
Changeset 3319016


Timestamp:
06/28/2025 03:35:52 AM (6 months ago)
Author:
ninjateam
Message:

Version 1.9

Location:
filester/trunk
Files:
6 edited

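--- a/filester/trunk/assets/js/file_manager_admin.js
+++ b/filester/trunk/assets/js/file_manager_admin.js
@@ -209,4 +209,5 @@
       const enable_htaccess = jQuery("#enable_htaccess").is(":checked")
       const enable_trash = jQuery("#enable_trash").is(":checked")
+      const enable_sensitive_protection = jQuery("#enable_sensitive_protection").is(":checked")
       const data = {
         'nonce': wpData.nonce,
@@ -218,5 +219,6 @@
         'fm_locale': fm_locale,
         'enable_htaccess': enable_htaccess,
-        'enable_trash': enable_trash
+        'enable_trash': enable_trash,
+        'enable_sensitive_protection': enable_sensitive_protection
 
       }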
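--- a/filester/trunk/includes/File_manager/FileManager.php
+++ b/filester/trunk/includes/File_manager/FileManager.php
@@ -53,5 +53,6 @@
                 'njt_fs_file_manager_settings' => array(
                     'root_folder_path' =>  ABSPATH,
-                    'root_folder_url' => site_url()
+                    'root_folder_url' => site_url(),
+                    'enable_sensitive_protection' => '1'
                 ),
             );
@@ -290,28 +291,10 @@
                     'uploadDeny'    => array('htaccess'),
                     //'acceptedName' => 'validName',
-                    'attributes' => array(
-                        array(
-                            'pattern' => '/.htaccess/',
-                            'read' => true,
-                            'write' => false,
-                            'hidden' => false,
-                            'locked' => true
-                        )
-                    ) // default is empty
+                    'attributes' => array() // default is empty
                 ),
             ),
         );
 
-        // .htaccess
-        if(isset($this->options['njt_fs_file_manager_settings']['enable_htaccess']) && ($this->options['njt_fs_file_manager_settings']['enable_htaccess'] == '1')) {
-            $attributes = array(
-                'pattern' => '/.htaccess/',
-                'read' => true,
-                'write' => false,
-                'hidden' => true,
-                'locked' => true
-            );
-            array_push($opts['roots'][0]['attributes'], $attributes);
-        }
+   
 
         //Enable Trash
@@ -483,5 +466,39 @@
        }
 
-        
+        // Sensitive files protection
+        if(isset($this->options['njt_fs_file_manager_settings']['enable_sensitive_protection']) && ($this->options['njt_fs_file_manager_settings']['enable_sensitive_protection'] == '1')) {
+            $sensitive_files = apply_filters('njt_fs_sensitive_files', array(
+                '.htaccess',
+                'wp-config.php',
+                '.env',
+                'wp-config-sample.php',
+                'readme.html',
+                'license.txt',
+                'xmlrpc.php'
+            ));
+
+            foreach ($sensitive_files as $file) {
+                $attributes = array(
+                    'pattern' => '/' . preg_quote($file, '/') . '/',
+                    'read' => $this->canAccessSensitiveFiles(),
+                    'write' => $this->canEditSensitiveFiles(),
+                    'hidden' => !$this->canAccessSensitiveFiles(),
+                    'locked' => !$this->canEditSensitiveFiles()
+                );
+                array_push($opts['roots'][0]['attributes'], $attributes);
+            }
+        }
+
+        // .htaccess
+        if(isset($this->options['njt_fs_file_manager_settings']['enable_htaccess']) && ($this->options['njt_fs_file_manager_settings']['enable_htaccess'] == '1')) {
+            $attributes = array(
+                'pattern' => '/.htaccess/',
+                'read' => true,
+                'write' => false,
+                'hidden' => true,
+                'locked' => true
+            );
+            array_push($opts['roots'][0]['attributes'], $attributes);
+        }
 
         //End --setting User Role Restrictions
@@ -566,4 +583,5 @@
         $enable_htaccess =  isset($_POST['enable_htaccess']) && $_POST['enable_htaccess'] == 'true' ? 1 : 0;
         $enable_trash = isset($_POST['enable_trash']) && $_POST['enable_trash'] == 'true' ? 1 : 0;
+        $enable_sensitive_protection = isset($_POST['enable_sensitive_protection']) && $_POST['enable_sensitive_protection'] == 'true' ? 1 : 0;
         //save options
         $this->options['njt_fs_file_manager_settings']['root_folder_path'] = $root_folder_path;
@@ -574,4 +592,5 @@
         $this->options['njt_fs_file_manager_settings']['enable_htaccess'] = $enable_htaccess;
         $this->options['njt_fs_file_manager_settings']['enable_trash'] = $enable_trash;
+        $this->options['njt_fs_file_manager_settings']['enable_sensitive_protection'] = $enable_sensitive_protection;
         //update options
         update_option('njt_fs_settings', $this->options);
@@ -618,3 +637,21 @@
     }
 
+    public function canAccessSensitiveFiles() {
+        // Filter hook for developers
+        if (apply_filters('njt_fs_allow_sensitive_access', false)) {
+            return true;
+        }
+       
+        return false;
+    }
+
+    public function canEditSensitiveFiles() {
+        // Filter hook for developers
+        if (apply_filters('njt_fs_allow_sensitive_edit', false)) {
+            return true;
+        }
+       
+        return false;
+    }
+
 }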
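Review bot: The sensitive-file protection never consults the user's role: canAccessSensitiveFiles() and canEditSensitiveFiles() return false for everyone unless a developer hooks `njt_fs_allow_sensitive_access` / `njt_fs_allow_sensitive_edit`, so with the option on even administrators can no longer read or edit wp-config.php, .env and the rest through the file manager. If the settings-page wording ("Only administrators can access") is the intent, seed the filters with a capability check, `return (bool) apply_filters('njt_fs_allow_sensitive_access', current_user_can('manage_options'));` and likewise `return (bool) apply_filters('njt_fs_allow_sensitive_edit', current_user_can('manage_options'));`. In the same block, the `.htaccess` entry pushed after the sensitive loop carries `'read' => true`, so if elFinder applies the last matching attribute set (verify against the volume driver) it re-enables reading .htaccess whenever both options are on. The `isset(...)` guard also means installs whose stored `njt_fs_settings` predate this key get no protection until the page is re-saved, unless the defaults at lines 53-58 are merged into the stored option somewhere outside this hunk. Finally the patterns are unanchored, so `/wp-config\.php/` also hides `wp-config.php.bak` and `/readme\.html/` hides every plugin's readme.html.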
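--- a/filester/trunk/includes/File_manager/lib/php/elFinder.class.php
+++ b/filester/trunk/includes/File_manager/lib/php/elFinder.class.php
@@ -2009,4 +2009,13 @@
                     return $a404;
                 }
+               
+                // SECURITY FIX: Validate $src path to prevent directory traversal
+                $realSrc = realpath($src);
+                $realTmpDir = realpath($tmpdir);
+                if (!$realSrc || !$realTmpDir || strpos($realSrc, $realTmpDir) !== 0) {
+                    fclose($fp);
+                    return $a403;
+                }
+               
                 if (strpos($src, $tmpdir) === 0) {
                     $GLOBALS['elFinderTempFiles'][$src] = true;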
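Review bot: The containment test `strpos($realSrc, $realTmpDir) !== 0` is a bare string-prefix check, so a resolved path that merely starts with the temp directory's name (e.g. `/tmp/elfinder_tmp-other/x` when `$realTmpDir` is `/tmp/elfinder_tmp`) passes, stays open on `$fp` and reaches the `elFinderTempFiles` registration on the next line, which going by the changelog is the path that led to the deletion report. Compare against the directory plus a trailing separator instead: `if (!$realSrc || !$realTmpDir || strpos($realSrc, rtrim($realTmpDir, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR) !== 0) {` (or `str_starts_with()` if PHP 8 is the floor). Note the check runs after `$fp` has already been opened and relies on `$a403`, both defined outside this hunk, and the registration on the following line still keys on the unresolved `$src` rather than `$realSrc`. A comment stating the rule would help the next reader, e.g. `// one-time downloads may only serve files that live inside the temp dir (realpath defeats ../ and symlinks)`; the enclosing function starts and ends outside the hunk.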
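--- a/filester/trunk/ninja-file-manager.php
+++ b/filester/trunk/ninja-file-manager.php
@@ -4,5 +4,5 @@
  * Plugin URI: https://ninjateam.org/filester
  * Description: Made to help you focus on WordPress file management and avoid being distracted.
- * Version: 1.8.9
+ * Version: 1.9
  * Author: Ninja Team
  * Author URI: https://ninjateam.org
@@ -36,5 +36,5 @@
 
 define('NJT_FS_BN_PREFIX', 'njt-fs');
-define('NJT_FS_BN_VERSION', '1.8.9');
+define('NJT_FS_BN_VERSION', '1.9');
 define('NJT_FS_BN_DOMAIN', 'filester');
 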
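--- a/filester/trunk/readme.txt
+++ b/filester/trunk/readme.txt
@@ -5,5 +5,5 @@
 Requires at least: 3.0
 Tested up to: 6.8
-Stable tag: 1.8.9
+Stable tag: 1.9
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
@@ -112,4 +112,7 @@
 == Changelog ==
 
+= Jun 28, 2025 - Version 1.9 =
+- Fixed: Authenticated (Subscriber+) Directory Traversal to Arbitrary File Deletion
+
 = Jun 11, 2025 - Version 1.8.9 =
 - Fixed: Patchstack security report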
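--- a/filester/trunk/views/pages/html-filemanager-settings.php
+++ b/filester/trunk/views/pages/html-filemanager-settings.php
@@ -141,4 +141,18 @@
           </td>
         </tr>
+        <!-- Sensitive Files Protection -->
+        <tr>
+          <th><?php _e("Sensitive Files Protection", 'filester'); ?></th>
+          <td>
+            <label class="shortcode-switch" for="enable_sensitive_protection">
+              <input name="enable_sensitive_protection" type="checkbox" id="enable_sensitive_protection" value="1"
+                <?php echo isset($this->options['njt_fs_file_manager_settings']['enable_sensitive_protection']) && ($this->options['njt_fs_file_manager_settings']['enable_sensitive_protection'] == '1') ? 'checked="checked"' : '';?>>
+              <div class="slider round"></div>
+            </label>
+            <p class="description njt-settting-width">
+              <?php _e("Protect sensitive files like wp-config.php, .env, etc. Only administrators can access.", 'filester'); ?>
+            </p>
+          </td>
+        </tr>
         <!-- button submit -->
         <tr>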
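Review bot: The description on the new row, "Only administrators can access.", does not match what this changeset ships: canAccessSensitiveFiles() in FileManager.php returns false for every user unless the `njt_fs_allow_sensitive_access` filter is hooked, so administrators are locked out of these files as well. Either reword the string to something like `Hide and lock sensitive files (wp-config.php, .env, ...) in the file manager; access can be re-enabled through the njt_fs_allow_sensitive_access filter.` or make the helper honour a capability so the text becomes true. Separately, `_e()` echoes the translated string unescaped; the WordPress convention for text placed inside markup is `esc_html_e("Sensitive Files Protection", 'filester');` and the same for the description paragraph.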