From aef4f58e8a6a0c0d267e16b6204acd9be8a69d90 Mon Sep 17 00:00:00 2001 From: Benjamin Sonntag Date: Mon, 23 May 2016 16:08:23 +0200 Subject: [PATCH] [wip] fixing errors brought by the big security changes... update browser preferences fix + some post/get/request messup + zip not working properly --- bureau/admin/adm_login.php | 2 +- bureau/admin/bro_editor.php | 8 ++++---- bureau/admin/browseforfolder2.php | 6 +++--- bureau/admin/ftp_doedit.php | 4 ++++ bureau/admin/hta_add.php | 2 +- bureau/class/m_bro.php | 7 ++++--- 6 files changed, 17 insertions(+), 12 deletions(-) diff --git a/bureau/admin/adm_login.php b/bureau/admin/adm_login.php index 512425ee..8c98d268 100644 --- a/bureau/admin/adm_login.php +++ b/bureau/admin/adm_login.php @@ -36,7 +36,7 @@ require_once("../class/config.php"); */ $fields = array ( - "id" => array ("post", "integer", ""), + "id" => array ("get", "integer", ""), ); getFields($fields); diff --git a/bureau/admin/bro_editor.php b/bureau/admin/bro_editor.php index 953c0c54..536ca192 100755 --- a/bureau/admin/bro_editor.php +++ b/bureau/admin/bro_editor.php @@ -30,12 +30,12 @@ require_once("../class/config.php"); $fields = array ( - "editfile" => array ("post", "string", ""), + "editfile" => array ("request", "string", ""), "texte" => array ("post", "string", ""), "save" => array ("post", "string", ""), "saveret" => array ("post", "string", ""), "cancel" => array ("post", "string", ""), - "R" => array ("post", "string", ""), + "R" => array ("request", "string", ""), ); getFields($fields); @@ -72,7 +72,7 @@ include_once("head.php"); ?>
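Review bot: `id` on adm_login.php is now read from the query string, so whatever this page does with it becomes reachable from a plain link rather than a submitted form; if it switches the admin session to account `id` (the file name suggests so, but the handler is outside the hunk), that is a state change on GET and it loses the CSRF protection a POST-only form gives. If the same security series introduced a per-request token, its check should cover this path as well; otherwise keep `"id" => array ("post", "integer", "")` and make the caller submit a form. The other source changes in this commit (`editfile`/`R` in bro_editor.php and `dir` in hta_add.php to `"request"`) read as pre-filling form fields, but note that `$_REQUEST` also merges cookies under PHP's default `variables_order` when `request_order` is unset — confirm getFields() only merges GET and POST for `"request"`.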

$error

"; ?> -

$R/$editfile
"; ?>

+

".ehe($R,false)."/".ehe($editfile,false)."
"; ?>

$content";
".$error."

"; ?> - + " name="save" /> " name="saveret" /> diff --git a/bureau/admin/browseforfolder2.php b/bureau/admin/browseforfolder2.php index 5db25788..1c56f64e 100755 --- a/bureau/admin/browseforfolder2.php +++ b/bureau/admin/browseforfolder2.php @@ -141,9 +141,9 @@ if ($errbrowsefold) {

- - - + + +
diff --git a/bureau/admin/ftp_doedit.php b/bureau/admin/ftp_doedit.php index 35697bf3..4cee5a72 100755 --- a/bureau/admin/ftp_doedit.php +++ b/bureau/admin/ftp_doedit.php @@ -67,8 +67,12 @@ if (!$r) { $rr[0]["dir"]=$dir; include_once("ftp_edit.php"); exit(); +} else { +if ($create) { + $error=_("The ftp account has been successfully created"); } else { $error=_("The ftp account has been successfully saved"); +} include("ftp_list.php"); exit(); } diff --git a/bureau/admin/hta_add.php b/bureau/admin/hta_add.php index 1b18ba1e..27ceb961 100755 --- a/bureau/admin/hta_add.php +++ b/bureau/admin/hta_add.php @@ -31,7 +31,7 @@ require_once("../class/config.php"); include_once("head.php"); $fields = array ( - "dir" => array ("post", "string", ""), + "dir" => array ("request", "string", ""), ); getFields($fields); diff --git a/bureau/class/m_bro.php b/bureau/class/m_bro.php index ced5666b..9d970068 100644 --- a/bureau/class/m_bro.php +++ b/bureau/class/m_bro.php @@ -275,7 +275,7 @@ class m_bro { if ($db->num_rows() == 0) { $db->query("INSERT INTO browser (editsizex, editsizey, listmode, showicons, downfmt, createfile, showtype, uid, editor_font, editor_size, golastdir) VALUES (70, 21, 0, 0, 0, 0, 0, ?,'Arial, Helvetica, Sans-serif','12px',1);", array(intval($cuid))); } - $db->query("UPDATE browser SET editsizex= ?, editsizey= ?, listmode= ?, showicons= ?, downfmt= ?, createfile= ?, showtype= ?, editor_font= ?, editor_size= e, golastdir= ? WHERE uid= ?;", array($editsizex, $editsizey, $downfmt, $createfile, $showtype, $editor_font, $editor_size, $golastdir, intval($cuid))); + $db->query("UPDATE browser SET editsizex= ?, editsizey= ?, listmode= ?, showicons= ?, downfmt= ?, createfile= ?, showtype= ?, editor_font= ?, editor_size= ?, golastdir= ? WHERE uid= ?;", array($editsizex, $editsizey, $listmode, $showicons, $downfmt, $createfile, $showtype, $editor_font, $editor_size, $golastdir, intval($cuid))); return true; } 
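Review bot: The inserted `if ($create) {` and its closing `}` in ftp_doedit.php sit at column 0 inside the `else` block while the assignments between them are indented, so the new nesting is hard to follow against the surrounding brace layout. A single conditional assignment keeps the block flat: `$error = $create ? _("The ftp account has been successfully created") : _("The ftp account has been successfully saved");`. The enclosing `if (!$r)` opens before the hunk.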
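Review bot: The UPDATE in m_bro.php now binds all eleven placeholders in the right order, but the method still ends with an unconditional `return true;`, so a failed UPDATE (or the preceding INSERT) is reported to the caller as success. If `$db->query()` returns false on error, use it: `if (!$db->query("UPDATE browser SET ... WHERE uid= ?;", array(...))) return false;` ahead of the `return true;`. The method's signature and the `$editsizex` .. `$golastdir` parameters are outside the hunk, so confirm the failure convention it uses elsewhere.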
@@ -1070,9 +1070,10 @@ class m_bro {
 header("Content-Disposition: attachment; filename=" . $mem->user["login"] . ".zip");
 header("Content-Type: application/x-zip");
 header("Content-Transfer-Encoding: binary");
- $d = escapeshellarg($this->convertabsolute($dir, false));
+ $d = $this->convertabsolute($dir, false);
 set_time_limit(0);
- passthru("/usr/bin/zip -r - $d");
+ chdir(dirname($d));
+ passthru("/usr/bin/zip -r - ".escapeshellarg(basename($d)));
 }
 
 /**
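Review bot: `chdir(dirname($d))` on the new side is unchecked, so if it fails `zip -r -` runs against whatever the previous working directory was, and on success it leaves the process cwd changed for the rest of the request, so any later relative path in the same request resolves somewhere else. The three `header()` calls are sent before the target is resolved, so once the path turns out to be unusable there is no clean way to report it. Resolve the path and change directory first, restore the cwd after `passthru`, and bail out before the headers when either step fails; the enclosing method opens outside the hunk, so use whatever it returns on failure elsewhere (`return false` below is a placeholder for that).
```php
$d = $this->convertabsolute($dir, false);
$cwd = getcwd();
// Enter the parent directory before sending any header so a failure can
// still be reported; zip then receives only the escaped base name.
// NOTE(review): assumes convertabsolute() returns false for a rejected path — confirm.
if ($d === false || !chdir(dirname($d))) {
    return false; // TODO(review): use this method's usual failure return
}
header("Content-Disposition: attachment; filename=" . $mem->user["login"] . ".zip");
header("Content-Type: application/x-zip");
header("Content-Transfer-Encoding: binary");
set_time_limit(0);
passthru("/usr/bin/zip -r - " . escapeshellarg(basename($d)));
chdir($cwd); // restore the cwd so later relative paths in this request are unaffected
```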