pcanterino [Sun, 13 Feb 2005 09:42:39 +0000 (09:42 +0000)]
- For security reasons, I completely changed the handling of symbolic links:
Symbolic links are now treated as files, no matter where they point to. The
user is just allowed to see the path where the link points to, he is allowed
to delete the link, to rename it and to overwrite it by renaming another
file. Nothing else is allowed.
Accessing a symbolic link pointing to a directory caused also a very strange
effect: It was possible to access this directory, but you could not access the
objects in it.
I had to do it in this way because of the very stupid behaviour of abs_path()
from the Cwd module: This function is just able to detect the absolute path of
directories.
Hard links are not affected by this, because it is not possible to detect them
(at least I don't know how to detect them).
- Changed the names of two error messages:
dircopy -> dir_copy
editdir -> dir_edit
- Fixed various errors in some template files
pcanterino [Thu, 10 Feb 2005 18:42:10 +0000 (18:42 +0000)]
- Check if unlocking of the list of files in use was successful
- Check if a file could be successfully added to the list of files in use
- Check if a file could be successfully removed from the list of files in use
pcanterino [Sat, 8 Jan 2005 10:18:18 +0000 (10:18 +0000)]
- NOW check_path() should work properly
I removed my self-written code to resolve "..", "...", "...." and so on and
replaced it by a single call to abs_path(). That is more reliable!
- file_name() and upper_path() now take care of a
"multiple-slash-root-directory" and Windows drive letters
pcanterino [Thu, 6 Jan 2005 14:28:00 +0000 (14:28 +0000)]
- Fixed a bug occurring if the "curdir" CGI parameter had no trailing slash and
the "newfile" parameter had no leading slash
- On Windows systems it was possible to access the directories above the root
directory by accessing a path ending with "..." or "...." and so on
pcanterino [Thu, 6 Jan 2005 11:25:46 +0000 (11:25 +0000)]
- When composing the temporary virtual path for a new file, don't call
clean_path(). It is unnecessary and it also caused a problem if this path
would begin with /../, because on UNIX systems, canonpath() removes /../ at
the beginning of a path. So if a user wanted to create the file /../file.ext
(which he wasn't allowed to), he created /file.ext.
- file_name() and upper_path() now remove multiple trailing slashes
- Improved configuration file parser:
- Allow configuration options with empty values
- If an option is defined twice, the line number is shown in the error message
- Static values are now surrounded by single quotes. Maybe it helps to increase
the speed of Dev-Editor, because Perl doesn't have to try to interpolate
variables in the values.
pcanterino [Tue, 4 Jan 2005 12:53:57 +0000 (12:53 +0000)]
- In the virtual directory string, check_path() converts backslashes to slashes
before removing slashes at the beginning (not really necessary, but I want to
be sure)
- check_path() and equal_url() now remove multiple disturbing slashes in strings
pcanterino [Wed, 29 Dec 2004 20:39:59 +0000 (20:39 +0000)]
If locking of the uselist file failed, get the template variables directly from
the File::UseList object, because the name of the lock file could have been
composed by File::UseList.
pcanterino [Tue, 21 Dec 2004 13:40:34 +0000 (13:40 +0000)]
- While processing a file upload, check if the user wants to replace a directory
or overwrite a write-protected file
- If the user wants to copy or rename a file, check if he wants to overwrite a
write-protected file
pcanterino [Fri, 17 Dec 2004 17:05:45 +0000 (17:05 +0000)]
- Dev-Editor now uses flock(). flock() is called using a wrapper function which
checks if it is really available.
- file_save() in File::Access is now able to open a file in binary mode. Thus,
the file saving process in the file upload code in Command.pm has been
replaced by a single file_save() call.
pcanterino [Thu, 16 Dec 2004 15:45:32 +0000 (15:45 +0000)]
- Entities in some more strings are now encoded
- The Hash Reference for devedit_reload() is now optional
- Removed "use Data::Dumper;" in Command.pm. I forgot to remove it after debugging.
pcanterino [Mon, 13 Dec 2004 15:17:44 +0000 (15:17 +0000)]
- exec_chprop() should have a proper coding style, but it made the routine hard
to maintain. Thus, I changed its structure.
- Don't allow to change the properties of a file in use
- Don't allow to upload a file if a file with the same virtual name is currently
in use
pcanterino [Fri, 3 Dec 2004 14:04:28 +0000 (14:04 +0000)]
Version 1.3:
- Replaced open() by sysopen()
- Added method remove_all() to remove all files from the list (maybe we will
need it...)
- Changed my email address
pcanterino [Sat, 27 Nov 2004 09:57:23 +0000 (09:57 +0000)]
Changed my email address (patshaping@gmx.net -> patrick@patshaping.de) in all
files except the Template and the File::UseList modules (they are separate
software).
pcanterino [Fri, 26 Nov 2004 17:35:58 +0000 (17:35 +0000)]
- Don't display the file upload link in directory listing if Dev-Editor has no
write access to this directory.
- Wrong variable "{DIRECTORY}" in error message "dir_no_create" - it should be
"{DIR}".
pcanterino [Fri, 26 Nov 2004 16:00:27 +0000 (16:00 +0000)]
- Check if we have enough permissions to write in directory at the following
points:
- Before executing a command which creates a new file
- Before uploading a file
- Before removing or moving/renaming a file or directory
- oct() does not care about leading zeros, the resulting value is always the
same.
- The name of the variable which will be replaced by a directory to go back to
in error.htm was renamed from "{DIR}" to "{BACK}". "{DIR}" caused some
problems.
- Changed the names of some error messages:
nocopy -> no_copy
noedit -> no_edit
noview -> no_view
pcanterino [Wed, 24 Nov 2004 16:35:20 +0000 (16:35 +0000)]
- Added new if blocks to the templates about.htm and chprop.htm: The blocks are
named "group_detected" and "user_detected" and show if Dev-Editor could
successfully convert a group or user ID into the corresponding name.
- Cleaned exec_beginedit() and exec_endedit()
- More proper encoding of HTML entities at some points (still needs work)
pcanterino [Sat, 13 Nov 2004 09:13:02 +0000 (09:13 +0000)]
The path the user wants to access must now BEGIN with the root directory. The
old check made it possible to access a directory structure outside the root
directory similar to the root directory.
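
The containment rule from this entry, combined with the abs_path() resolution introduced on 8 Jan 2005, as an added example that is not Dev-Editor's own code. inside_root() and the directory names are hypothetical; the example goes one step beyond the entry by also requiring a path separator after the root, so a sibling directory whose name only starts like the root is rejected.

```perl
use strict;
use warnings;
use Cwd qw(abs_path);
use File::Path qw(make_path);
use File::Temp qw(tempdir);

# Returns the resolved real path if $virtual stays inside $root, otherwise
# nothing. Hypothetical helper, not Dev-Editor's check_path().
sub inside_root {
    my ($root, $virtual) = @_;

    my $real_root = abs_path($root);
    return unless defined $real_root;

    # Resolve ".." and symbolic links before comparing anything.
    my $real = abs_path("$real_root/$virtual");
    return unless defined $real;

    # The root itself is allowed.
    return $real if $real eq $real_root;

    # Anchored comparison with a separator boundary: "/srv/www-old" starts
    # with the string "/srv/www" but is not inside that directory.
    return $real if index($real, "$real_root/") == 0;

    return;
}

# Constructed sample layout: a root and a sibling with a similar name.
my $base = tempdir(CLEANUP => 1);
make_path("$base/www/docs", "$base/www-old/private");

for my $request ('docs', 'docs/..', '../www/docs', '../www-old/private', '..') {
    my $real = inside_root("$base/www", $request);
    printf "%-20s %s\n", $request, defined $real ? 'allowed' : 'denied';
}
```
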
pcanterino [Sat, 13 Nov 2004 08:56:34 +0000 (08:56 +0000)]
- The abort() routine from the Output module is now also able to display a link
at the bottom of the error message. It is a direct wrapper to the error()
routine.
Thus, the following error messages now contain a link at the bottom:
- File not found
- Accessing above the virtual root directory
- Creating an object above the virtual root directory
- Directory where Dev-Editor should create an object does not exist
- It was possible to access the directory containing the virtual root directory.
Well, it was only read-access.
pcanterino [Fri, 5 Nov 2004 12:54:06 +0000 (12:54 +0000)]
- Dev-Editor now checks if it is able to access a directory: Directories that
are not accessible are greyed in directory listing. Accessing such a directory
causes an error message.
- Dev-Editor checks if it has read access to the virtual root directory. Having
no access to this directory would cause Dev-Editor to show the contents of the
real root directory!
pcanterino [Sat, 30 Oct 2004 17:32:26 +0000 (17:32 +0000)]
Because of the ugly behaviour of $(, I'm now using the getgid() function from
the POSIX module to detect the process GID. For being consistent, I'm now using
getuid() (also from the POSIX module) to detect the process UID.
pcanterino [Sat, 23 Oct 2004 13:29:13 +0000 (13:29 +0000)]
When viewing a file, insert the contents of the file into the template AFTER
parsing the "editable" {IF}-block.
(Ever tried to view the viewfile.htm template file using Dev-Editor? Oh my god!)
pcanterino [Fri, 22 Oct 2004 09:40:22 +0000 (09:40 +0000)]
Now we already unlock the file at the beginning of exec_endedit(), because if an
error occurs during saving, the file keeps locked.
This is not a perfect solution, there are still problems. I have to figure out
another one.
pcanterino [Tue, 5 Oct 2004 17:43:11 +0000 (17:43 +0000)]
exec_unlock() now checks if the file is really in use. Otherwise, we return to
directory view (maybe we change this behaviour and display an error message...).
pcanterino [Mon, 4 Oct 2004 17:50:05 +0000 (17:50 +0000)]
Improved file editing using another filename:
- If the user just entered spaces as filename (detection works for other
commands using the "newfile" CGI parameter too), we use the original filename
- Saving even works if the file has to be created first
pcanterino [Mon, 4 Oct 2004 17:50:04 +0000 (17:50 +0000)]
Improved file editing using another filename:
- If the user just entered spaces as filename (detection works for other
commands using the "newfile" CGI parameter too), we use the original filename
- Saving even works, if the file has to be created first
Something definitely went wrong when I remade the copy and the rename functions.
They printed a wrong error message if the destination already existed and if it
was a file.
Dev-Editor also didn't deny copying a directory.
pcanterino [Thu, 5 Aug 2004 10:06:49 +0000 (10:06 +0000)]
Removed the race condition in file_create() which could set a file to 0 if it
already exists.
I wanted to use O_EXCL, but `perldoc -f sysopen` doesn't say that O_EXCL is
available in _every_ system. So I use O_RDONLY and O_CREAT.
Additionally, I replaced all the open() calls in this module by sysopen() calls.
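
The three ways of creating a file that this entry touches on, side by side, as an added example that is not Dev-Editor's file_create(). The function names, the $in_window hook (which stands in for a second process) and the sample file are assumptions made for the demonstration.

```perl
use strict;
use warnings;
use Fcntl qw(O_RDONLY O_WRONLY O_CREAT O_EXCL O_TRUNC);
use File::Temp qw(tempdir);

# Check-then-create. $in_window is a hypothetical hook that stands in for
# another process creating the file between the -e test and the open.
sub create_racy {
    my ($file, $in_window) = @_;
    return 0 if -e $file;
    $in_window->() if $in_window;
    sysopen(my $fh, $file, O_WRONLY | O_CREAT | O_TRUNC) or return 0;
    return close($fh);
}

# Flags named in the commit message: creates a missing file, never truncates.
sub create_no_truncate {
    my ($file) = @_;
    sysopen(my $fh, $file, O_RDONLY | O_CREAT) or return 0;
    return close($fh);
}

# O_EXCL alternative: test and creation are one atomic step, and the call
# fails (EEXIST) when the file is already there.
sub create_exclusive {
    my ($file) = @_;
    sysopen(my $fh, $file, O_WRONLY | O_CREAT | O_EXCL) or return 0;
    return close($fh);
}

my $dir  = tempdir(CLEANUP => 1);
my $file = "$dir/page.htm";    # constructed sample file

my $other_writer = sub {
    open(my $out, '>', $file) or die "$file: $!";
    print {$out} "important\n";
    close($out) or die "$file: $!";
};
my $report = sub {
    my ($name, $ok) = @_;
    printf "%-18s ok=%d size=%d\n", $name, $ok ? 1 : 0, (stat $file)[7];
};

$report->('create_racy', create_racy($file, $other_writer));
$other_writer->();
$report->('create_no_truncate', create_no_truncate($file));
$report->('create_exclusive', create_exclusive($file));
```
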
pcanterino [Sun, 1 Aug 2004 11:39:56 +0000 (11:39 +0000)]
Allow to change the group of a file using the Group ID
(Let's hope nobody will define a group composed only of numbers - let's hope it
isn't allowed at all - I should install Linux at home...)
Replaced the code of mode_string() by some self-written code that I also
understand
(The previous code was grabbed from Sven Rautenberg's SELFHTML Developer
internal PHP Dev-Editor)
- Detection of SSL encrypted HTTP (HTTPS) by checking the HTTPS environment
variable
- Check if the server listens on the default port or not
- Support for query string parameters with multiple values - thanks a lot to
Andre Malo (n.d. parker)!
- Encode non-ASCII-chars and special chars in the query string
- Using virtual_host() from the CGI module (has some advantages)
In directory listing, when clicking on the buttons next to the fields for
creating new files and directories without entering a file or directory name,
the user got an error message which is a little bit strange.
Now, the user will see a form for creating new files or directories.
Well, this is not perfect, but at least, this error will be caught.
Small improvement for the JavaScript code which activates the checkbox for
saving under a different file name:
If the field for the file name is empty, the checkbox will be deactivated.
Split the configuration file into three parts:
- devedit.dat: The main configuration file
- errors.dat: Contains the error messages
- templates.dat: Contains the path to the templates files
pcanterino [Sun, 14 Mar 2004 09:41:57 +0000 (09:41 +0000)]
Added an "About" dialogue, which shows some (more or less useful) information about Dev-Editor.
Additionally, the $VERSION variable in devedit.pl is back again.