
Changeset 1676599


Timestamp:
06/12/17 11:33:01 (7 weeks ago)
Author:
mndpsingh287
Message:

fixed security bug

Location:
wp-file-manager/trunk
Files:
4 edited

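--- a/wp-file-manager/trunk/file_folder_manager.php
+++ b/wp-file-manager/trunk/file_folder_manager.php
@@ -104,23 +104,26 @@
         public function mk_file_folder_manager_action_callback()
         {
-            require 'lib/php/autoload.php';
-            $opts = array(
-           'debug' => false,
-           'roots' => array(
-            array(
-                'driver'        => 'LocalFileSystem',           // driver for accessing file system (REQUIRED)
-                'path'          => ABSPATH, // path to files (REQUIRED)
-                'URL'           => site_url(), // URL to files (REQUIRED)
-                'uploadDeny'    => array(),                // All Mimetypes not allowed to upload
-                'uploadAllow'   => array('image', 'text/plain'),// Mimetype `image` and `text/plain` allowed to upload
-                'uploadOrder'   => array('deny', 'allow'),      // allowed Mimetype `image` and `text/plain` only
-                'accessControl' => 'access',                     // disable and hide dot starting files (OPTIONAL)
-                'acceptedName' => 'validName'
+            $nonce = $_REQUEST['_wpnonce'];
+            if ( wp_verify_nonce( $nonce, 'wp-file-manager' ) ) {
+                 require 'lib/php/autoload.php';
+                        $opts = array(
+                       'debug' => false,
+                       'roots' => array(
+                        array(
+                            'driver'        => 'LocalFileSystem',           // driver for accessing file system (REQUIRED)
+                            'path'          => ABSPATH, // path to files (REQUIRED)
+                            'URL'           => site_url(), // URL to files (REQUIRED)
+                            'uploadDeny'    => array(),                // All Mimetypes not allowed to upload
+                            'uploadAllow'   => array('image', 'text/plain'),// Mimetype `image` and `text/plain` allowed to upload
+                            'uploadOrder'   => array('deny', 'allow'),      // allowed Mimetype `image` and `text/plain` only
+                            'accessControl' => 'access',                     // disable and hide dot starting files (OPTIONAL)
+                            'acceptedName' => 'validName'
+                        )
                     )
-                )
-            );
-            //run elFinder
-            $connector = new elFinderConnector(new elFinder($opts));
-            $connector->run();
+                );
+                //run elFinder
+                $connector = new elFinderConnector(new elFinder($opts));
+                $connector->run();
+            }
             die;
         }
@@ -132,11 +135,11 @@
         public function load_help_desk() {
            $mkcontent = '';
-           $mkcontent .='<div class="wfmrs" style="display:none">';
+           $mkcontent .='<div class="wfmrs">';
            $mkcontent .='<div class="l_wfmrs">';
            $mkcontent .='';
            $mkcontent .='</div>';
-           $mkcontent .='<div class="r_wfmrs">';
-             $mkcontent .='<a class="close_fm_help fm_close_btn" href="javascript:void(0)" data-ct="rate_later" title="close">X</a><strong>WP File Manager</strong><p>We love and care about you. Our team is putting maximum efforts to provide you the best functionalities. It would be highly appreciable if you could spend a couple of seconds to give a Nice Review to the plugin to appreciate our efforts. So we can work hard to provide new features regularly :)</p></div><a class="close_fm_help fm_close_btn_1" href="javascript:void(0)" data-ct="rate_later" title="Remind me later">Later</a> <a class="close_fm_help fm_close_btn_2" href="https://wordpress.org/support/plugin/wp-file-manager/reviews/?filter=5" data-ct="rate_now" title="Rate us now" target="_blank">Rate Us</a> <a class="close_fm_help fm_close_btn_3" href="javascript:void(0)" data-ct="rate_never" title="Not interested">Never</a>';
-           $mkcontent .='<div class="clear"></div></div>';
+           $mkcontent .='<div class="r_wfmrs">';
+           $mkcontent .='<a class="close_fm_help fm_close_btn" href="javascript:void(0)" data-ct="rate_later" title="close">X</a><strong>WP File Manager</strong><p>We love and care about you. Our team is putting maximum efforts to provide you the best functionalities. It would be highly appreciable if you could spend a couple of seconds to give a Nice Review to the plugin to appreciate our efforts. So we can work hard to provide new features regularly :)</p><a class="close_fm_help fm_close_btn_1" href="javascript:void(0)" data-ct="rate_later" title="Remind me later">Later</a> <a class="close_fm_help fm_close_btn_2" href="https://wordpress.org/support/plugin/wp-file-manager/reviews/?filter=5" data-ct="rate_now" title="Rate us now" target="_blank">Rate Us</a> <a class="close_fm_help fm_close_btn_3" href="javascript:void(0)" data-ct="rate_never" title="Not interested">Never</a>';
+           $mkcontent .='</div></div>';
           if ( false === ( $mk_fm_close_fm_help_c = get_transient( 'mk_fm_close_fm_help_c' ) ) ) {
                echo apply_filters('the_content', $mkcontent);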
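Review bot: The new guard at the top of mk_file_folder_manager_action_callback verifies only the nonce, and a nonce is a CSRF token rather than an authorization check, so any request that carries a valid `_wpnonce` reaches an elFinder connector rooted at ABSPATH without any capability test. Add a capability check next to the nonce, e.g. `if ( ! current_user_can( 'manage_options' ) || ! wp_verify_nonce( $nonce, 'wp-file-manager' ) ) { wp_die( 'Forbidden', '', array( 'response' => 403 ) ); }`, so a failed check returns an explicit 403 rather than the silent `die` the client cannot distinguish from an empty response. `$_REQUEST['_wpnonce']` is also read without an isset guard, which raises an undefined-index notice on every request that omits it; `check_ajax_referer( 'wp-file-manager', '_wpnonce' )` covers both the missing and the invalid case in one call. The hook registration for this handler is outside the hunk, so whether it is also exposed on a nopriv action cannot be confirmed from here.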
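--- a/wp-file-manager/trunk/js/fm_script.js
+++ b/wp-file-manager/trunk/js/fm_script.js
@@ -4,5 +4,6 @@
   jQuery(document).ready(function() {
                jQuery('#wp_file_manager').elfinder({
-                   url : ajaxurl+'?action=mk_file_folder_manager',
+                   url : ajaxurl,
+                   customData : {action: 'mk_file_folder_manager', _wpnonce: security_key },
                    uploadMaxChunkSize : 1048576000000,
                });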
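Review bot: `security_key` on the added customData line is a bare global that is defined by an inline `<script>` in another file (the wpfilemanager.php section of this changeset), so if fm_script.js executes before that inline block, or on a page that does not render it, this callback throws a ReferenceError and elFinder is never initialised. Hand the nonce to the script where it is enqueued instead, with `wp_localize_script( '<script-handle>', 'wpfm', array( 'nonce' => wp_create_nonce( 'wp-file-manager' ) ) )`, and read `_wpnonce: wpfm.nonce` here; that guarantees the value is emitted before the script runs and keeps it off the global scope. The document-ready callback that opens this hunk continues past its last line.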
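--- a/wp-file-manager/trunk/lib/wpfilemanager.php
+++ b/wp-file-manager/trunk/lib/wpfilemanager.php
@@ -1,5 +1,9 @@
 <?php if ( ! defined( 'ABSPATH' ) ) exit; ?>
 <div class="wrap">
-<?php
+<?php $fm_nonce = wp_create_nonce( 'wp-file-manager' ); ?>
+<script>
+var security_key = "<?php echo $fm_nonce;?>";
+</script>
+<?php
 $this->load_custom_assets();
 $this->load_help_desk();?>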
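Review bot: The added line `var security_key = "<?php echo $fm_nonce;?>";` echoes a PHP value straight into a JavaScript string literal with no output escaping. wp_create_nonce() currently returns a short hex-like token, so this is not exploitable as written, but it breaks the escape-on-output convention and will be flagged by the WordPress coding-standards sniff; write it as `var security_key = "<?php echo esc_js( $fm_nonce ); ?>";` or emit the value with `wp_json_encode()`. The template after `$this->load_help_desk();` lies outside the hunk.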
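--- a/wp-file-manager/trunk/readme.txt
+++ b/wp-file-manager/trunk/readme.txt
@@ -4,5 +4,5 @@
 Tags: wp-file-manager, elfinder,file manager, ftp, wordpress file manager,file manager, Upload Files, WP File Manager, File Manage, Edit Files, Delete Files, FTP, filemanager, wpfilemanager, ftp, file transfer, update, create, delete, view, rename, editor, Cpanel, Control Panel, Admin, Shortcode
 Requires at least: 4.0
-Tested up to: 4.7.3
+Tested up to: 4.8
 Stable tag: 1.6
 License: GPLv2 or later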