From bb83d25c563aed4a94a1b129acc993c2887111a7 Mon Sep 17 00:00:00 2001 From: Alberto Date: Thu, 25 Jan 2018 12:24:16 +0100 Subject: [PATCH] Version 9.11.2 - fixed a security vulnerability (thanks to sashaptrw) - fixed other minor problems --- filemanager/include/utils.php | 6 +- resources/assets/js/include.js | 121 +++++++++++++++++---------------- 2 files changed, 66 insertions(+), 61 deletions(-) diff --git a/filemanager/include/utils.php b/filemanager/include/utils.php index ec78342d..ce399b94 100755 --- a/filemanager/include/utils.php +++ b/filemanager/include/utils.php @@ -465,7 +465,11 @@ function create_folder($path = null, $path_thumbs = null,$ftp = null,$config = n $oldumask = umask(0); if ($path && ! file_exists($path)) { - mkdir($path, 0755, true); + $permission = 0755; + if(isset($config['folderPermission'])){ + $permission = $config['folderPermission']; + } + mkdir($path, $permission, true); } // or even 01777 so you get the sticky bit set if ($path_thumbs && ! file_exists($path_thumbs)) { diff --git a/resources/assets/js/include.js b/resources/assets/js/include.js index ffb69826..d561ea52 100755 --- a/resources/assets/js/include.js +++ b/resources/assets/js/include.js @@ -3,7 +3,7 @@ var encodeURL,show_animation,hide_animation,apply,apply_none,apply_img,apply_any { "use strict"; - var version = "9.12.1"; + var version = "9.12.2"; var active_contextmenu = true; var myLazyLoad = null; var clipboard = null; 
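Review bot: `$config['folderPermission']` reaches `mkdir()` in create_folder with no type or range check, and because `umask(0)` is in effect just above, the configured value becomes the directory mode exactly as given. A value written as the string `'0755'` or the decimal `755` is converted to a different mode than the author intended, and a permissive value such as 0777 produces world-writable upload folders. I would bound it, for example `$permission = is_int($config['folderPermission']) ? ($config['folderPermission'] & 07777) : 0755;`, and add a comment that the option must be an octal integer literal. The `$path_thumbs` branch continues outside the hunk, so it is not visible here whether the thumbnail folder uses the same setting.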
@@ -619,29 +619,30 @@ var encodeURL,show_animation,hide_animation,apply,apply_none,apply_img,apply_any makeUploader: function() { jQuery('#fileupload').fileupload({ - // Uncomment the following to send cross-domain cookies: - //xhrFields: {withCredentials: true}, - url: 'upload.php', - maxChunkSize: 2 * 1024 * 1024 // 2 MB - }); + // Uncomment the following to send cross-domain cookies: + //xhrFields: {withCredentials: true}, + url: 'upload.php', + maxChunkSize: 2 * 1024 * 1024 // 2 MB + }); jQuery('#fileupload').bind('fileuploaddrop', function (e, data) { + console.log(data); jQuery('.uploader').show(200); }); - jQuery('#fileupload').bind('fileuploadsubmit', function (e, data) { - // The example input, doesn't have to be part of the upload form: - data.formData = {fldr: jQuery('#sub_folder').val() + jQuery('#fldr_value').val()+data.files[0].relativePath}; + jQuery('#fileupload').bind('fileuploadsubmit', function (e, data) { + // The example input, doesn't have to be part of the upload form: + data.formData = {fldr: jQuery('#sub_folder').val() + jQuery('#fldr_value').val()+data.files[0].relativePath}; + }); + // Load existing files: + jQuery('#fileupload').addClass('fileupload-processing'); + $.ajax({ + // Uncomment the following to send cross-domain cookies: + //xhrFields: {withCredentials: true}, + url: jQuery('#fileupload').fileupload('option', 'url'), + dataType: 'json', + context: jQuery('#fileupload')[0] + }).always(function () { + jQuery(this).removeClass('fileupload-processing'); }); - // Load existing files: - jQuery('#fileupload').addClass('fileupload-processing'); - $.ajax({ - // Uncomment the following to send cross-domain cookies: - //xhrFields: {withCredentials: true}, - url: jQuery('#fileupload').fileupload('option', 'url'), - dataType: 'json', - context: jQuery('#fileupload')[0] - }).always(function () { - jQuery(this).removeClass('fileupload-processing'); - }); // upload btn jQuery('.upload-btn').on('click', function () { 
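Review bot: The added `console.log(data);` in the `fileuploaddrop` handler looks like leftover debugging and writes the dropped file objects (names and relative paths) to the browser console on every drop; I would remove the line. Separately, the `fileuploadsubmit` handler builds `fldr` from two DOM values plus `data.files[0].relativePath`, all of which the client controls, so the confinement of that path has to happen in upload.php, which this diff does not show. A short comment above the `data.formData` line stating `// fldr is client-supplied; upload.php must canonicalise and confine it` would record that assumption. makeUploader continues past the end of the hunk.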
@@ -2056,33 +2057,33 @@ var encodeURL,show_animation,hide_animation,apply,apply_none,apply_img,apply_any } } function close_window() - { - if (jQuery('#popup').val() == 1) - { - window.close(); - } - else - { - if (typeof parent.jQuery(".modal:has(iframe)").modal == "function"){ - parent.jQuery(".modal:has(iframe)").modal("hide"); - } - if (typeof parent.jQuery !== "undefined" && parent.jQuery) - { - if (typeof parent.jQuery.fancybox == 'object'){ - parent.jQuery.fancybox.getInstance().close(); - } - else if(typeof parent.jQuery.fancybox == 'function'){ - parent.jQuery.fancybox.close(); - } - } - else - { - if(typeof parent.$.fancybox == 'function'){ - parent.$.fancybox.close(); - } - } - } - } + { + if (jQuery('#popup').val() == 1) + { + window.close(); + } + else + { + if (typeof parent.jQuery(".modal:has(iframe)").modal == "function"){ + parent.jQuery(".modal:has(iframe)").modal("hide"); + } + if (typeof parent.jQuery !== "undefined" && parent.jQuery) + { + if (typeof parent.jQuery.fancybox == 'object'){ + parent.jQuery.fancybox.getInstance().close(); + } + else if(typeof parent.jQuery.fancybox == 'function'){ + parent.jQuery.fancybox.close(); + } + } + else + { + if(typeof parent.$.fancybox == 'function'){ + parent.$.fancybox.close(); + } + } + } + } apply_file_duplicate = function(container, name) { 
@@ -2398,17 +2399,17 @@ var encodeURL,show_animation,hide_animation,apply,apply_none,apply_img,apply_any //IE enable (function () { - if (typeof window.CustomEvent === "function") { - return false; - } - - function CustomEvent(event, params) { - params = params || {bubbles: false, cancelable: false, detail: undefined}; - var evt = document.createEvent("CustomEvent"); - evt.initCustomEvent (event, params.bubbles, params.cancelable, params.detail); - return evt; - } - - CustomEvent.prototype = window.Event.prototype; - window.CustomEvent = CustomEvent; + if (typeof window.CustomEvent === "function") { + return false; + } + + function CustomEvent(event, params) { + params = params || {bubbles: false, cancelable: false, detail: undefined}; + var evt = document.createEvent("CustomEvent"); + evt.initCustomEvent (event, params.bubbles, params.cancelable, params.detail); + return evt; + } + + CustomEvent.prototype = window.Event.prototype; + window.CustomEvent = CustomEvent; })();