Changeset 2452008

Timestamp:

01/07/2021 03:18:08 PM (5 years ago)

Author:

themexa

Message:

v2.6 - Security nonces added and verified

Location:

secure-file-manager/trunk

Files:

• includes/assets.php (modified) (2 diffs)
• readme.txt (modified) (2 diffs)
• secure-file-manager.php (modified) (2 diffs)
• vendor/elfinder/js/script.js (modified) (1 diff)
• vendor/elfinder/php/connector.minimal.php (modified) (2 diffs)

secure-file-manager/trunk/includes/assets.php

@@ -17 +17 @@
         return;
     }
+
+    $sfmp_nonce_key = wp_create_nonce( 'secure-file-manager-pro' );
 
     wp_enqueue_style( 'sfm-admin-normalize',  plugin_dir_url( dirname( __FILE__ ) ) . 'assets/admin/css/normalize.css' );
@@ -40 +42 @@
     wp_localize_script('sfm-admin-vendor-script', 'elfScript', array(
         'pluginsDirUrl' => plugin_dir_url( dirname( __FILE__ ) ),
+        'sfmpNonceKey' => $sfmp_nonce_key
     ));
     wp_enqueue_script( 'sfm-admin-script',  plugin_dir_url( dirname( __FILE__ ) ) . 'assets/admin/js/plugin-admin-script.js' );

secure-file-manager/trunk/readme.txt

@@ -4 +4 @@
 Donate link: https://www.themexa.com
 Requires at least: 4.0
-Tested up to: 5.4.2
-Requires PHP: 5.6
-Stable tag: 2.5
+Tested up to: 5.6
+Requires PHP: 7.1
+Stable tag: 2.6
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
@@ -111 +111 @@
 * Compatible with WordPress 5.4.2
 
+= 2.6 =
+* Security nonces added to AJAX requests
+
 == Upgrade Notice ==
 = 1.0 =

secure-file-manager/trunk/secure-file-manager.php

@@ -3 +3 @@
 /**
  * @package Secure File Manager
- * @version 2.5
+ * @version 2.6
  */
 
@@ -11 +11 @@
 Description: Most Beautiful and Secure WordPress File Manager
 Author: Themexa
-Version: 2.5
+Version: 2.6
 Author URI: https://www.themexa.com
 License: GPL2

secure-file-manager/trunk/vendor/elfinder/js/script.js

@@ -6 +6 @@
                 cssAutoLoad : false,               // Disable CSS auto loading
                 baseUrl : './',                    // Base URL to css/*, js/*
-                url : elfScript.pluginsDirUrl + '/vendor/elfinder/php/connector.minimal.php'
+                url : elfScript.pluginsDirUrl + '/vendor/elfinder/php/connector.minimal.php',
+                customData : {_wpnonce: elfScript.sfmpNonceKey },
                 // , lang: 'ru'                    // language (OPTIONAL)
             },

secure-file-manager/trunk/vendor/elfinder/php/connector.minimal.php

@@ -259 +259 @@
 function runConnector() {
 
+    $nonce = $_REQUEST['_wpnonce'];
+
+    if ( wp_verify_nonce( $nonce, 'secure-file-manager-pro' ) ){
+        $connectorOptions = array(
+            'driver'     => 'LocalFileSystem',
+            'path'       => getcwd().'../../../../../../../',
+            'startPath'  => getcwd().'../../../../../../../',
+            'URL'        => dirname($_SERVER['PHP_SELF']) . '/../files/',
+            'trashHash'  => 't1_Lw',                     // elFinder's hash of trash folder
+            'winHashFix' => DIRECTORY_SEPARATOR !== '/', // to make hash same to Linux one on windows too
+            'mimeDetect' => 'internal',
+            'tmbPath'    => '.tmb',
+            'utf8fix'    => true,
+            'tmbCrop'    => false,
+            'tmbBgColor' => 'transparent',
+            'accessControl' => 'access',
+            'acceptedName'    => '/^[^\.].*$/',
+            'attributes' => array(
+                array(
+                    'pattern' => '/\.js$/',
+                    'read' => true,
+                    'write' => false
+                ),
+                array(
+                    'pattern' => '/^\/icons$/',
+                    'read' => true,
+                    'write' => false
+                )
+            ),
+            'uploadDeny'  => array('all'),                // All Mimetypes not allowed to upload
+            'uploadAllow' => array('image/x-ms-bmp', 'image/gif', 'image/jpeg', 'image/png', 'image/x-icon', 'text/plain', 'text/x-php', 'application/zip', 'application/pdf', 'text/css'), // Mimetype `image` and `text/plain` allowed to upload
+            'uploadOrder' => array('deny', 'allow'),      // allowed Mimetype `image` and `text/plain` only
+        );
+    } else {
+        $connectorOptions = array(
+            'driver'     => 'LocalFileSystem',
+            'path'       => getcwd().'../../../../../../../',
+            'startPath'  => getcwd().'../../../../../../../',
+            'URL'        => dirname($_SERVER['PHP_SELF']) . '/../files/',
+            'trashHash'  => 't1_Lw',                     // elFinder's hash of trash folder
+            'winHashFix' => DIRECTORY_SEPARATOR !== '/', // to make hash same to Linux one on windows too
+            'mimeDetect' => 'internal',
+            'tmbPath'    => '.tmb',
+            'utf8fix'    => true,
+            'tmbCrop'    => false,
+            'tmbBgColor' => 'transparent',
+            'accessControl' => 'access',
+            'acceptedName'    => '/^[^\.].*$/',
+            'disabled' => array('abort','archive','callback','chmod','dim','duplicate','editor','extract','file','get','info','ls','mkdir','mkfile','netmount','open','parents','paste','ping','put','rename','resize','rm','search','size','tmb','tree','upload','url','zipdl'),
+            'attributes' => array(
+                array(
+                    'pattern' => '/\.js$/',
+                    'read' => true,
+                    'write' => false
+                ),
+                array(
+                    'pattern' => '/^\/icons$/',
+                    'read' => true,
+                    'write' => false
+                )
+            ),
+            'uploadDeny'  => array('all'),                // All Mimetypes not allowed to upload
+            'uploadAllow' => array('image/x-ms-bmp', 'image/gif', 'image/jpeg', 'image/png', 'image/x-icon', 'text/plain', 'text/x-php', 'application/zip', 'application/pdf', 'text/css'), // Mimetype `image` and `text/plain` allowed to upload
+            'uploadOrder' => array('deny', 'allow'),      // allowed Mimetype `image` and `text/plain` only
+        );
+    }
+
     $opts = array(
         'locale' => 'en_US.UTF-8',
@@ -268 +335 @@
         'netVolumesSessionKey' => 'netVolumes',
         'roots' => array(
-            array(
-                'driver'     => 'LocalFileSystem',
-                'path'       => getcwd().'../../../../../../../',
-                'startPath'  => getcwd().'../../../../../../../',
-                'URL'        => dirname($_SERVER['PHP_SELF']) . '/../files/',
-                'trashHash'  => 't1_Lw',                     // elFinder's hash of trash folder
-                'winHashFix' => DIRECTORY_SEPARATOR !== '/', // to make hash same to Linux one on windows too
-                // 'treeDeep'   => 3,
-                // 'alias'      => 'File system',
-                'mimeDetect' => 'internal',
-                'tmbPath'    => '.tmb',
-                'utf8fix'    => true,
-                'tmbCrop'    => false,
-                'tmbBgColor' => 'transparent',
-                'accessControl' => 'access',
-                'acceptedName'    => '/^[^\.].*$/',
-                // 'disabled' => array('extract', 'archive'),
-                // 'tmbSize' => 128,
-                'attributes' => array(
-                    array(
-                        'pattern' => '/\.js$/',
-                        'read' => true,
-                        'write' => false
-                    ),
-                    array(
-                        'pattern' => '/^\/icons$/',
-                        'read' => true,
-                        'write' => false
-                    )
-                ),
-                'uploadDeny'  => array('all'),                // All Mimetypes not allowed to upload
-                'uploadAllow' => array('image/x-ms-bmp', 'image/gif', 'image/jpeg', 'image/png', 'image/x-icon', 'text/plain', 'text/x-php', 'application/zip', 'application/pdf', 'text/css'), // Mimetype `image` and `text/plain` allowed to upload
-                'uploadOrder' => array('deny', 'allow'),      // allowed Mimetype `image` and `text/plain` only
-            ),
+            $connectorOptions,
             // Trash volume
             array(