From: pcanterino <>
Date: Fri, 10 Jun 2005 12:38:36 +0000 (+0000)
Subject: - Dev-Editor is now able to forbid accessing a file using the configuration file
X-Git-Tag: version_3_0~20
X-Git-Url: https://git.p6c8.net/devedit.git/commitdiff_plain/1fbf10bec35aeb289a9cf3e1c65a826883bffdea

- Dev-Editor is now able to forbid accessing a file using the configuration file
- Added ReadMe file, Change Log and a copy of the Artistic License to the
  repository
---

diff --git a/CHANGELOG b/CHANGELOG
new file mode 100644
index 0000000..8b2be5e
--- /dev/null
+++ b/CHANGELOG
@@ -0,0 +1,494 @@
+Change Log for Dev-Editor
+=========================
+
+New in version 2.3.2 (2005-04-23)
+---------------------------------
+
+ Copying a file out of a directory:
+ ----------------------------------
+ Fixed a really strange bug occuring only on Windows systems.
+ Dev-Editor was not able to copy (or move) a file out of a directory if the
+ path, the user entered in the corresponding dialogue, was beginning with "../".
+
+ Empty root directory causes incomplete HTML table:
+ --------------------------------------------------
+ Dev-Editor now does not create an incomplete HTML table if the root directory
+ is completely empty or no files are matching against the current wildcard.
+
+ move() instead of rename():
+ ---------------------------
+ Dev-Editor now uses the move() function from the File::Copy module to move or
+ rename files and directories. move() is more reliable than the rename()
+ function.
+
+ No error message if reading of a directory failed:
+ --------------------------------------------------
+ If reading of a directory failed, no error message was shown. I thought this
+ bug was fixed...
+
+ Template class updated:
+ -----------------------
+ The template class was updated to version 1.4a.
+
+New in version 2.3.1 (2005-02-19)
+---------------------------------
+
+ Handling of symbolic links changed:
+ -----------------------------------
+ For security reasons, I completely changed the handling of symbolic links:
+ Symbolic links are now treated as files, no matter where they point to. The
+ user is just allowed to see the path where the link points to, he is allowed to
+ delete the link, to rename it and to overwrite it by renaming an other file.
+ Nothing else is allowed.
+ Accessing a symbolic link pointing to a directory caused also a very strange
+ effect: It was possible to access this directory, but you could not access
+ the objects in it.
+ I had to do it in this way because of the very stupid behaviour of abs_path()
+ from the Cwd module: This function is just able to detect the absolute path of
+ directories.
+ Hard links are not affected by this, because it is not possible to detect them
+ (at least I don't know how to detect them).
+
+ Root directory must not be a symbolic link:
+ -------------------------------------------
+ Now, the root directory must not be a symbolic link.
+ Sorry for this, I really would have liked to allow the root directory to be a
+ symbolic link, but if I would allow this, Dev-Editor would not be able to
+ create files in the root directory. I'm looking for an alternative...
+
+ Use Greenwich Mean Time:
+ ------------------------
+ You may now use Greenwich Mean Time (GMT/UTC) in dates instead of the local
+ time.
+ I don't know if anyone needs this, but it could be useful.
+
+ Handle errors produced by File::UseList:
+ ----------------------------------------
+ - Check if unlocking of the list of files in use was successful
+ - Check if a file could be successfully added to the list of files in use
+ - Check if a file could be successfully removed from the list of files in use
+
+ Saving to non-existing files:
+ -----------------------------
+ The file saving process was aborted if the user wanted to write text data using
+ the edit function into a file that does not exists.
+ The reason was that Dev-Editor thought that this non-existing file was a binary
+ file.
+
+ Template class updated:
+ -----------------------
+ The template class was updated to version 1.4.
+ This fixes the problem of the infinitive loops produced by incorrectly nested
+ {IF} blocks.
+
+ Small changes:
+ --------------
+ - Files locked with the flock() function are now unlocked by the close()
+   function due to security reasons (see
+   http://forum.de.selfhtml.org/?t=101375&m=622582)
+ - Changed the names of two error messages:
+   dircopy -> dir_copy
+   editdir -> dir_edit
+ - Fixed various small errors in some template files
+ - The regular expression used by file_name() and upper_path() to detect Windows
+   drive letters was not case-insensitive
+
+New in version 2.3 (2005-01-08)
+-------------------------------
+
+ Filter directory listing:
+ -------------------------
+ Dev-Editor is now able to filter the directory listing using DOS-style
+ wildcards.
+ I think that is a little bit incomplete, Dev-Editor should be able to
+ "remember" the filter wildcard during the actions.
+ The code for parsing DOS-style wildcards is from the File::DosGlob module by
+ Gurusamy Sarathy.
+
+ flock():
+ --------
+ Dev-Editor now uses flock().
+ flock() is called using a wrapper function which checks if it is really
+ available.
+
+ check_path() broken on Windows:
+ -------------------------------
+ On Windows systems the check_path() routine was heavily broken (this routine
+ checks if someone tries to access a path above the virtual root directory). It
+ was possible to access files above the root directory by accessing a path with
+ "..." or "...." or something like that as the last path component. This bug was
+ caused by the rewrite of check_path() in Dev-Editor 2.2.
+
+ "." or ".." as end of a path:
+ -----------------------------
+ If you enter a path with "." or ".." as the last path component, Dev-Editor
+ showed a really strange behaviour by allowing to enter a path like
+ "something/." or "something/..". This was also caused by the (poor) rewrite of
+ check_path(). The problem is fixed now.
+
+ Paths beginning with "/../" caused problems:
+ --------------------------------------------
+ When composing the temporary virtual path for a new file, don't call
+ clean_path(). It is unnecessary and it also caused a problem if this path would
+ begin with /../, because on UNIX systems, canonpath() removes /../ at the
+ beginning of a path. So if a user wanted to create the file /../file.ext (but
+ he wasn't allowed to), he created /file.ext.
+
+ Deny changing file properties in some cases:
+ --------------------------------------------
+ - Do not allow to change the properties of the root directory
+ - Do not allow to change the properties of a file in use
+
+ Deny overwriting files:
+ -----------------------
+ - While processing a file upload, check if the user wants to replace a
+   directory or overwrite a write-protected file
+ - If the user wants to copy or rename a file, check if he wants to overwrite a
+   write-protected file
+ - Do not allow to upload a file if a file with the same virtual name is
+   currently in use
+
+ Validate file uploads:
+ ----------------------
+ Dev-Editor now tries to validate a file upload by checking the handle created
+ by the CGI module.
+
+ Improved configuration file parser:
+ -----------------------------------
+ - The parser now ignores lines like that:
+      = Value
+   Such lines could lead to properties with empty keys in the configuration
+   hash.
+ - Allow configuration options with empty values
+ - If a option is defined twice, the line number of the second one is shown in
+   the error message
+
+ Output changes:
+ ---------------
+ - More encoding of HTML entities
+ - In directory listing, the "Edit" link of files in use were not greyed (very
+   nasty)
+ - Show the name of the lock file in error messages even if it has not been
+   defined in the configuration file
+
+ Small internal changes:
+ -----------------------
+ - The file saving process is now completely centralized in File::Access
+ - When generating a redirection header, check if we really have to create a
+   query string
+ - Fixed a bug occuring if the "curdir" CGI parameter had no trailing slash and
+   the "newfile" parameter had no leading slash
+ - Dev-Editor now takes more care of Windows drive letters
+ - Trying to increase speed of the script by surrounding static values by single
+   quotes
+ - Code cleaning
+
+New in version 2.2a (2004-11-29)
+--------------------------------
+
+ File uploads did not work:
+ --------------------------
+ Dev-Editor normally tests if it has enough permissions to upload a file to a
+ directory. But the condition was missing and so Dev-Editor always aborted file
+ uploads and didn't even display the dialogue.
+
+New in version 2.2 (2004-11-27)
+-------------------------------
+
+ `chgrp` system command and numerical group names:
+ -------------------------------------------------
+ When changing the group, Dev-Editor is now using the `chgrp` system command.
+ This allows to use numerical group names. Before, Dev-Editor handled numerical
+ values as group IDs.
+
+ Checking root directory:
+ ------------------------
+ Dev-Editor now checks if the root directory exists and if it may be accessed.
+ This fixed also bug where it was possible to access the physical root directory
+ if Dev-Editor could not enter the virtual root directory.
+
+ Checking directory permissions:
+ -------------------------------
+ Dev-Editor does some simple checks of directory permissions now:
+ - Inaccessible directories are greyed in directory listing. You cannot access
+   them, but the actions are not disabled, because they may work.
+ - Actions needing write access to a directory are aborted if Dev-Editor has no
+   write access.
+
+ Access a directory structure similar to the root directory:
+ -----------------------------------------------------------
+ The path the user wants to access must now BEGIN with the root directory. The
+ old check made it possible to access a directory structure outside the root
+ directory similar to the root directory.
+
+ Changing mode of a directory with mode 000:
+ -------------------------------------------
+ It was not possible to change the mode of a directory with mode 000.
+
+ Upload only to directories:
+ ---------------------------
+ Dev-Editor now checks if the user really uploads a file to a directory.
+
+ Improved About dialogue:
+ ------------------------
+ - Dev-Editor now only shows the main group ID of the process user.
+ - Dev-Editor also shows the current umask of the process.
+ - Special chars in most values are now encoded to entities.
+
+ Added <label> tags:
+ -------------------
+ For a better usability in some browsers, I added <label> tags for the
+ checkboxes and radio buttons in file edit and file upload dialogue.
+
+ Directory links in error messages:
+ ----------------------------------
+ Some error messages generated by the main program now contain a link to the
+ root directory.
+
+ Bugs in HTML generation:
+ ------------------------
+ - If Dev-Editor could not read a directory, it did neither display an error
+   message nor a directory link.
+ - Some error messages had problems with {DIR} variables. Thus the variable in
+   error.htm which will be replaced by a back link is now called "{BACK}".
+ - When viewing a file, Dev-Editor inserts the contents of the file into the
+   viewfile.htm template file AFTER parsing the "editable" {IF}-block, because
+   Dev-Editor showed a very ugly behaviour when viewing this template file.
+
+ Code cleaning:
+ --------------
+ I tried to clean the source code of Dev-Editor a little bit. Some parts of the
+ code were optimized.
+
+New in version 2.1a (2004-10-22)
+--------------------------------
+
+ Changed file saving error handling:
+ -----------------------------------
+ Now we already unlock the file saving process, because if an error occurs
+ during this process, the file keeps locked.
+ This is not a perfect solution, there are still problems. I have to figure out
+ another one.
+
+New in version 2.1 (2004-10-14)
+-------------------------------
+
+ Overwrite files during file upload:
+ -----------------------------------
+ In file upload dialogue, there is a new checkbox which allows to overwrite
+ files during file upload if they already exist.
+
+ Improved file saving:
+ ---------------------
+ The process of file saving has been improved:
+ - Saving even works if the file has to be created first.
+ - Dev-Editor is now checking if the user wants to write text data into a binary
+   file.
+ - If the user just entered spaces as filename (detection works for other
+   commands using the "newfile" CGI parameter too), we use the original
+   filename.
+
+ Don't copy a directory:
+ -----------------------
+ Dev-Editor now denies copying a directory.
+
+ Check before manually unlocking:
+ --------------------------------
+ Dev-Editor now checks if the file is really locked before displaying the
+ dialogue for manually unlocking a file. If it is not locked, Dev-Editor returns
+ to directory view. Dev-Editor also behaves in this way if it is trying to
+ unlock a file.
+
+ Wrong error messages:
+ ---------------------
+ Something definitely went wrong when I remade the copy and the rename
+ functions: They printed a wrong error message if the destination already
+ existed and if it was a file.
+
+New in version 2.0 (2004-08-10)
+-------------------------------
+
+ File uploads:
+ -------------
+ Dev-Editor is now able to process HTTP file uploads. The files may be
+ transferred in ASCII or binary mode (similar to FTP).
+
+ Change mode and group:
+ ----------------------
+ Dev-Editor is now able to change the mode and the group of a file or a
+ directory.
+
+ HTTPS support and non-default ports:
+ ------------------------------------
+ Dev-Editor is now able to detect a HTTPS connection and if the web server
+ doesn't listen on the default ports (necessary for reloading Dev-Editor).
+
+ Do not allow removing or renaming the root directory:
+ -----------------------------------------------------
+ Dev-Editor now denies removing or renaming the root directory.
+
+ Renaming files outside the root directory:
+ ------------------------------------------
+ There was a bug which caused Dev-Editor not to rename files outside the root
+ directory if they already exist.
+
+ Improved file editing:
+ ----------------------
+ When the user wants to save an edited file using a different file name,
+ Dev-Editor now unlocks the original file and checks if a file with this
+ different name already exists and if it is locked.
+
+ Improved file creating:
+ -----------------------
+ The routine which creates empty files had a race condition which could set
+ files to 0 if they already exist.
+
+ Maximum size for files:
+ -----------------------
+ The administrator may now define a maximum size for files in the main
+ configuration file. If the user wants to view or edit a file larger than this
+ defined size, Dev-Editor denies file access (but the file can still be copied,
+ renamed or removed).
+
+ Form for creating new files or directories:
+ -------------------------------------------
+ In directory listing, when clicking on the buttons next to the fields for
+ creating new files and directories without entering a file or directory name,
+ the user got an error message which is a little bit strange.
+ Now, the user will see a form for creating new files or directories.
+
+ Newlines are converted while reading:
+ -------------------------------------
+ Whenever Dev-Editor now reads a file for output, it converts any line separator
+ to the system specific one.
+
+ Case-insensitive commands:
+ --------------------------
+ The commands are now case-insensitive, so the command "ShOw" is the same as
+ "show".
+
+ About screen:
+ -------------
+ There is now a small "About" screen which shows some more or less useful
+ information about Dev-Editor and the system.
+
+ Improvements for user interface:
+ --------------------------------
+ Made a lot of improvements for the user interface:
+ - The directory listing is now built using tables.
+ - When editing a file and the user wants to save a file using a different file
+   name, the checkbox for saving the file using a different file name is
+   activated using JavaScript.
+ - In directory listing or when viewing a file, there is a new field for quickly
+   jumping to a file or to a directory.
+ - Separated "Work with directory" and "Work with file" into different options
+   in directory listing ("Copy", "Rename", "Delete", "Unlock"). The options also
+   have their own dialogues.
+ - In directory listing, there is a new link for viewing a file or a directory
+   in the browser.
+ - When viewing a file and if the file is editable, there is a new link to edit
+   this  file.
+ - Files and directories in directory listing are now sorted case-insensitively.
+
+ Configuration files:
+ --------------------
+ The settings of Dev-Editor are now stored in extern configuration files: There
+ is one file for general settings, one for the error messages and one for the
+ paths to the template files.
+
+ Templates:
+ ----------
+ The output of Dev-Editor is now controlled by template files. The source code
+ became much cleaner :-)
+
+New in version 1.2 (2003-12-29)
+-------------------------------
+
+ Removing directories:
+ ---------------------
+ Dev-Editor is now able to completely remove a directory.
+
+ "Work with directories":
+ ------------------------
+ In directory listing, next do a directory, there is a new link called "Work
+ with directory". When you select this link, you get a form to remove or
+ rename/move the directory.
+ Additionally, the link "Do other stuff" was renamed to "Work with file".
+
+ Overwriting existing files:
+ ---------------------------
+ If you want to copy a file, and the destination file already exists, you will
+ be asked to overwrite the file. If the destination points to a directory,
+ copying will be aborted completely.
+ If you want to rename a file or a directory, and the destination file already
+ exists, you will be asked to overwrite the file. If the destination points to a
+ directory, renaming will be aborted completely.
+
+ Confirmation for removing files:
+ --------------------------------
+ If you want to remove a file, a confirmation dialog will be displayed first.
+
+ Fixed open() calls:
+ -------------------
+ It seems that some systems don't support the FILEHANDLE,MODE,FILENAME version
+ of open(). Now we don't use it any more.
+
+ Default permissions for mkdir():
+ --------------------------------
+ Set the permissions for mkdir() to 0777. I thought it is optional (as described
+ in "perlfunc"), but some systems need it.
+
+New in version 1.1 (2003-11-15)
+-------------------------------
+
+ Newlines are converted:
+ -----------------------
+ Any line seperator will now be converted to the system specific line seperator
+ if you save a text file.
+
+ File permissions are checked:
+ -----------------------------
+ Dev-Editor now runs some simple checks on the file permissions when it creates
+ a directory listing, tries to view or edit a file and when it copies a file.
+
+ Tool tips for file status:
+ --------------------------
+ In directory listing, when a file cannot be viewed or edited, a tool tip on the
+ "View" or "Edit" link will show the reason why it is so.
+
+ File permissions are saved:
+ ---------------------------
+ When the user saves a text file, the file permissions were destroyed. The
+ reason was that a temporary file was used, which was renamed to the originally
+ file. Now this is fixed, but if saving of the file now fails, the file could be
+ damaged...
+
+ Links in error messages:
+ ------------------------
+ Some error messages now contain a link to go back to the directory containing
+ the file which caused the error.
+
+ Typos fixed:
+ ------------
+ There were a lot of typos in the output, the comments and the ReadMe file.
+
+ Dates fixed:
+ ------------
+ The dates of the last modification in the head comment of the files had the
+ wrong format. They had the format MM-DD-YYYY, but they should have YYYY-MM-DD.
+ Sorry, that was VERY embarassing...
+
+New in version 1.0 (2003-10-08)
+-------------------------------
+
+ First public release:
+ ---------------------
+ This is the first public release of Dev-Editor.
+
+------------------------------------------------
+
+(C) 1999-2000 Roland Bluethgen, Frank Schoenmann
+(C) 2003-2005 Patrick Canterino
+
+E-Mail: patrick@patshaping.de
+WWW:    http://devedit.sourceforge.net/
\ No newline at end of file
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..5a5ed1b
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,127 @@
+			 The "Artistic License"
+
+				Preamble
+
+The intent of this document is to state the conditions under which a
+Package may be copied, such that the Copyright Holder maintains some
+semblance of artistic control over the development of the package,
+while giving the users of the package the right to use and distribute
+the Package in a more-or-less customary fashion, plus the right to make
+reasonable modifications.
+
+Definitions:
+
+	"Package" refers to the collection of files distributed by the
+	Copyright Holder, and derivatives of that collection of files
+	created through textual modification.
+
+	"Standard Version" refers to such a Package if it has not been
+	modified, or has been modified in accordance with the wishes
+	of the Copyright Holder as specified below.
+
+	"Copyright Holder" is whoever is named in the copyright or
+	copyrights for the package.
+
+	"You" is you, if you're thinking about copying or distributing
+	this Package.
+
+	"Reasonable copying fee" is whatever you can justify on the
+	basis of media cost, duplication charges, time of people involved,
+	and so on.  (You will not be required to justify it to the
+	Copyright Holder, but only to the computing community at large
+	as a market that must bear the fee.)
+
+	"Freely Available" means that no fee is charged for the item
+	itself, though there may be fees involved in handling the item.
+	It also means that recipients of the item may redistribute it
+	under the same conditions they received it.
+
+1. You may make and give away verbatim copies of the source form of the
+Standard Version of this Package without restriction, provided that you
+duplicate all of the original copyright notices and associated disclaimers.
+
+2. You may apply bug fixes, portability fixes and other modifications
+derived from the Public Domain or from the Copyright Holder.  A Package
+modified in such a way shall still be considered the Standard Version.
+
+3. You may otherwise modify your copy of this Package in any way, provided
+that you insert a prominent notice in each changed file stating how and
+when you changed that file, and provided that you do at least ONE of the
+following:
+
+    a) place your modifications in the Public Domain or otherwise make them
+    Freely Available, such as by posting said modifications to Usenet or
+    an equivalent medium, or placing the modifications on a major archive
+    site such as uunet.uu.net, or by allowing the Copyright Holder to include
+    your modifications in the Standard Version of the Package.
+
+    b) use the modified Package only within your corporation or organization.
+
+    c) rename any non-standard executables so the names do not conflict
+    with standard executables, which must also be provided, and provide
+    a separate manual page for each non-standard executable that clearly
+    documents how it differs from the Standard Version.
+
+    d) make other distribution arrangements with the Copyright Holder.
+
+4. You may distribute the programs of this Package in object code or
+executable form, provided that you do at least ONE of the following:
+
+    a) distribute a Standard Version of the executables and library files,
+    together with instructions (in the manual page or equivalent) on where
+    to get the Standard Version.
+
+    b) accompany the distribution with the machine-readable source of
+    the Package with your modifications.
+
+    c) give non-standard executables non-standard names, and clearly
+    document the differences in manual pages (or equivalent), together
+    with instructions on where to get the Standard Version.
+
+    d) make other distribution arrangements with the Copyright Holder.
+
+5. You may charge a reasonable copying fee for any distribution of this
+Package.  You may charge any fee you choose for support of this
+Package.  You may not charge a fee for this Package itself.  However,
+you may distribute this Package in aggregate with other (possibly
+commercial) programs as part of a larger (possibly commercial) software
+distribution provided that you do not advertise this Package as a
+product of your own.  You may embed this Package's interpreter within
+an executable of yours (by linking); this shall be construed as a mere
+form of aggregation, provided that the complete Standard Version of the
+interpreter is so embedded.
+
+6. The scripts and library files supplied as input to or produced as
+output from the programs of this Package do not automatically fall
+under the copyright of this Package, but belong to whoever generated
+them, and may be sold commercially, and may be aggregated with this
+Package.  If such scripts or library files are aggregated with this
+Package via the so-called "undump" or "unexec" methods of producing a
+binary executable image, then distribution of such an image shall
+neither be construed as a distribution of this Package nor shall it
+fall under the restrictions of Paragraphs 3 and 4, provided that you do
+not represent such an executable image as a Standard Version of this
+Package.
+
+7. C subroutines (or comparably compiled subroutines in other
+languages) supplied by you and linked into this Package in order to
+emulate subroutines and variables of the language defined by this
+Package shall not be considered part of this Package, but are the
+equivalent of input as in Paragraph 6, provided these subroutines do
+not change the language in any way that would cause it to fail the
+regression tests for the language.
+
+8. Aggregation of this Package with a commercial distribution is always
+permitted provided that the use of this Package is embedded; that is,
+when no overt attempt is made to make this Package's interfaces visible
+to the end user of the commercial distribution.  Such use shall not be
+construed as a distribution of this Package.
+
+9. The name of the Copyright Holder may not be used to endorse or promote
+products derived from this software without specific prior written permission.
+
+10. THIS PACKAGE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR
+IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
+WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+
+				The End
\ No newline at end of file
diff --git a/README b/README
new file mode 100644
index 0000000..c20d6fa
--- /dev/null
+++ b/README
@@ -0,0 +1,117 @@
+ReadMe for Dev-Editor 3.0 (CVS)
+===============================
+
+Description
+-----------
+
+Dev-Editor is a simple CGI based editor written in Perl and licensed under the
+terms of the Artistic License, which allows remote changes to files and
+directory structures on a web server. That's useful if you aren't able to access
+the files on your homepage directly, for example if you are on holiday.
+
+Installation
+------------
+
+First, you have to copy the files into a directory on your web server where you
+are able to execute scripts (in most cases, this is "cgi-bin"). I suggest to
+create a sub directory for Dev-Editor.
+Then, you have to change the first line of devedit.pl: Just replace
+/usr/bin/perl by the path to your Perl interpreter.
+If you are on a UNIX based system, you have to set devedit.pl as executable
+(chmod 755 in most cases).
+You will also need to configure Dev-Editor. See the next section for details.
+
+Note, that the directory where you installed Dev-Editor should be protected by
+HTTP Authentication. If you don't do that, everybody will be able to access
+Dev-Editor and use it for evil purposes.
+
+Configuration
+-------------
+
+Open the file devedit.conf. This file contains keys and values separated by a
+"=" sign.
+Here is a list of the configuration options currently available:
+
+Option                   Description
+------                   -----------
+
+fileroot                 The root directory Dev-Editor is allowed to access.
+                         Nobody is allowed to access the files and directories
+                         above this directory. Dev-Editor needs write access to
+                         this directory and to the sub directories.
+
+httproot                 This is the equivalent HTTP URL to the root directory.
+                         It's just used for visual output, so it doesn't need to
+                         be correct.
+
+max_file_size            Here you may define a maximum size for files (Bytes).
+                         If the user wants to view or edit a file larger than
+                         this defined size, Dev-Editor denies file access (but
+                         the file can still be copied, renamed or removed).
+                         If this is empty or 0, any file can be viewed or
+                         edited.
+
+timeformat               The format of the time shown in directory listings.
+                         These are the most important placeholders:
+
+                         %a - short day name (Sun to Sat)
+                         %A - long day name (Sunday to Saturday)
+                         %b - short month name (Jan to Dec)
+                         %B - long month name (January to December)
+                         %d - day of the month (01 to 31)
+                         %H - hour in 24 hour clock (00 to 23)
+                         %I - hour in 12 hour clock (01 to 12)
+                         %m - month of the year (01 to 12)
+                         %M - minutes (00 to 59)
+                         %p - AM or PM
+                         %S - seconds (00 to 59)
+                         %y - two digit year (03)
+                         %Y - four digit year (2003)
+                         %% - percent sign
+
+                         There are a lot of other placeholders. A complete list
+                         is found at:
+                         http://www.opengroup.org/onlinepubs/7908799/xsh/strftime.html
+                         Note that some systems don't support some of the
+                         placeholders (for example %T on Windows).
+
+                         This format is also used to format the system time in
+                         the About dialogue.
+
+use_gmt                  Set this option to 1 if you want to use Greenwich Mean
+                         Time (GMT/UTC) in directory listing and in the About
+                         dialogue instead of the local time.
+
+forbidden                Specify . The filenames have to be separated by space characters.
+                         If a filename contains space characters, you have to
+                         put it into double quotation marks ("/filename").
+
+error_file               The path to the file which defines the error messages.
+                         The file has the same format as this one.
+
+template_file            The path to the file which defines the paths to the
+                         template files. The file has the same format as this
+                         one.
+
+Notes
+-----
+
+Symbolic links are treated as files, no matter where they point to. The user is
+just allowed to see the path where the link points to, he is allowed to delete
+the link, to rename it and to overwrite it by renaming an other file. Nothing
+else is allowed.
+Accessing a symbolic link pointing to a directory also caused a very strange
+effect: It was possible to access this directory, but you could not access the
+objects in it.
+I had to do it in this way because of the very stupid behaviour of abs_path()
+from the Cwd module: This function is just able to detect the absolute path of
+directories.
+Hard links are not affected by this.
+
+------------------------------------------------
+
+(C) 1999-2000 Roland Bluethgen, Frank Schoenmann
+(C) 2003-2005 Patrick Canterino
+
+E-Mail: patrick@patshaping.de
+WWW:    http://devedit.sourceforge.net/
\ No newline at end of file
diff --git a/devedit.pl b/devedit.pl
index 3fd8641..f6d59c9 100644
--- a/devedit.pl
+++ b/devedit.pl
@@ -6,7 +6,7 @@
 # Dev-Editor's main program
 #
 # Author:        Patrick Canterino <patrick@patshaping.de>
-# Last modified: 2005-04-22
+# Last modified: 2005-06-09
 #
 
 use strict;
@@ -94,6 +94,13 @@ if($newfile ne '' && $newfile !~ /^\s+$/)
 
  $new_physical = File::Spec->canonpath($new_physical.'/'.$file);
  $new_virtual .= $file;
+
+ # Check if the file is denied by configuration
+
+ if(is_forbidden_file($config->{'forbidden'},$new_virtual))
+ {
+  abort($config->{'errors'}->{'forbidden_file'},'/');
+ }
 }
 
 # This check has to be performed first or abs_path() will be confused
@@ -104,24 +111,31 @@ if(-e $temp_path || -l $temp_path)
 {
  if(my ($physical,$virtual) = check_path($config->{'fileroot'},$file))
  {
-  # Create a hash containing data submitted by the user
-  # (some other necessary information are also included)
-
-  my %data = (physical     => $physical,
-              virtual      => $virtual,
-              new_physical => $new_physical,
-              new_virtual  => $new_virtual,
-              cgi          => $cgi,
-              version      => $VERSION,
-              configfile   => CONFIGFILE);
-
-  # Execute the command...
-
-  my $output = exec_command($command,\%data,$config);
-
-  # ... and show its output
-
-  print $$output;
+  if(is_forbidden_file($config->{'forbidden'},$virtual))
+  {
+   abort($config->{'errors'}->{'forbidden_file'},'/');
+  }
+  else
+  {
+   # Create a hash containing data submitted by the user
+   # (some other necessary information are also included)
+
+   my %data = (physical     => $physical,
+               virtual      => $virtual,
+               new_physical => $new_physical,
+               new_virtual  => $new_virtual,
+               cgi          => $cgi,
+               version      => $VERSION,
+               configfile   => CONFIGFILE);
+
+   # Execute the command...
+
+   my $output = exec_command($command,\%data,$config);
+
+   # ... and show its output
+
+   print $$output;
+  }
  }
  else
  {
diff --git a/errors.conf b/errors.conf
index 4775be3..78913e9 100644
--- a/errors.conf
+++ b/errors.conf
@@ -19,6 +19,7 @@ edit_file_changed = The file you want to edit changed meanwhile. Now, it looks l
 exist_no_write    = The target file '{FILE}' already exists and you have not enough permissions to replace it.
 file_exists       = A file or directory called '{FILE}' already exists.
 file_too_large    = The file you want to view or edit is too large (max. {SIZE}&nbsp;Bytes).
+forbidden_file    = Dev-Editor is configued to forbid accessing this file.
 invalid_group     = '{GROUP}' seems to be an invalid group name. Please check it and try again.
 invalid_mode      = To change the group of a file or directory, you have to enter an octal number which has at least three digits.
 invalid_upload    = It seems that something is wrong with the file upload you want to submit.
diff --git a/modules/Command.pm b/modules/Command.pm
index e5be161..b827368 100644
--- a/modules/Command.pm
+++ b/modules/Command.pm
@@ -6,7 +6,7 @@ package Command;
 # Execute Dev-Editor's commands
 #
 # Author:        Patrick Canterino <patrick@patshaping.de>
-# Last modified: 2005-05-29
+# Last modified: 2005-06-09
 #
 
 use strict;
@@ -148,6 +148,7 @@ sub exec_show($$)
    $dtpl->fillin('DATE',encode_html(strftime($config->{'timeformat'},($config->{'use_gmt'}) ? gmtime($stat[9]) : localtime($stat[9]))));
    $dtpl->fillin('URL',equal_url(encode_html($config->{'httproot'}),$virt_path->{'html'}));
 
+   $dtpl->parse_if_block('forbidden',is_forbidden_file($config->{'forbidden'},$virt_path->{'normal'}));
    $dtpl->parse_if_block('readable',-r $phys_path && -x $phys_path);
    $dtpl->parse_if_block('users',$users && -o $phys_path);
 
@@ -182,6 +183,7 @@ sub exec_show($$)
    $ftpl->parse_if_block('writeable',-w $phys_path);
    $ftpl->parse_if_block('binary',-B $phys_path);
 
+   $ftpl->parse_if_block('forbidden',is_forbidden_file($config->{'forbidden'},$virt_path->{'normal'}));
    $ftpl->parse_if_block('viewable',(-r $phys_path && -T $phys_path && not $too_large) || -l $phys_path);
    $ftpl->parse_if_block('editable',(-r $phys_path && -w $phys_path && -T $phys_path && not $too_large) && not -l $phys_path);
 
diff --git a/modules/Config/DevEdit.pm b/modules/Config/DevEdit.pm
index 7402ff1..c387514 100644
--- a/modules/Config/DevEdit.pm
+++ b/modules/Config/DevEdit.pm
@@ -6,7 +6,7 @@ package Config::DevEdit;
 # Read and parse the configuration files
 #
 # Author:        Patrick Canterino <patrick@patshaping.de>
-# Last modified: 2005-01-06
+# Last modified: 2005-06-09
 #
 
 use strict;
@@ -14,6 +14,8 @@ use strict;
 use vars qw(@EXPORT);
 use Carp qw(croak);
 
+use Text::ParseWords;
+
 ### Export ###
 
 use base qw(Exporter);
@@ -37,6 +39,25 @@ sub read_config($)
  $config->{'errors'}    = parse_config($config->{'error_file'});
  $config->{'templates'} = parse_config($config->{'template_file'});
 
+ # Parse list of forbidden files
+
+ if($config->{'forbidden'})
+ {
+  my @files;
+
+  foreach my $file(parse_line('\s+',0,$config->{'forbidden'}))
+  {
+   $file =~ tr!\\!/!;
+
+   $file =  '/'.$file unless($file =~ m!^/!);
+   $file =~ s!/+$!!g;
+
+   push(@files,$file);
+  }
+
+  $config->{'forbidden'} = \@files;
+ }
+
  return $config;
 }
 
diff --git a/modules/Tool.pm b/modules/Tool.pm
index e1407a1..d9a20f7 100644
--- a/modules/Tool.pm
+++ b/modules/Tool.pm
@@ -6,7 +6,7 @@ package Tool;
 # Some shared sub routines
 #
 # Author:        Patrick Canterino <patrick@patshaping.de>
-# Last modified: 2005-05-07
+# Last modified: 2005-06-10
 #
 
 use strict;
@@ -32,6 +32,7 @@ use base qw(Exporter);
              encode_html
              equal_url
              file_name
+             is_forbidden_file
              mode_string
              multi_string
              upper_path);
@@ -254,6 +255,29 @@ sub file_name($)
  return $path;
 }
 
+# is_forbidden_file()
+#
+# Check if a file is in the list of forbidden files
+#
+# Params: 1. Array Reference containing the list
+#         2. Filename to check
+#
+# Return: Status code (Boolean)
+
+sub is_forbidden_file($$)
+{
+ my ($list,$file) = @_;
+ $file =~ s!/+$!!g;
+
+ foreach my $entry(@$list)
+ {
+  return 1 if($file eq $entry);
+  return 1 if(index($file,$entry.'/') == 0);
+ }
+
+ return;
+}
+
 # mode_string()
 #
 # Convert a file mode number into a human readable string (rwxr-x-r-x)
diff --git a/templates/dirlist_dir.htm b/templates/dirlist_dir.htm
index 4a57acb..8c30d44 100644
--- a/templates/dirlist_dir.htm
+++ b/templates/dirlist_dir.htm
@@ -1,6 +1,6 @@
 <tr>
 <td align="right" style="white-space:nowrap">[SUBDIR]</td>
 <td style="padding-left:15pt;white-space:nowrap;">{DATE}{IF gmt} (GMT){ENDIF}</td>
-<td style="padding-left:15pt;white-space:nowrap;">{IF readable}<a href="{SCRIPT}?command=show&amp;file={DIR_URL}{IF filter}&amp;filter={FILTER_URL}{ENDIF}">{DIR_NAME}/</a>{ELSE}<span style="color:#C0C0C0" title="Not accessible">{DIR_NAME}/</span>{ENDIF}</td>
-<td style="padding-left:15pt;white-space:nowrap;">({IF dir_writeable}<a href="{SCRIPT}?command=rename&amp;file={DIR_URL}">Rename</a> | <a href="{SCRIPT}?command=remove&amp;file={DIR_URL}">Delete</a> | {ENDIF}{IF users}<a href="{SCRIPT}?command=chprop&amp;file={DIR_URL}">Chmod/Chgrp</a> | {ENDIF}<a href="{URL}" target="_blank">View in Browser</a>)</td>
+<td style="padding-left:15pt;white-space:nowrap;">{IF !forbidden}{IF readable}<a href="{SCRIPT}?command=show&amp;file={DIR_URL}{IF filter}&amp;filter={FILTER_URL}{ENDIF}">{DIR_NAME}/</a>{ELSE}<span style="color:#C0C0C0" title="Not accessible">{DIR_NAME}/</span>{ENDIF}{ELSE}<span style="color:#C0C0C0" title="File access forbidden by Dev-Editor's configuration">{DIR_NAME}/</span>{ENDIF}</td>
+<td style="padding-left:15pt;white-space:nowrap;">({IF !forbidden}{IF dir_writeable}<a href="{SCRIPT}?command=rename&amp;file={DIR_URL}">Rename</a> | <a href="{SCRIPT}?command=remove&amp;file={DIR_URL}">Delete</a> | {ENDIF}{IF users}<a href="{SCRIPT}?command=chprop&amp;file={DIR_URL}">Chmod/Chgrp</a> | {ENDIF}{ENDIF}<a href="{URL}" target="_blank">View in Browser</a>)</td>
 </tr>
diff --git a/templates/dirlist_file.htm b/templates/dirlist_file.htm
index f267856..9a535dd 100644
--- a/templates/dirlist_file.htm
+++ b/templates/dirlist_file.htm
@@ -1,6 +1,6 @@
 <tr>
 <td align="right" style="white-space:nowrap">{SIZE}</td>
 <td style="padding-left:15pt;white-space:nowrap;">{DATE}{IF gmt} (GMT){ENDIF}</td>
-<td style="padding-left:15pt;white-space:nowrap;">{FILE_NAME}</td>
-<td style="padding-left:15pt;white-space:nowrap;">({IF viewable}<a href="{SCRIPT}?command=show&amp;file={FILE_URL}">View</a>{ELSE}<span style="color:#C0C0C0" title="{IF !readable}Not readable{ELSE}{IF binary}Binary file{ELSE}{IF too_large}File too large{ENDIF}{ENDIF}{ENDIF}">View</span>{ENDIF} | {IF editable}<a href="{SCRIPT}?command=beginedit&amp;file={FILE_URL}">Edit</a>{ELSE}<span style="color:#C0C0C0" title="{IF link}Symbolic link{ELSE}{IF !readable}Not readable{ELSE}{IF !writeable}Read only{ELSE}{IF binary}Binary file{ELSE}{IF too_large}File too large{ENDIF}{ENDIF}{ENDIF}{ENDIF}{ENDIF}">Edit</span>{ENDIF}{IF !link}{IF readable} | <a href="{SCRIPT}?command=copy&amp;file={FILE_URL}">Copy</a>{ENDIF}{ENDIF}{IF dir_writeable} | <a href="{SCRIPT}?command=rename&amp;file={FILE_URL}">Rename</a> | <a href="{SCRIPT}?command=remove&amp;file={FILE_URL}">Delete</a>{ENDIF} |{IF !link}{IF users} <a href="{SCRIPT}?command=chprop&amp;file={FILE_URL}">Chmod/Chgrp</a> |{ENDIF}{ENDIF} <a href="{URL}" target="_blank">View in Browser</a>)</td>
+<td style="padding-left:15pt;white-space:nowrap;">{IF forbidden}<span style="color:#C0C0C0" title="File access forbidden by Dev-Editor's configuration">{FILE_NAME}</span>{ELSE}{FILE_NAME}{ENDIF}</td>
+<td style="padding-left:15pt;white-space:nowrap;">({IF !forbidden}{IF viewable}<a href="{SCRIPT}?command=show&amp;file={FILE_URL}">View</a>{ELSE}<span style="color:#C0C0C0" title="{IF !readable}Not readable{ELSE}{IF binary}Binary file{ELSE}{IF too_large}File too large{ENDIF}{ENDIF}{ENDIF}">View</span>{ENDIF} | {IF editable}<a href="{SCRIPT}?command=beginedit&amp;file={FILE_URL}">Edit</a>{ELSE}<span style="color:#C0C0C0" title="{IF link}Symbolic link{ELSE}{IF !readable}Not readable{ELSE}{IF !writeable}Read only{ELSE}{IF binary}Binary file{ELSE}{IF too_large}File too large{ENDIF}{ENDIF}{ENDIF}{ENDIF}{ENDIF}">Edit</span>{ENDIF}{IF !link}{IF readable} | <a href="{SCRIPT}?command=copy&amp;file={FILE_URL}">Copy</a>{ENDIF}{ENDIF}{IF dir_writeable} | <a href="{SCRIPT}?command=rename&amp;file={FILE_URL}">Rename</a> | <a href="{SCRIPT}?command=remove&amp;file={FILE_URL}">Delete</a>{ENDIF} |{IF !link}{IF users} <a href="{SCRIPT}?command=chprop&amp;file={FILE_URL}">Chmod/Chgrp</a> |{ENDIF}{ENDIF} {ENDIF}<a href="{URL}" target="_blank">View in Browser</a>)</td>
 </tr>