="") {
+  function DownloadTBZ($dir="") {
-    global $mem;
+    global $mem,$L_ALTERNC_LOC;
     header("Content-Disposition: attachment; filename=".$mem->user["login"].".tar.bz2");
     header("Content-Type: application/x-bzip2");
     header("Content-Transfer-Encoding: binary");
     $d=escapeshellarg(".".$this->convertabsolute($dir,1));
     set_time_limit(0);
-    passthru("/bin/tar -cj -C /var/alternc/html/".substr($mem->user["login"],0,1)."/".$mem->user["login"]."/ $d");
+    passthru("/bin/tar -cj -C ".$L_ALTERNC_LOC."/html/".substr($mem->user["login"],0,1)."/".$mem->user["login"]."/ $d");
   }
 
+  
   /* ----------------------------------------------------------------- */
   /** Echo d'un flux .ZIP contenant tout le contenu du dossier $dir
    * @param string $dir dossier à dumper, relatif à la racine du compte du membre.
    * @return void NE RETOURNE RIEN, et il faut Quitter le script immédiatement après
    */
- function DownloadZIP($dir="") {
+  function DownloadZIP($dir="") {
-    global $mem;
+    global $mem,$L_ALTERNC_LOC;
     header("Content-Disposition: attachment; filename=".$mem->user["login"].".zip");
     header("Content-Type: application/x-zip");
     header("Content-Transfer-Encoding: binary");
@@ -916,6 +883,7 @@ class m_bro {
     passthru("/usr/bin/zip -r - $d");
   }
 
+  
   /* ----------------------------------------------------------------- */
   /** Fonction de tri perso utilisé par filelist.
    * @access private
@@ -926,6 +894,7 @@ class m_bro {
     return $a["name"]>$b["name"];
   }
 
+
   /* ----------------------------------------------------------------- */
   /** Efface $file et tous ses sous-dossiers s'il s'agit d'un dossier
    * A UTILISER AVEC PRECAUTION !!!

bureau/locales/en_US/LC_MESSAGES/manual.po

@@ -674,6 +674,22 @@ msgstr "File or folder name is incorrect"
 msgid "err_bro_2"
 msgstr "You cannot move or copy a file to the same folder"
 
+#. Cannot create the requested file. Please check permissions.
+msgid "err_bro_3"
+msgstr "Cannot create the requested file. Please check permissions."
+
+#. Cannot create the requested directory. Please check permissions.
+msgid "err_bro_4"
+msgstr "Cannot create the requested directory. Please check permissions."
+
+#. Cannot edit the requested file. Please check permissions.
+msgid "err_bro_5"
+msgstr "Cannot edit the requested file. Please check permissions."
+
+#. Cannot read the requested file. Please check permissions.
+msgid "err_bro_6"
+msgstr "Cannot read the requested file. Please check permissions."
+
 #. If we manage your DNS <br />You can manage your mails elsewhere if you want 
 #. (MX field).<br />Write <b><code>%s</code></b> in this field if your mail 
 #. must be managed by %s<br />or put the IP address or name of the mail server 
@@ -781,11 +797,6 @@ msgstr "The password is mandatory"
 msgid "err_mysql_21"
 msgstr "The username cannot be empty"
 
-msgid "err_bro_3"
-msgstr ""
-"You don't have the right to write into this folder. Please check the access "
-"rights."
-
 # $d,$m,$y,$h,$i,$hh,$am
 #  1  2  3  4  5  6   7
 #, fuzzy

bureau/locales/fr_FR/LC_MESSAGES/manual.po

@@ -692,6 +692,22 @@ msgstr "R
 msgid "err_bro_2"
 msgstr "Vous ne pouvez pas déplacer un fichier dans le même répertoire !"
 
+#. Cannot create the requested file. Please check permissions.
+msgid "err_bro_3"
+msgstr "Impossible de créer le fichier demandé. Vérifiez les permissions."
+
+#. Cannot create the requested directory. Please check permissions.
+msgid "err_bro_4"
+msgstr "Impossible de créer le répertoire demandé. Vérifiez les permissions."
+
+#. Cannot edit the requested file. Please check permissions.
+msgid "err_bro_5"
+msgstr "Impossible de modifier le fichier demandé. Vérifiez les permissions."
+
+#. Cannot read the requested file. Please check permissions.
+msgid "err_bro_6"
+msgstr "Impossible de lire le fichier demandé. Vérifiez les permissions."
+
 #. If we manage your DNS <br />You can manage your mails elsewhere if you want 
 #. (MX field).<br />Write <b><code>%s</code></b> in this field if your mail 
 #. must be managed by %s<br />or put the IP address or name of the mail server 
@@ -788,11 +804,6 @@ msgstr "Le mot de passe est obligatoire"
 msgid "err_mysql_21"
 msgstr "Le nom d'utilisateur ne peut pas être vide"
 
-msgid "err_bro_3"
-msgstr ""
-"Vous n'avez pas le droit d'écrire dans ce répertoire. Vérifiez les droits "
-"d'accès !"
-
 # $d,$m,$y
 #  1  2  3 
 msgid "%3$d-%2$d-%1$d"