????
Current Path : /home/multihiv/www/store/wp-content/plugins/fileorganizer/main/ |
Current File : /home/multihiv/www/store/wp-content/plugins/fileorganizer/main/ajax.php |
<?php /* * FILEORGANIZER * https://fileorganizer.net/ * (c) FileOrganizer Team */ if(!defined('FILEORGANIZER_VERSION')){ die('Hacking Attempt!'); } add_action('wp_ajax_fileorganizer_file_folder_manager', 'fileorganizer_ajax_handler'); function fileorganizer_ajax_handler(){ global $fileorganizer; // Check nonce check_admin_referer( 'fileorganizer_ajax' , 'fileorganizer_nonce' ); // Check capability $capability = fileorganizer_get_capability(); if(!current_user_can($capability)){ return; } // Load saved settings $url = site_url(); $path = !empty($fileorganizer->options['root_path']) ? fileorganizer_cleanpath($fileorganizer->options['root_path']) : ABSPATH; if(!defined('FILEORGANIZER_PRO') || empty($fileorganizer->options['disable_path_restriction'])){ $path = fileorganizer_validate_path($path) ? $path : ABSPATH; } if(is_multisite()){ $url = network_home_url(); } // Set restrictions $restrictions = [ array( 'pattern' => '/.tmb/', 'read' => false, 'write' => false, 'hidden' => true, 'locked' => false, ), array( 'pattern' => '/.quarantine/', 'read' => false, 'write' => false, 'hidden' => true, 'locked' => false, ) ]; // Hide .htaccess? if(!empty($fileorganizer->options['hide_htaccess'])) { $restrictions[] = array( 'pattern' => '/.htaccess/', 'read' => false, 'write' => false, 'hidden' => true, 'locked' => false ); } $disable_commands = array('help', 'preference', 'hide', 'netmount'); $config = array(); // Configure elfinder $config[0] = array( 'driver' => 'LocalFileSystem', 'path' => $path, 'URL' => $url, 'winHashFix' => DIRECTORY_SEPARATOR !== '/', 'accessControl' => 'access', 'acceptedName' => 'validName', 'uploadMaxSize' => 0, 'disabled' => $disable_commands, 'attributes' => $restrictions ); // Is trash enabled? if (!empty($fileorganizer->options['enable_trash'])) { $uploads_dir = wp_upload_dir(); $trash_dir = fileorganizer_cleanpath($uploads_dir['basedir'].'/fileorganizer/.trash'); $trash_glob = glob($trash_dir . '-*/', GLOB_ONLYDIR); if(!empty($trash_glob) && !empty($trash_glob[0])){ $trash_dir = $trash_glob[0]; $trash_name = basename($trash_dir); } if(empty($trash_name) || !file_exists($trash_dir)){ $randomness = wp_generate_password(12, false); $trash_dir .= '-' . $randomness; $trash_name = basename($trash_dir); mkdir($trash_dir . '/.tmb', 0755, true); } if(!file_exists($trash_dir . '/index.php')){ file_put_contents($trash_dir . '/index.php', '<?php //Silence is golden'); chmod($trash_dir . '/index.php', 0444); } // Configure trash $config[1] = array( 'id' => '1', 'driver' => 'Trash', 'path' => $trash_dir, 'tmbURL' => $uploads_dir['baseurl'].'/fileorganizer/'.$trash_name.'/.tmb/', 'winHashFix' => DIRECTORY_SEPARATOR !== '/', 'uploadDeny' => array(''), 'uploadAllow' => array(''), 'uploadOrder' => array('deny', 'allow'), 'accessControl' => 'access', 'disabled' => $disable_commands, 'attributes' => $restrictions, ); $config[0]['trashHash'] = 't1_Lw'; } $config = apply_filters('fileorganizer_manager_config', $config); $el_config = array( 'locale' => 'zh_CN', 'debug' => false, 'roots' => $config, 'bind' => array( 'mkdir' => function(&$path, &$name, $src, $elfinder, $volume){ global $fileorganizer; if(empty($fileorganizer->options['enable_trash']) || empty($name['added']) || !is_array($name['added']) || empty($volume)){ return; } foreach($name['added'] as $added){ $dir_path = $volume->realpath($added['hash']); if(empty($dir_path) || strpos($dir_path, '.trash-') === FALSE){ return; } if(!file_exists($dir_path . '/index.php')){ file_put_contents($dir_path . '/index.php', '<?php //Silence is golden'); chmod($dir_path . '/index.php', 0444); } } }, 'upload.presave' => function(&$path, &$name, $src, $elfinder, $volume) { if( !current_user_can('activate_plugins') ) { $validate = wp_check_filetype( $name ); if( $validate['type'] == false ){ return array( 'error' => __('File type is not allowed.', 'fileorganizer')); } } if( !current_user_can('unfiltered_html') ) { $content = file_get_contents($src); $is_xss = ''; while(true){ $found = fileorganizer_xss_content($content); if(strlen($found) > 0){ // Check if the file is an SVG then allow 'svg', 'xml' tags if( in_array($found, array('svg', 'xml')) && ( mime_content_type($src) == 'image/svg+xml' || in_array(pathinfo($name, PATHINFO_EXTENSION), array('svg', 'svgz') ) ) ){ $content = str_replace($found, '', $content); continue; } $is_xss = $found; } break; } // Unfiltered_html cap needs to be checked if(strlen($is_xss) > 0 ){ return array( 'error' => __('Following not allowed content found ').' : -"'. $is_xss .'" in file '.$name); } } return true; } ) ); // Load autoloader require FILEORGANIZER_DIR.'/manager/php/autoload.php'; // Load FTP driver? if(defined('FILEORGANIZER_PRO') && !empty($fileorganizer->options['enable_ftp'])){ elFinder::$netDrivers['ftp'] = 'FTP'; } // run elFinder $connector = new elFinderConnector(new elFinder($el_config)); $connector->run(); } // Change fileorganizer theme add_action('wp_ajax_fileorganizer_switch_theme', 'fileorganizer_switch_theme'); function fileorganizer_switch_theme(){ //Check nonce check_admin_referer( 'fileorganizer_ajax' , 'fileorganizer_nonce' ); if(!current_user_can('manage_options')){ wp_send_json(array( 'error' => 'Permision Denide!' ), 400); } $theme = fileorganizer_optpost('theme'); $options = get_option('fileorganizer_options', array()); $options['theme'] = $theme; update_option('fileorganizer_options', $options); $theme_path = !empty($theme) ? '/themes/'.$theme : ''; // Return requested theme path $path = FILEORGANIZER_URL.'/manager'.$theme_path.'/css/theme.css'; $response = array( 'success' => true, 'stylesheet' => $path ); wp_send_json($response, 200); } add_action('wp_ajax_fileorganizer_hide_promo', 'fileorganizer_hide_promo'); function fileorganizer_hide_promo(){ //Check nonce check_admin_referer( 'fileorganizer_promo_nonce' , 'security' ); // Save value in minus update_option('fileorganizer_promo_time', (0 - time())); die('DONE'); } // As per the JS specification function fileorganizer_unescapeHTML($str){ $replace = [ '#93' => ']', '#91' => '[', //'#61' => '=', 'lt' => '<', 'gt' => '>', 'quot' => '"', //'amp' => '&', '#39' => '\'', '#92' => '\\' ]; foreach($replace as $k => $v){ $str = str_replace('&'.$k.';', $v, $str); } return $str; } // Check for XSS codes in our shortcodes submitted function fileorganizer_xss_content($data){ $data = fileorganizer_unescapeHTML($data); $data = preg_split('/\s/', $data); $data = implode('', $data); //echo $data; // For PDF file if(preg_match('/\/JavaScript/is', $data)){ return '/JavaScript'; } // This is also for PDF file if(preg_match('/\/JS/is', $data)){ return '/JS'; } if(preg_match('/["\']javascript\:/is', $data)){ return 'javascript'; } if(preg_match('/["\']vbscript\:/is', $data)){ return 'vbscript'; } if(preg_match('/\-moz\-binding\:/is', $data)){ return '-moz-binding'; } if(preg_match('/expression\(/is', $data)){ return 'expression'; } if(preg_match('/\<(iframe|frame|script|style|link|applet|embed|xml|svg|object|layer|ilayer|meta)/is', $data, $matches)){ return $matches[1]; } // These events not start with on $not_allowed = array('click', 'dblclick', 'mousedown', 'mousemove', 'mouseout', 'mouseover', 'mouseup', 'load', 'unload', 'change', 'submit', 'reset', 'select', 'blur', 'focus', 'keydown', 'keypress', 'keyup', 'afterprint', 'beforeprint', 'beforeunload', 'error', 'hashchange', 'message', 'offline', 'online', 'pagehide', 'pageshow', 'popstate', 'resize', 'storage', 'contextmenu', 'input', 'invalid', 'search', 'mousewheel', 'wheel', 'drag', 'dragend', 'dragenter', 'dragleave', 'dragover', 'dragstart', 'drop', 'scroll', 'copy', 'cut', 'paste', 'abort', 'canplay', 'canplaythrough', 'cuechange', 'durationchange', 'emptied', 'ended', 'loadeddata', 'loadedmetadata', 'loadstart', 'pause', 'play', 'playing', 'progress', 'ratechange', 'seeked', 'seeking', 'stalled', 'suspend', 'timeupdate', 'volumechange', 'waiting', 'toggle', 'animationstart', 'animationcancel', 'animationend', 'animationiteration', 'auxclick', 'beforeinput', 'beforematch', 'beforexrselect', 'compositionend', 'compositionstart', 'compositionupdate', 'contentvisibilityautostatechange', 'focusout', 'focusin', 'fullscreenchange', 'fullscreenerror', 'gotpointercapture', 'lostpointercapture', 'mouseenter', 'mouseleave', 'pointercancel', 'pointerdown', 'pointerenter', 'pointerleave', 'pointermove', 'pointerout', 'pointerover', 'pointerrawupdate', 'pointerup', 'scrollend', 'securitypolicyviolation', 'touchcancel', 'touchend', 'touchmove', 'touchstart', 'transitioncancel', 'transitionend', 'transitionrun', 'transitionstart', 'MozMousePixelScroll', 'DOMActivate', 'afterscriptexecute', 'beforescriptexecute', 'DOMMouseScroll', 'willreveal', 'gesturechange', 'gestureend', 'gesturestart', 'mouseforcechanged', 'mouseforcedown', 'mouseforceup', 'mouseforceup'); $not_allowed = implode('|', $not_allowed); if(preg_match('/(on|onwebkit)+('.($not_allowed).')=/is', $data, $matches)){ return $matches[1]+$matches[2]; } return; }