diff --git a/app/edit/foldernew.php b/app/edit/foldernew.php index 0f0e002636..65fc532df8 100644 --- a/app/edit/foldernew.php +++ b/app/edit/foldernew.php @@ -17,72 +17,96 @@ The Initial Developer of the Original Code is Mark J Crane - Portions created by the Initial Developer are Copyright (C) 2008-2012 + Portions created by the Initial Developer are Copyright (C) 2008-2019 the Initial Developer. All Rights Reserved. Contributor(s): Mark J Crane James Rose */ -include "root.php"; -require_once "resources/require.php"; -require_once "resources/check_auth.php"; -if (permission_exists('script_editor_save')) { - //access granted -} -else { - echo "access denied"; - exit; -} + +//includes + include "root.php"; + require_once "resources/require.php"; + require_once "resources/check_auth.php"; + + //check permissions + if (permission_exists('script_editor_save')) { + //access granted + } + else { + echo "access denied"; + exit; + } //add multi-lingual support $language = new text; $text = $language->get(); -$folder = $_GET["folder"]; -$folder = str_replace ("\\", "/", $folder); -$foldername = $_GET["foldername"]; +//preparing the directory + $folder = $_REQUEST["folder"]; + $folder = str_replace ("\\", "/", $folder); + $foldername = $_REQUEST["foldername"]; -if (strlen($folder) > 0 && strlen($foldername) > 0) { - //create new folder - mkdir($folder.'/'.$foldername); //, 0700 - header("Location: fileoptions.php"); -} -else { //display form - require_once "header.php"; - echo "
"; - echo "
"; - echo "
"; - echo ""; - echo " "; - echo " "; - echo " "; - echo " "; - echo " "; - echo " "; - echo "
".$text['label-path']."
".$folder."
"; +//create the directory or show the html form + if (strlen($folder) > 0 && strlen($foldername) > 0) { - echo "
"; + //compare the tokens + $key_name = '/app/edit/folder_new'; + $hash = hash_hmac('sha256', $key_name, $_SESSION['keys'][$key_name]); + if (!hash_equals($hash, $_POST['token'])) { + echo "access denied"; + exit; + } - echo ""; - echo " "; - echo " "; - echo " "; + //create new folder + mkdir($folder.'/'.$foldername); //, 0700 + header("Location: fileoptions.php"); + } + else { - echo " "; - echo " "; - echo " "; + //create a token + $key_name = '/app/edit/folder_new'; + $_SESSION['keys'][$key_name] = bin2hex(random_bytes(32)); + $_SESSION['token'] = hash_hmac('sha256', $key_name, $_SESSION['keys'][$key_name]); - echo " "; - echo " "; - echo " "; - echo "
".$text['label-folder-name']."
"; - echo " "; - echo " "; - echo "
"; - echo "
"; - echo "
"; + //display the html form + require_once "header.php"; + echo "
"; + echo "
"; + echo "
"; + echo ""; + echo " "; + echo " "; + echo " "; + echo " "; + echo " "; + echo " "; + echo "
".$text['label-path']."
".$folder."
"; - require_once "footer.php"; -} -?> \ No newline at end of file + echo "
"; + + echo ""; + echo " "; + echo " "; + echo " "; + + echo " "; + echo " "; + echo " "; + + echo " "; + echo " "; + echo " "; + echo "
".$text['label-folder-name']."
"; + echo " "; + echo " "; + echo " "; + echo "
"; + echo "
"; + echo "
"; + + require_once "footer.php"; + } + +?>
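Review bot: The token check now gates the create branch, but `mkdir($folder.'/'.$foldername)` still builds its path directly from `$_REQUEST["folder"]` and `$_REQUEST["foldername"]` with no check that the result stays inside the directory the editor is allowed to manage; before the `mkdir` call, resolve `$folder` with `realpath()`, require it to sit under that permitted root, and reject a `$foldername` containing `/`, `\` or `..`. The token comparison itself is brittle: when no form was rendered in this session `$_SESSION['keys'][$key_name]` is unset, so the HMAC is computed with a null key, and a missing `$_POST['token']` makes `hash_equals()` throw a TypeError on PHP 8 rather than return false. Guard both before hashing, e.g. `if (empty($_SESSION['keys'][$key_name]) || !is_string($_POST['token'] ?? null)) { echo "access denied"; exit; }`, and only then compute `$hash` and call `hash_equals()`. The form branch also echoes `$folder` back into the page unescaped; the extraction dropped the surrounding markup so the exact output context is unclear, but a request-supplied value should pass through `htmlspecialchars()` before it is printed. Finally, the `mkdir()` result is not checked and `header("Location: fileoptions.php")` is not followed by `exit`, so a failed create still redirects and the rest of the script continues to run.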