diff --git a/app/edit/filerename.php b/app/edit/filerename.php index b526f8b9c1..33058ff60f 100644 --- a/app/edit/filerename.php +++ b/app/edit/filerename.php @@ -17,91 +17,110 @@ The Initial Developer of the Original Code is Mark J Crane - Portions created by the Initial Developer are Copyright (C) 2008-2012 + Portions created by the Initial Developer are Copyright (C) 2008-2019 the Initial Developer. All Rights Reserved. Contributor(s): Mark J Crane James Rose */ -include "root.php"; -require_once "resources/require.php"; -require_once "resources/check_auth.php"; -if (permission_exists('script_editor_save')) { - //access granted -} -else { - echo "access denied"; - exit; -} + +//includes + include "root.php"; + require_once "resources/require.php"; + require_once "resources/check_auth.php"; + +//check permissions + if (permission_exists('script_editor_save')) { + //access granted + } + else { + echo "access denied"; + exit; + } //add multi-lingual support $language = new text; $text = $language->get(); -$folder = $_GET["folder"]; -//$folder = str_replace ("\\", "/", $folder); -//if (substr($folder, -1) != "/") { $folder = $folder.'/'; } -$newfilename = $_GET["newfilename"]; -$filename = $_GET["filename"]; -//echo $folder.$file; +//set the variables + $folder = $_REQUEST["folder"]; + //$folder = str_replace ("\\", "/", $folder); + //if (substr($folder, -1) != "/") { $folder = $folder.'/'; } + $newfilename = $_REQUEST["newfilename"]; + $filename = $_REQUEST["filename"]; +//rename the file or show the html form + if (strlen($folder) > 0 && strlen($newfilename) > 0) { + //compare the tokens + $key_name = '/app/edit/file_new'; + $hash = hash_hmac('sha256', $key_name, $_SESSION['keys'][$key_name]); + if (!hash_equals($hash, $_POST['token'])) { + echo "access denied"; + exit; + } -if (strlen($folder) > 0 && strlen($newfilename) > 0) { - //echo "new file: ".$newfilename."
"; - //echo "folder: ".$folder."
"; - //echo "orig filename: ".$filename."
";; - rename($folder.$filename, $folder.$newfilename); - header("Location: fileoptions.php"); -} -else { //display form + //rename the file + //echo "new file: ".$newfilename."
"; + //echo "folder: ".$folder."
"; + //echo "orig filename: ".$filename."
";; + rename($folder.$filename, $folder.$newfilename); + header("Location: fileoptions.php"); + } + else { + //create the token + $key_name = '/app/edit/file_new'; + $_SESSION['keys'][$key_name] = bin2hex(random_bytes(32)); + $_SESSION['token'] = hash_hmac('sha256', $key_name, $_SESSION['keys'][$key_name]); - require_once "header.php"; - echo "
"; - echo "
"; - echo "
"; - echo ""; - echo " "; - echo " "; - echo " "; - echo " "; - echo " "; - echo " "; - echo " "; - echo " "; - echo " "; - echo " "; - echo " "; - echo " "; - echo " "; - echo " "; - echo " "; - echo "
".$text['label-path']."
".$folder.$filename."

".$text['label-file-name-orig']."
".$filename."
"; + //display the form + require_once "header.php"; + echo "
"; + echo "
"; + echo ""; + echo ""; + echo " "; + echo " "; + echo " "; + echo " "; + echo " "; + echo " "; + echo " "; + echo " "; + echo " "; + echo " "; + echo " "; + echo " "; + echo " "; + echo " "; + echo " "; + echo "
".$text['label-path']."
".$folder.$filename."

".$text['label-file-name-orig']."
".$filename."
"; - echo "
"; + echo "
"; - echo ""; - echo " "; - echo " "; - echo " "; + echo "
".$text['label-rename-file-to']."
"; + echo " "; + echo " "; + echo " "; - echo " "; - echo " "; - echo " "; + echo " "; + echo " "; + echo " "; - echo " "; - echo " "; - echo " "; - echo "
".$text['label-rename-file-to']."
"; - echo " "; - echo " "; - echo " "; - echo "
"; - echo ""; - echo "
"; + echo " "; + echo " "; + echo " "; + echo " "; + echo " "; + echo " "; + echo " "; + echo " "; + echo ""; + echo ""; + echo "
"; - require_once "footer.php"; + require_once "footer.php"; + + } -} - -?> \ No newline at end of file +?>
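Review bot: The token comparison at `if (!hash_equals($hash, $_POST['token']))` runs without first checking that `$_SESSION['keys'][$key_name]` and `$_POST['token']` exist, so a request that skips the form reaches `hash_hmac` with a missing key and `hash_equals` with a missing argument and is denied only because PHP coerces the absent values (with a warning or deprecation notice, depending on version) rather than by an explicit check; guard it with `if (!isset($_SESSION['keys'][$key_name], $_POST['token']) || !hash_equals($hash, $_POST['token'])) {`. The key name `'/app/edit/file_new'` also looks copied from another page — if that page mints tokens under the same session key, a token issued for it would be accepted here as well, so a page-specific name such as `'/app/edit/filerename'` keeps the binding per form. The token only defends against cross-site submission: `$folder` and `$filename` still come straight from `$_REQUEST` into `rename($folder.$filename, $folder.$newfilename)` with no check that the resolved path stays inside the intended script directory, and the return value of `rename()` is not examined before the redirect, so a failed rename is reported as success.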