From 4fb80b78acb8c336200b5fe20403bcb94c0aed98 Mon Sep 17 00:00:00 2001
From: pcanterino <>
Date: Fri, 26 Nov 2004 16:00:27 +0000
Subject: [PATCH 1/1] - Check if we have enough permissions to write in directory at the following points:
- Before executing a command which creates a new file
- Before uploading a file
- Before removing or moving/renaming a file or directory
- oct() does not care about leading zeros, the resulting value is always the same.
- The name of the variable which will be replaced by a directory to go back to in error.htm was renamed from "{DIR}" to "{BACK}". "{DIR}" caused some problems.
- Changed the names of some error messages:
nocopy -> no_copy
noedit -> no_edit
noview -> no_view
---
 devedit.pl | 10 +++++++++-
 errors.dat | 9 ++++++---
 modules/Command.pm | 30 +++++++++++++++++-------------
 modules/Output.pm | 4 ++--
 templates/chprop.htm | 2 +-
 templates/dirlist_dir.htm | 2 +-
 templates/dirlist_file.htm | 2 +-
 templates/error.htm | 2 +-
 8 files changed, 38 insertions(+), 23 deletions(-)
diff --git a/devedit.pl b/devedit.pl
index aa7a3ca..3ec92df 100644
--- a/devedit.pl
+++ b/devedit.pl
@@ -6,7 +6,7 @@
 # Dev-Editor's main program
 #
 # Author: Patrick Canterino
-# Last modified: 2004-11-13
+# Last modified: 2004-11-26
 #
 use strict;
@@ -82,6 +82,14 @@ if($newfile ne '' && $newfile !~ /^\s+$/)
 abort($config->{'errors'}->{'create_ar'},"/");
 }
+ # Check if we have enough permissions to create a file
+ # in this directory
+
+ unless(-r $new_physical && -w $new_physical && -x $new_physical)
+ {
+ abort($config->{'errors'}->{'dir_no_create'},"/",{DIR => $new_virtual});
+ }
+
 # Create the physical and the virtual path
 $new_physical = File::Spec->canonpath($new_physical."/".$file);
diff --git a/errors.dat b/errors.dat
index b09148f..995e5f8 100644
--- a/errors.dat
+++ b/errors.dat
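Review bot: The placeholder passed to abort() in the new permission check does not match the message it is meant to fill: the call uses `{DIR => $new_virtual}` while the `dir_no_create` line added to errors.dat reads `'{DIRECTORY}'`, so the user will see the literal text `{DIRECTORY}` instead of the directory name. The exec_upload hunk in modules/Command.pm has the same mismatch. Since the other messages in errors.dat already use `{DIR}` (`dir_read_fail`, `mkdir_failed`), the simplest fix is on the errors.dat side: `dir_no_create = You have not enough permissions to create a file in the directory '{DIR}'.`. Note also that the `-r`/`-w`/`-x` filetests are a pre-check for a friendlier message, not the access control itself — the result of the actual create still has to be checked, which the existing mkfile_failed/mkdir_failed paths presumably do. The enclosing `if($newfile ...)` block starts before the hunk.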
@@ -7,6 +7,7 @@ copy_failed = Could not copy '{FILE}' to '{NEW_FILE}'.
 create_ar = You aren't allowed to create files and directories above the virtual root directory.
 delete_failed = Could not delete file '{FILE}'.
 dircopy = This editor is not able to copy directories.
+dir_no_create = You have not enough permissions to create a file in the directory '{DIRECTORY}'.
 dir_not_exist = The directory where you want to create this file or directory doesn't exist.
 dir_read_fail = Reading of directory '{DIR}' failed.
 dir_replace = You are not allowed to replace a directory.
@@ -21,14 +22,16 @@ invalid_group = '{GROUP}' seems to be an invalid group name. Please check it an
 lock_failed = Locking of '{USELIST}' failed. Try it again in a moment. If the problem persists, ask someone to recreate the lock file ('{LOCK_FILE}').
 mkdir_failed = Could not create directory '{DIR}'.
 mkfile_failed = Could not create file '{FILE}'.
-noedit = You have not enough permissions to edit this file.
-nocopy = You have not enough permissions to copy this file.
-noview = You have not enough permissions to view this file.
+no_copy = You have not enough permissions to copy this file.
+no_delete = You have not enough permissions to delete this file.
 no_dir_access = You have not enough permissions to access this directory.
 no_directory = '{FILE}' is not a directory.
+no_edit = You have not enough permissions to edit this file.
+no_rename = You have not enough permissions to move/rename this file.
 no_root_access = You have not enough permissions to access the root directory.
 no_root_dir = The root directory does not exist or is not a directory.
 no_users = It seems that your system doesn't support users and groups.
+no_view = You have not enough permissions to view this file.
 not_exist = File/directory does not exist.
 not_owner = You are not the owner of '{FILE}', so you are not allowed to change the mode and the group.
 remove_root = You are not allowed to remove the root directory.
diff --git a/modules/Command.pm b/modules/Command.pm
index f2b1a04..83739f0 100644
--- a/modules/Command.pm
+++ b/modules/Command.pm
@@ -6,7 +6,7 @@ package Command;
 # Execute Dev-Editor's commands
 #
 # Author: Patrick Canterino
-# Last modified: 2004-11-25
+# Last modified: 2004-11-26
 #
 use strict;
@@ -106,6 +106,8 @@ sub exec_show($$)
 my $files = $direntries->{'files'};
 my $dirs = $direntries->{'dirs'};
+ my $dir_writeable = -w $physical;
+
 my $dirlist = "";
 # Create the link to the upper directory
@@ -156,6 +158,7 @@ sub exec_show($$)
 my @stat = stat($phys_path);
 my $in_use = $uselist->in_use($virtual.$file);
+ my $too_large = $config->{'max_file_size'} && $stat[7] > $config->{'max_file_size'};
 my $ftpl = new Template;
 $ftpl->read_file($config->{'templates'}->{'dirlist_file'});
@@ -170,8 +173,8 @@ sub exec_show($$)
 $ftpl->parse_if_block("binary",-B $phys_path);
 $ftpl->parse_if_block("readonly",not -w $phys_path);
- $ftpl->parse_if_block("viewable",-r $phys_path && -T $phys_path && not ($config->{'max_file_size'} && $stat[7] > $config->{'max_file_size'}));
- $ftpl->parse_if_block("editable",-r $phys_path && -w $phys_path && -T $phys_path && not ($config->{'max_file_size'} && $stat[7] > $config->{'max_file_size'}) && not $in_use);
+ $ftpl->parse_if_block("viewable",-r $phys_path && -T $phys_path && not $too_large);
+ $ftpl->parse_if_block("editable",-r $phys_path && -w $phys_path && -T $phys_path && not $too_large && not $in_use);
 $ftpl->parse_if_block("in_use",$in_use);
 $ftpl->parse_if_block("unused",not $in_use);
@@ -189,12 +192,14 @@ sub exec_show($$)
 $tpl->fillin("DIR",$virtual);
 $tpl->fillin("SCRIPT",$script);
 $tpl->fillin("URL",equal_url($config->{'httproot'},$virtual));
+
+ $tpl->parse_if_block("dir_writeable",$dir_writeable);
 }
 else
 {
 # View a file
- return error($config->{'errors'}->{'noview'},$upper_path) unless(-r $physical);
+ return error($config->{'errors'}->{'no_view'},$upper_path) unless(-r $physical);
 # Check on binary files
 # We have to do it in this way, or empty files
@@ -258,7 +263,7 @@ sub exec_beginedit($$)
 return error($config->{'errors'}->{'editdir'},$dir) if(-d $physical);
 return error($config->{'errors'}->{'in_use'}, $dir,{FILE => $virtual}) if($uselist->in_use($virtual));
- return error($config->{'errors'}->{'noedit'}, $dir) unless(-r $physical && -w $physical);
+ return error($config->{'errors'}->{'no_edit'},$dir) unless(-r $physical && -w $physical);
 # Check on binary files
@@ -370,7 +375,7 @@ sub exec_endedit($$)
 return error($config->{'errors'}->{'text_to_binary'},$dir) unless(-T $physical);
 return error($config->{'errors'}->{'editdir'},$dir) if(-d $physical);
- return error($config->{'errors'}->{'noedit'}, $dir) if(-e $physical && !(-r $physical && -w $physical));
+ return error($config->{'errors'}->{'no_edit'},$dir) if(-e $physical && !(-r $physical && -w $physical));
 if(file_save($physical,\$content))
 {
@@ -479,6 +484,7 @@ sub exec_upload($$)
 my $cgi = $data->{'cgi'};
 return error($config->{'errors'}->{'no_directory'},upper_path($virtual),{FILE => $virtual}) unless(-d $physical);
+ return error($config->{'errors'}->{'dir_no_create'},$virtual,{DIR => $virtual});
 if(my $uploaded_file = $cgi->param('uploaded_file'))
 {
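Review bot: The `dir_no_create` return added to exec_upload has no condition — `return error($config->{'errors'}->{'dir_no_create'},$virtual,{DIR => $virtual});` runs unconditionally, so every upload is rejected before the `uploaded_file` parameter is even read. It needs the same kind of guard as the other new checks, e.g. ` unless(-w $physical && -x $physical);` appended to the statement. The `{DIR}` placeholder in this call also does not match the `{DIRECTORY}` used by the `dir_no_create` message in errors.dat, so even once guarded the directory name would not be shown. exec_upload's body continues outside the hunk.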
@@ -541,7 +547,7 @@ sub exec_copy($$)
 my $new_physical = $data->{'new_physical'};
 return error($config->{'errors'}->{'dircopy'},upper_path($virtual)) if(-d $physical);
- return error($config->{'errors'}->{'nocopy'},upper_path($virtual)) unless(-r $physical);
+ return error($config->{'errors'}->{'no_copy'},upper_path($virtual)) unless(-r $physical);
 if($new_physical)
 {
@@ -616,6 +622,7 @@ sub exec_rename($$)
 my $new_physical = $data->{'new_physical'};
 return error($config->{'errors'}->{'rename_root'},"/") if($virtual eq "/");
+ return error($config->{'errors'}->{'no_rename'},upper_path($virtual)) unless(-w upper_path($physical));
 return error($config->{'errors'}->{'in_use'},upper_path($virtual),{FILE => $virtual}) if($data->{'uselist'}->in_use($virtual));
 if($new_physical)
@@ -689,7 +696,8 @@ sub exec_remove($$)
 my $physical = $data->{'physical'};
 my $virtual = $data->{'virtual'};
- return error($config->{'errors'}->{'remove_root'},"/") if($virtual eq "/");
+ return error($config->{'errors'}->{'remove_root'},"/") if($virtual eq "/");
+ return error($config->{'errors'}->{'no_delete'},upper_path($virtual)) unless(-w upper_path($physical));
 if(-d $physical)
 {
@@ -778,11 +786,7 @@ sub exec_chprop($$)
 {
 # Change the mode
- my $oct_mode = $mode;
- $oct_mode = "0".$oct_mode if(length($oct_mode) == 3);
- $oct_mode = oct($oct_mode);
-
- chmod($oct_mode,$physical);
+ chmod(oct($mode),$physical);
 }
 if($group)
diff --git a/modules/Output.pm b/modules/Output.pm
index 5fd22bf..9ab8697 100644
--- a/modules/Output.pm
+++ b/modules/Output.pm
@@ -6,7 +6,7 @@ package Output;
 # HTML generating routines
 #
 # Author: Patrick Canterino
-# Last modified: 2004-11-13
+# Last modified: 2004-11-26
 #
 use strict;
@@ -59,7 +59,7 @@ sub error($;$$)
 $tpl->read_file($tpl_error);
 $tpl->fillin("ERROR",$message);
- $tpl->fillin("DIR",$path);
+ $tpl->fillin("BACK",$path);
 $tpl->fillin("SCRIPT",encode_entities($ENV{'SCRIPT_NAME'}));
 $tpl->parse_if_block("dir",defined $path);
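Review bot: The new checks in exec_rename and exec_remove test only `-w upper_path($physical)`, whereas the devedit.pl check for file creation requires read, write and execute on the directory; removing or renaming an entry needs both write and search (execute) permission on the parent, so `-w` alone can pass and the later rename/unlink still fails (a sticky-bit directory is another case where `-w` passes for a file owned by someone else). Evaluating the parent once and testing both bits keeps the message consistent with the create path: `my $parent = upper_path($physical);` followed by `unless(-w $parent && -x $parent);` as the condition, in both subs. Either way these filetests are advisory — the return value of the real rename/unlink still has to be checked, and the existing failure handling (e.g. `delete_failed`) presumably remains further down. Both subs continue outside their hunks.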
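Review bot: `chmod(oct($mode),$physical);` now hands the raw request value straight to oct(), and oct() also accepts `0x`/`0b` prefixes and silently stops at the first non-octal character, so unless $mode is validated earlier in exec_chprop (outside this hunk) inputs such as `0x1ff` or `77abc` are applied as whatever oct() makes of them rather than rejected. An anchored check such as `if($mode =~ /\A[0-7]{3,4}\z/)` around the chmod, with an error for anything else, would make the accepted input match the three-or-four-digit octal form that templates/chprop.htm documents. The removed zero-padding was indeed redundant, as the commit message says, since oct("755") and oct("0755") are equal.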
diff --git a/templates/chprop.htm b/templates/chprop.htm
index 4a9fc3f..e5ed8f5 100644
--- a/templates/chprop.htm
+++ b/templates/chprop.htm
@@ -43,7 +43,7 @@
  • Change mode:
    -Use an octal number to change the mode of the file. You may use the three or four number form. For this, SetUID, SetGID and Sticky Bit are also supported.
  • +Use an octal number to change the mode of the file. SetUID, SetGID and Sticky Bit are also supported.
  • Change group:
    Enter the group name or the group ID the file should be assigned to. If a group name is also a numeric group ID, the value is used as a group name.
diff --git a/templates/dirlist_dir.htm b/templates/dirlist_dir.htm
index 6a1a740..cfac797 100644
--- a/templates/dirlist_dir.htm
+++ b/templates/dirlist_dir.htm
@@ -2,5 +2,5 @@ [SUBDIR] {DATE} {IF readable}{DIR_NAME}/{ELSE}{DIR_NAME}/{ENDIF}
-(Rename | Delete |{IF users} Chmod/Chgrp |{ENDIF} View in Browser)
+({IF dir_writeable}Rename | Delete | {ENDIF}{IF users}Chmod/Chgrp | {ENDIF}View in Browser)
diff --git a/templates/dirlist_file.htm b/templates/dirlist_file.htm
index 1de43ca..720ae17 100644
--- a/templates/dirlist_file.htm
+++ b/templates/dirlist_file.htm
@@ -2,5 +2,5 @@ {SIZE} {DATE} {FILE_NAME}
-({IF viewable}View{ELSE}View{ENDIF} | {IF editable}Edit{ELSE}Edit{ENDIF} | Copy{IF unused} | Rename | Delete{ENDIF}{IF in_use} | Unlock{ENDIF} |{IF users} Chmod/Chgrp |{ENDIF} View in Browser)
+({IF viewable}View{ELSE}View{ENDIF} | {IF editable}Edit{ELSE}Edit{ENDIF} | Copy{IF unused}{IF dir_writeable} | Rename | Delete{ENDIF}{ENDIF}{IF in_use} | Unlock{ENDIF} |{IF users} Chmod/Chgrp |{ENDIF} View in Browser)
diff --git a/templates/error.htm b/templates/error.htm
index 5698904..17abf7f 100644
--- a/templates/error.htm
+++ b/templates/error.htm
@@ -12,6 +12,6 @@

{ERROR}

{IF dir} -

Back to {DIR}

{ENDIF} +

Back to {BACK}

{ENDIF} \ No newline at end of file -- 2.34.1