diff --git a/.gitignore b/.gitignore index f00fed8e8..c932383a7 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,4 @@ +.idea/* data/* !data/.gitkeep plugins/* diff --git a/README.md b/README.md index 2abc35efb..d6ed4183f 100644 --- a/README.md +++ b/README.md @@ -1,10 +1,14 @@ +# ICEcoder is for sale! Please contact info@icecoder.net. Serious offers only. + +--- + # ICEcoder ## Code editor awesomeness ...in your browser ICEcoder is a browser based code editor, which provides a modern approach to building websites. By allowing you to code directly within the web browser, online or offline, it means you only need one program (your browser) to develop sites, plus can test on actual web servers. After development, you can also maintain the website easily, all of which make for speedy and smart development. -ICEcoder code editor +ICEcoder code editor ### Requirements diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 000000000..f2562d0da --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,5 @@ +# Security Policy + +## Reporting a Vulnerability + +Please report security issues to `info@icecoder.net` \ No newline at end of file diff --git a/assets/css/icecoder.css b/assets/css/icecoder.css index 02b207aff..56983d306 100644 --- a/assets/css/icecoder.css +++ b/assets/css/icecoder.css 
@@ -13,6 +13,7 @@ h2 {font-size: 18px; font-weight: normal; color: #fff} .blackMask {position: fixed; display: table; width: 100%; height: 100%; top: 0; left: 0; visibility: hidden; background-color: rgba(0,0,0,0.8); text-align: center; z-index: 100} .blackMask .popupVCenter {#position: absolute; display: table-cell; #top: 50%; vertical-align: middle; text-align: center} .popupVCenter .popup {#position: relative; #top: -50%; text-align: center; color: #fff; font-size: 10px} +.popupVCenter .popup .imgDisplay {border: solid 10px #fff; max-width: 700px; max-height: 500px; background-color: #000; background-image: url('http://github.com/images/checkerboard.png')} .floatingContainer {position: absolute; top: 0; left: 0; width: 55px; height: 55px; visibility: hidden; border: solid 1px #444; image-rendering: pixelated} .floatingContainer:before {position: absolute; display: inline-block; width: 3px; height: 3px; left: 25px; top: 25px; content: ''; border: solid 1px #b00} @@ -74,7 +75,7 @@ h2 {font-size: 18px; font-weight: normal; color: #fff} .files .tools .error {background: #800} .files .tools .info {background: #080} -.editor {position: absolute; display: inline-block; top: 0; left: 15px; width: 2400px} +.editor {position: fixed; display: inline-block; top: 0; left: 15px; width: 2400px} .editor .tabsBar {display: inline-block; height: 27px; width: 2400px; margin-top: 15px; padding-left: 53px; background: #fff} .tabsBar .tab {position: absolute; display: none; height: 15px; padding: 6px 8px 6px 9px; border-right: 1px solid #ddd; color: #fff; white-space: nowrap; overflow: hidden; cursor: pointer; z-index: 1; transition: width, left 0.15s ease-in-out; diff --git a/assets/js/icecoder.js b/assets/js/icecoder.js index 4c224b640..da7c4b4e2 100644 --- a/assets/js/icecoder.js +++ b/assets/js/icecoder.js 
@@ -10,8 +10,9 @@ var ICEcoder = { // INIT // ==== - // URL we're viewing ICEcoder from + // URLs we're viewing ICEcoder and its assets from iceLoc: window.location.origin + window.location.pathname.replace(/\/$/, ""), + assetsLoc: get('icecoderJSFile').dataset.assetsRoot, // Define settings filesW: 250, // Width of files pane @@ -2899,10 +2900,14 @@ var ICEcoder = { }, findOnInput: function() { + let thisCM, selectNext; // Realtime finding - only action for finding in current doc if ("" !== get('find').value && t['this document'] === document.findAndReplace.target.value) { - // Considers selecting next on value input, according to user setting - ICEcoder.findReplace(get('find').value, true === ICEcoder.selectNextOnFindInput, false, false); + // Get CM pane + thisCM = this.getThisCM(); + // Consider selecting next on value input, according to not having result selected already and user setting + selectNext = thisCM.getSelection() !== get('find').value && true === ICEcoder.selectNextOnFindInput; + ICEcoder.findReplace(get('find').value, selectNext, false, false); get("find").focus(); // Reset results display } else { @@ -4425,7 +4430,7 @@ var ICEcoder = { this.openFiles.push(shortURL); // Setup a new tab - closeTabLink = ''; + closeTabLink = ''; get('tab' + (this.openFiles.length)).style.display = "inline-block"; fileName = this.openFiles[this.openFiles.length - 1]; fileExt = fileName.substr(fileName.lastIndexOf(".") + 1); @@ -4473,7 +4478,7 @@ var ICEcoder = { this.openFiles[tabNum - 1] = newName; // Setup a new tab - closeTabLink = ''; + closeTabLink = ''; fileName = this.openFiles[tabNum - 1]; fileExt = fileName.substr(fileName.lastIndexOf(".") + 1); get('tab' + tabNum).innerHTML = closeTabLink + "" + fileName.slice(fileName.lastIndexOf("/")).replace(/\//, ""); @@ -5297,7 +5302,7 @@ var ICEcoder = { "height": 55, "top": -55, "left": 0, - "title": "
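Review bot: The new `assetsLoc: get('icecoderJSFile').dataset.assetsRoot` is evaluated while the `ICEcoder` object literal is being built, so it presumably throws at script load (not at first use) if no element with id `icecoderJSFile` precedes this script or it lacks a `data-assets-root` attribute — the `<script>` tag in editor.php that must carry both is not readable in this diff. A one-line comment above it stating the dependency would help the next maintainer: `// Read from the <script id="icecoderJSFile" data-assets-root="..."> tag; must be present before this file runs`.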
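Review bot: `findOnInput` now mixes receivers — `thisCM = this.getThisCM()` on one line and `ICEcoder.findReplace(...)` / `ICEcoder.selectNextOnFindInput` on the next — so it only works when invoked as `ICEcoder.findOnInput()`; attached as a bare handler, `this.getThisCM` would be undefined while the `ICEcoder.` references still resolve. Use one form, e.g. `const thisCM = ICEcoder.getThisCM();`. The hoisted `let thisCM, selectNext;` is only needed inside the `if` branch; declaring them there as `const` (`const selectNext = thisCM.getSelection() !== get('find').value && true === ICEcoder.selectNextOnFindInput;`) keeps the scope minimal and reads as intended.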

Code editor awesomeness ...in your browser", + "title": "

Code editor awesomeness ...in your browser", "message": "View the quick start tutorial? (Well worthwhile!) or skip it.", "button": "view tutorial" }, diff --git a/classes/File.php b/classes/File.php index e9522a058..c7177e424 100644 --- a/classes/File.php +++ b/classes/File.php @@ -111,7 +111,7 @@ public function updateFileManager($action, $fileLoc, $fileName, $perms, $oldFile public function load() { global $file, $fileLoc, $fileName, $t, $lineNumber; echo 'action="http://github.com/load";'; - $lineNumber = max(isset($_REQUEST['lineNumber']) ? intval($_REQUEST['lineNumber']) : 1, 1); + $lineNumber = max(isset($_GET['lineNumber']) ? intval($_GET['lineNumber']) : 1, 1); // Check this file isn't on the banned list at all $canOpen = true; for ($i = 0; $i < count($_SESSION['bannedFiles']); $i++) { @@ -234,7 +234,7 @@ public function returnLoadImageScript() { parent.parent.document.getElementById(\'blackMask\').style.visibility = "visible"; parent.parent.document.getElementById(\'mediaContainer\').innerHTML = "" + - " 700 || this.naturalHeight > 500) ? \', ' .$t['displayed at'] . '\' + this.width + \' x \' + this.height : \'\'; document.getElementById(\'imgInfo\').innerHTML += \' (\' + this.naturalWidth + \' x \' + this.naturalHeight + reducedImgMsg + \')\'; ICEcoder.initCanvasImage(this); ICEcoder.interactCanvasImage(this)\">
" + + " 700 || this.naturalHeight > 500) ? \', ' .$t['displayed at'] . '\' + this.width + \' x \' + this.height : \'\'; document.getElementById(\'imgInfo\').innerHTML += \' (\' + this.naturalWidth + \' x \' + this.naturalHeight + reducedImgMsg + \')\'; ICEcoder.initCanvasImage(this); ICEcoder.interactCanvasImage(this)\">
" + "
" + "' . $fileLoc . "/" . $fileName . '" + "

" + diff --git a/classes/Settings.php b/classes/Settings.php index e7172b037..4c82d2614 100644 --- a/classes/Settings.php +++ b/classes/Settings.php @@ -7,8 +7,10 @@ class Settings public function __construct() { // Set version number and document root as core settings - $this->versionNo = "8.1"; - $this->docRoot = $_SERVER['DOCUMENT_ROOT']; + // Defaults to the right + $this->versionNo = "8.1"; // "8.1"; + $this->docRoot = $_SERVER['DOCUMENT_ROOT']; // $_SERVER['DOCUMENT_ROOT'] + $this->assetsRoot = "assets"; // "assets" (relative or absolute) } public function getCoreDetails() @@ -16,6 +18,7 @@ public function getCoreDetails() return [ "versionNo" => $this->versionNo, "docRoot" => $this->docRoot, + "assetsRoot" => $this->assetsRoot, ]; } diff --git a/editor.php b/editor.php index 417ba43fa..e9160a0a8 100644 --- a/editor.php +++ b/editor.php @@ -10,16 +10,16 @@ ICEcoder <?php echo $ICEcoder["versionNo"];?> editor - - - + + + - + "> - - - + + + - - - + + + @@ -150,7 +150,7 @@ ?>


-

+

diff --git a/files.php b/files.php index 95a9ad88a..4ae7e4408 100644 --- a/files.php +++ b/files.php @@ -9,10 +9,10 @@ ICEcoder <?php echo $ICEcoder["versionNo"];?> file manager - - - - + + + + - - + + diff --git a/lib/bug-report.php b/lib/bug-report.php index 03aeb9276..ac7242725 100644 --- a/lib/bug-report.php +++ b/lib/bug-report.php @@ -2,6 +2,10 @@ include "headers.php"; include "settings.php" ; $t = $text['bug-report']; + +$assetsPath = "assets" === $settingsClass->assetsRoot + ? "../" . $settingsClass->assetsRoot + : $settingsClass->assetsRoot; ?> @@ -10,8 +14,8 @@ ICEcoder <?php echo $ICEcoder["versionNo"];?> bug report - - + + diff --git a/lib/headers.php b/lib/headers.php index c3ee924e7..0311bd2be 100644 --- a/lib/headers.php +++ b/lib/headers.php @@ -18,15 +18,17 @@ $_SESSION["csrf"] = md5(uniqid(mt_rand(), true)); } -if (($_GET || $_POST) && (!isset($_REQUEST["csrf"]) || $_REQUEST["csrf"] !== $_SESSION["csrf"])) { - $req = isset($_REQUEST["csrf"]) ? xssClean($_REQUEST["csrf"], "html") : ""; - die($t['Bad CSRF token...'] . "
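Review bot: The `$assetsPath` computation added to lib/bug-report.php prefixes `../` only when `assetsRoot` is exactly the literal `"assets"`, yet Settings.php documents the value as "relative or absolute"; any other relative root (say `static`) would be emitted unprefixed from the lib/ pages and the CSS/JS links would break. Test for an absolute root instead, e.g. `$assetsPath = preg_match('#^(/|https?://)#', $settingsClass->assetsRoot) ? $settingsClass->assetsRoot : "../" . $settingsClass->assetsRoot;`. The same block is copied verbatim into lib/help.php, lib/icecoder.php, lib/multiple-results.php, lib/plugins-manager.php, lib/properties.php and lib/settings-screen.php (several of those also drop the `;` before `?>`, relying on the closing tag to supply it); a single `getAssetsPath()` method on the Settings class would remove the duplication and keep the rule in one place.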

- CSRF issue:
- REQUEST: " . $req . "
- SESSION: " . xssClean($_SESSION["csrf"], "html") . "
- FILE: " . xssClean($_SERVER["SCRIPT_NAME"], "html") . "
- GET: " . xssClean(var_export($_GET, true), "html") . "
- POST: " . xssClean(var_export($_POST, true), "html")); +if (($_POST || $_GET) && !$_POST["csrf"] && !$_GET["csrf"]) { + $req = xssClean($_POST["csrf"] ?? $_GET['csrf'] ?? "", "html"); + if ($req !== $_SESSION["csrf"]) { + die($t['Bad CSRF token...'] . "

+ CSRF issue:
+ REQUEST: " . $req . "
+ SESSION: " . xssClean($_SESSION["csrf"], "html") . "
+ FILE: " . xssClean($_SERVER["SCRIPT_NAME"], "html") . "
+ GET: " . xssClean(var_export($_GET, true), "html") . "
+ POST: " . xssClean(var_export($_POST, true), "html")); + } } if (!headers_sent()) { diff --git a/lib/help.php b/lib/help.php index 9d7e0d75a..9db374d38 100644 --- a/lib/help.php +++ b/lib/help.php @@ -2,6 +2,10 @@ include "headers.php"; include "settings.php"; $t = $text['help']; + +$assetsPath = "assets" === $settingsClass->assetsRoot + ? "../" . $settingsClass->assetsRoot + : $settingsClass->assetsRoot; ?> @@ -10,8 +14,8 @@ ICEcoder <?php echo $ICEcoder["versionNo"];?> help - - + + diff --git a/lib/icecoder.php b/lib/icecoder.php index b95823a49..c43fe1f4e 100644 --- a/lib/icecoder.php +++ b/lib/icecoder.php @@ -1,12 +1,12 @@ assetsRoot + ? "../" . $settingsClass->assetsRoot + : $settingsClass->assetsRoot ?> @@ -37,9 +41,9 @@ - - - + + + setTimeout(function(){document.getElementById('screenContainer').style.opacity = '1'}, 50)"> @@ -47,7 +51,7 @@
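Review bot: The rewritten guard in lib/headers.php inverts the CSRF check: the outer condition `($_POST || $_GET) && !$_POST["csrf"] && !$_GET["csrf"]` only enters the block when no token was sent at all, so any request carrying a non-empty `csrf` value — whatever its content — skips the comparison entirely, while token-less requests always die. The previous form (`!isset($_REQUEST["csrf"]) || $_REQUEST["csrf"] !== $_SESSION["csrf"]`) had the intended semantics. Drop the token tests from the outer condition and compare in constant time: `if ($_POST || $_GET) {`, `$req = $_POST["csrf"] ?? $_GET["csrf"] ?? "";`, `if (!is_string($req) || !hash_equals($_SESSION["csrf"], $req)) {`, applying `xssClean($req, "html")` only where the value is echoed inside the `die()` message as the old code did. Reading `$_POST["csrf"]` with `!` on a missing key also raises an undefined-index notice, which the `??` form avoids.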
- ICEcoder + ICEcoder
onsubmit="return checkCanSubmit();"> @@ -61,7 +65,7 @@ if (true === $ICEcoder["multiUser"]) { // Also set value to "admin" if only 1 user (has to be admin) $showAdminValue = 1 === count($configUsernames) ? ' value="admin"' : ''; - echo '

'; + echo '

'; }; ?> ' . $t['disable further registrations'] . '
'; } if ("" === $ICEcoder["password"] || true === $ICEcoder["multiUser"]) { - echo '
' . $t['auto-check for updates'] . '
'; + $tickCheckUpdates = true === $ICEcoder['checkUpdates'] ? " checked" : ""; + echo '
' . $t['auto-check for updates'] . '
'; } if (false === $ICEcoder["multiUser"]) { echo '';}; ?> @@ -123,6 +128,21 @@ return document.getElementById(elem); }; +// Check keydown in username field meets simple rules (alphanums, underscore and hyphen only) +const checkUsernameKey = function(key) { + return /[\w_\-]/g.test(key); +} + +// Check username value meets simple rules (alphanums, underscore and hyphen only) +const checkUsername = function(username, amend) { + // Amend username if OK to do this + if (true === amend) { + get("username").value = username.replace(/[^\w_\-]/g, ""); + } + // Return a bool based on meeting the requirements + return username.replace(/[^\w_\-]/g, "").length === username.length; +}; + // Check password strength and color requirements not met const pwStrength = function(pw) { // Set variables @@ -160,7 +180,16 @@ // Check if we can submit, else shake requirements const checkCanSubmit = function() { - // Password isn't strong enough, shake requirements + // Username isn't simple, can't submit + if(false === checkUsername(get("username").value, false)) { + return false; + } + // Password isn't strong enough, shake requirements if(false === pwStrength(get("password").value)) { var posArray = [24, -24, 12, -12, 6, -6, 3, -3, 0]; var pos = -1; diff --git a/lib/multiple-results.php b/lib/multiple-results.php index c8712332f..04af6d803 100644 --- a/lib/multiple-results.php +++ b/lib/multiple-results.php @@ -8,6 +8,10 @@ $selectedFiles = true === isset($_GET['selectedFiles']) ? explode(":", $_GET['selectedFiles']) : []; + +$assetsPath = "assets" === $settingsClass->assetsRoot + ? "../" . $settingsClass->assetsRoot + : $settingsClass->assetsRoot ?> @@ -16,8 +20,8 @@ ICEcoder <?php echo $ICEcoder["versionNo"];?> multiple results screen - - + + diff --git a/lib/plugins-manager.php b/lib/plugins-manager.php index 0d18d03be..29b80c678 100644 --- a/lib/plugins-manager.php +++ b/lib/plugins-manager.php 
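Review bot: `checkUsernameKey` builds its regex with the `g` flag, which is pointless for a single `.test` and becomes stateful via `lastIndex` if the literal is ever hoisted to a shared constant; `_` is also already matched by `\w`, so `/[\w-]/.test(key)` says the same thing (likewise `/[^\w-]/g` in `checkUsername`). In `checkCanSubmit` the new username guard returns `false` silently, whereas the password path right after it shakes the requirements box; either call `checkUsername(get("username").value, true)` so the field is corrected, or give the same visual cue. These checks are client-side convenience only — the filter in lib/settings.php is what actually constrains the stored value, so a short comment saying so above `checkUsername` would stop someone treating it as the control. The `checkCanSubmit` body continues beyond the hunk.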
@@ -63,7 +63,7 @@ $ICEcoder["plugins"][] = [ $pluginsData[$_GET['plugin']]['name'], - $pluginsData[$_GET['plugin']]['icon'], + str_replace("images/", "plugins/", $pluginsData[$_GET['plugin']]['icon']), $pluginsData[$_GET['plugin']]['style'], $pluginsData[$_GET['plugin']]['URL'], $pluginsData[$_GET['plugin']]['target'], @@ -149,6 +149,10 @@ function deletePlugin($dir) { closedir($theDir); rmdir($dir); } + +$assetsPath = "assets" === $settingsClass->assetsRoot + ? "../" . $settingsClass->assetsRoot + : $settingsClass->assetsRoot ?> @@ -157,8 +161,8 @@ function deletePlugin($dir) { ICEcoder <?php echo $ICEcoder["versionNo"];?> plugins manager - - + + @@ -242,7 +246,7 @@ function deletePlugin($dir) { } $reloadExtra = "true" === $pluginsData[$i]['reload'] ? '
' . $t['Reload after install...'] . '' : ''; - echo ''.$pluginsData[$i]['name'] . ''; + echo ''.$pluginsData[$i]['name'] . ''; echo '' . $pluginsData[$i]['name'] . $reloadExtra . ''; $styleExtra = (1 === $i % 2 || $i === count($pluginsData) - 1) ? "0" : "30px"; echo '' . $installUninstallButton . ''; diff --git a/lib/properties.php b/lib/properties.php index a4e9b20e3..95cd70be8 100644 --- a/lib/properties.php +++ b/lib/properties.php @@ -9,6 +9,10 @@ if (!file_exists($fileName) || 0 !== strpos(str_replace("\\", "/", $fileName),$docRoot)) { die(""); } + +$assetsPath = "assets" === $settingsClass->assetsRoot + ? "../" . $settingsClass->assetsRoot + : $settingsClass->assetsRoot ?> @@ -17,8 +21,8 @@ ICEcoder <?php echo $ICEcoder["versionNo"];?> file/folder properties - - + + diff --git a/lib/requirements.php b/lib/requirements.php index 4b1f69c2c..836b42272 100644 --- a/lib/requirements.php +++ b/lib/requirements.php @@ -32,9 +32,9 @@ - - - + + + @@ -42,7 +42,7 @@
- ICEcoder + ICEcoder
versionNo;?>
diff --git a/lib/settings-common.php b/lib/settings-common.php index e3ede92cc..2985a0ac0 100644 --- a/lib/settings-common.php +++ b/lib/settings-common.php @@ -25,18 +25,15 @@ ini_set('session.httponly', true); // Only allow http protocol (ie, not JS) access to the cookie ini_set('session.cookie_httponly', true); // Only allow cookie via http protocol (ie, not JS) access to the cookie // ini_set('session.save_path', dirname(__FILE__) . '/../tmp'); // Localise the session files to /tmp - if(false === isset($_COOKIE['ICEcoder'])) { - $_COOKIE['ICEcoder'] = session_create_id(); - } - session_id($_COOKIE['ICEcoder']); if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') { ini_set('session.cookie_secure', '1'); // Only allows access to session ID when protocol is HTTPS, switched on under 'if https' condition } - session_start(); // Finally, start the session! + if (false === isset($_SESSION)) { + session_start(); + } if (false === isset($_SESSION['csrf'])){ - session_regenerate_id(true); // Create a new ID to help prevent fixation & hijacking - $_COOKIE['ICEcoder'] = session_id(); + session_regenerate_id(true); // Create a new ID to help prevent fixation & hijacking } } diff --git a/lib/settings-screen.php b/lib/settings-screen.php index c4a8a73bd..3f187e8a1 100644 --- a/lib/settings-screen.php +++ b/lib/settings-screen.php @@ -2,6 +2,10 @@ include "headers.php"; include "settings.php"; $t = $text['settings-screen']; + +$assetsPath = "assets" === $settingsClass->assetsRoot + ? "../" . $settingsClass->assetsRoot + : $settingsClass->assetsRoot ?> @@ -10,9 +14,9 @@ ICEcoder <?php echo $ICEcoder["versionNo"];?> settings screen - - - + + + - + ' . PHP_EOL; + echo '' . PHP_EOL; } -// Do we have a tab to switch to? -$tabSwitchExtra = ""; -if (true === isset($_GET['tab'])) { - $tabSwitchExtra = "switchTab('" . $_GET['tab'] . "');"; -} ?> - + - +
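Review bot: Removing the `session_id($_COOKIE['ICEcoder'])` path is the right call (it let the client choose the session id), but the replacement guard `if (false === isset($_SESSION)) { session_start(); }` uses the superglobal's presence as a proxy for session state; the explicit API is `if (PHP_SESSION_ACTIVE !== session_status()) { session_start(); }`. Nothing visible in this hunk enables `session.use_strict_mode`, so an uninitialised id presented by the client is still accepted until the `session_regenerate_id(true)` below runs; `ini_set('session.use_strict_mode', '1');` beside the other `ini_set` calls would make PHP reject such ids outright instead of relying on the regeneration. The comment on the regenerate line could then say which case it still covers (a session that exists but has no `csrf` yet).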
- +

@@ -205,13 +204,17 @@ // Display number of days backups available $backupDirBase = str_replace("\\", "/", dirname(__FILE__)) . "/../data/backups/"; $backupDirHost = "localhost"; - $backupDirsList = scandir($backupDirBase . $backupDirHost); - // Remove . and .. from array - for ($i = 0; $i < count($backupDirsList); $i++) { - if ($backupDirsList[$i] === "." || $backupDirsList[$i] === "..") { - array_splice($backupDirsList, $i, 1); - $i--; + if (true === is_dir($backupDirBase . $backupDirHost)) { + $backupDirsList = scandir($backupDirBase . $backupDirHost); + // Remove . and .. from array + for ($i = 0; $i < count($backupDirsList); $i++) { + if ($backupDirsList[$i] === "." || $backupDirsList[$i] === "..") { + array_splice($backupDirsList, $i, 1); + $i--; + } } + } else { + $backupDirsList = []; } // Display text re the number of days backups have taken place $backupNumDays = "" != $backupDirsList[0] && count($backupDirsList) > 0 ? count($backupDirsList) : 0; @@ -594,6 +597,12 @@ function switchTab(tab) { function submitSettings() { ; } +
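Review bot: The new `else { $backupDirsList = []; }` branch feeds an empty array into the unchanged line that follows, `$backupNumDays = "" != $backupDirsList[0] && count($backupDirsList) > 0 ? count($backupDirsList) : 0;`, which reads `$backupDirsList[0]` before the count test and so raises an undefined-offset warning in exactly the case this hunk introduces. Swap the operands: `$backupNumDays = count($backupDirsList) > 0 && "" != $backupDirsList[0] ? count($backupDirsList) : 0;`. The `array_splice` loop with the manual `$i--` could also be written as `$backupDirsList = array_values(array_diff(scandir($backupDirBase . $backupDirHost), [".", ".."]));`, which removes the index bookkeeping entirely.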
update
diff --git a/lib/settings-update.php b/lib/settings-update.php index 969782818..0ec5b2ea1 100644 --- a/lib/settings-update.php +++ b/lib/settings-update.php @@ -95,7 +95,8 @@ // Work out the theme to use now $themeURL = - "assets/css/theme/" . + $settingsClass->assetsRoot . + "/css/theme/" . ("default" === $ICEcoder["theme"] ? 'icecoder.css' : $ICEcoder["theme"] . '.css') . "?microtime=" . microtime(true); diff --git a/lib/settings.php b/lib/settings.php index 25bbbba92..5aea2e139 100644 --- a/lib/settings.php +++ b/lib/settings.php @@ -19,7 +19,7 @@ include dirname(__FILE__) . "/requirements.php"; } -if (false === $settingsClass->getDataDirDetails()['writable']) { +if (false === $ICEcoder["demoMode"] && false === $settingsClass->getDataDirDetails()['writable']) { $reqsFailures = ["phpDataDirNotWritable"]; include dirname(__FILE__) . "/requirements.php"; } @@ -46,7 +46,7 @@ } // Check we can write global config settings file -if (false === $settingsClass->getConfigGlobalFileDetails()['writable']) { +if (false === $ICEcoder["demoMode"] && false === $settingsClass->getConfigGlobalFileDetails()['writable']) { $reqsFailures = ["phpGlobalConfigWriteFile"]; include dirname(__FILE__) . "/requirements.php"; } @@ -57,9 +57,13 @@ // Load common functions include_once dirname(__FILE__) . "/settings-common.php"; +$postUsername = true === isset($_POST['username']) && is_string($_POST['username']) + ? preg_replace("/[^\w_\-]/", "", $_POST['username']) + : ""; + // Establish user settings file $username = "admin-"; -if (true === isset($_POST['username']) && "" !== $_POST['username']) {$username = $_POST['username'] . "-";}; +if ("" !== $postUsername) {$username = $postUsername . "-";}; if (true === isset($_SESSION['username']) && "" !== $_SESSION['username']) {$username = $_SESSION['username'] . "-";}; $settingsFile = 'config-' . $username . str_replace(".", "_", str_replace("www.", "", $_SERVER['SERVER_NAME'])) . '.php'; 
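Review bot: `$postUsername` is derived by stripping disallowed characters (`preg_replace("/[^\w_\-]/", "", $_POST['username'])`) rather than rejecting the input, so distinct submissions such as `ad.min` and `admin` collapse onto the same `$settingsFile` and the same `$_SESSION['username']`, and the user is never told the name was altered; the client-side `checkUsername` in lib/icecoder.php is called with `amend` false and rejects, so the two sides disagree. Validate instead: `$postUsername = isset($_POST['username']) && is_string($_POST['username']) && preg_match('/^[\w\-]+$/', $_POST['username']) ? $_POST['username'] : "";`. The `_` inside the character class is redundant since `\w` already matches it. The two later hunks that assign `$_SESSION['username'] = $postUsername` inherit whichever behaviour is chosen here, so the decision only needs making once.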
@@ -101,7 +105,7 @@ } // Check we can write users config settings file -if (false === $settingsClass->getConfigUsersFileDetails($settingsFile)['writable']) { +if (false === $ICEcoder["demoMode"] && false === $settingsClass->getConfigUsersFileDetails($settingsFile)['writable']) { $reqsFailures = ["phpUsersConfigWriteFile"]; include dirname(__FILE__) . "/requirements.php"; } @@ -164,7 +168,7 @@ if (verifyHash($_POST['password'], $ICEcoder["password"]) === $ICEcoder["password"]) { session_regenerate_id(); if ($ICEcoder["multiUser"]) { - $_SESSION['username'] = $_POST['username']; + $_SESSION['username'] = $postUsername; } $_SESSION['loggedIn'] = true; $extraProcessesClass = new ExtraProcesses(); @@ -182,9 +186,6 @@ $serverType = $systemClass->getOS(); $docRoot = rtrim(str_replace("\\", "/", $ICEcoder['docRoot'])); $iceRoot = rtrim(str_replace("\\", "/", $ICEcoder["root"])); -if ($_SESSION['loggedIn'] && "index.php" === basename($_SERVER['SCRIPT_NAME'])) { - echo ""; -} // Establish the dir ICEcoders running from $ICEcoderDirFullPath = rtrim(str_replace("\\", "/", dirname($_SERVER['SCRIPT_FILENAME'])), "/lib"); 
@@ -228,14 +229,14 @@ // If the password hasn't been set and we're setting it if ("" === $ICEcoder["password"] && true === isset($_POST['submit']) && -1 < strpos($_POST['submit'], "set password")) { $password = generateHash($_POST['password']); - $settingsClass->updateConfigUsersSettings($settingsFile, ["password" => $password, "checkUpdates" => $_POST["checkUpdates"]]); + $settingsClass->updateConfigUsersSettings($settingsFile, ["password" => $password, "checkUpdates" => isset($_POST["checkUpdates"])]); $settingsClass->createIPSettingsFileIfNotExist(); if (true === isset($_POST['disableFurtherRegistration'])) { $settingsClass->updateConfigGlobalSettings(['enableRegistration' => false]); } // Set the session user level if ($ICEcoder["multiUser"]) { - $_SESSION['username'] = $_POST['username']; + $_SESSION['username'] = $postUsername; } $_SESSION['loggedIn'] = true; $extraProcessesClass = new ExtraProcesses(); diff --git a/lib/terminal-xhr.php b/lib/terminal-xhr.php index 38a408385..6cedd938c 100644 --- a/lib/terminal-xhr.php +++ b/lib/terminal-xhr.php @@ -45,7 +45,7 @@ function returnHTMLPromptCommand($cmd) { // If proc_open isn't enabled, display prompt, command and a message re needing this enabled if (false === proc_open_enabled()) { echo json_encode([ - "output" => returnHTMLPromptCommand($_REQUEST['command'] . "

Sorry but you can't use this terminal if your proc_open is disabled"), + "output" => returnHTMLPromptCommand($_POST['command'] . "

Sorry but you can't use this terminal if your proc_open is disabled"), "user" => $user, "cwd" => $cwd ]); @@ -55,7 +55,7 @@ function returnHTMLPromptCommand($cmd) { // If in demo mode, display message and go no further if (true === $demoMode) { echo json_encode([ - "output" => returnHTMLPromptCommand($_REQUEST['command'] . "
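Review bot: The proc_open-disabled branch (and the demo-mode branch in the next hunk) now reads `$_POST['command']` unconditionally, but the `isset($_POST['command'])` guard only appears in the hunk at line 63, so a request without a command reaches these earlier branches and raises an undefined-index notice inside the JSON it echoes. Use `$_POST['command'] ?? ""` in both early branches, or move the no-command check ahead of them. Narrowing from `$_REQUEST` to `$_POST` is a good change; it is worth a one-line comment noting that the CSRF check in lib/headers.php remains the actual gate in front of `proc_open`, since this file has no check of its own.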

Sorry, shell usage not enabled in demo mode"), + "output" => returnHTMLPromptCommand($_POST['command'] . "

Sorry, shell usage not enabled in demo mode"), "user" => $user, "cwd" => $cwd ]); @@ -63,9 +63,9 @@ function returnHTMLPromptCommand($cmd) { } // If no command, display message and go no further -if (false === isset($_REQUEST['command'])) { +if (false === isset($_POST['command'])) { echo json_encode([ - "output" => returnHTMLPromptCommand($_REQUEST['command'] . "

Sorry, no command received"), + "output" => returnHTMLPromptCommand($_POST['command'] . "

Sorry, no command received"), "user" => $user, "cwd" => $cwd ]); @@ -73,16 +73,16 @@ function returnHTMLPromptCommand($cmd) { } // Strip any slashes from command -$_REQUEST['command'] = stripslashes($_REQUEST['command']); +$_POST['command'] = stripslashes($_POST['command']); // Start output with the prompt and command they provided last -$output = returnHTMLPromptCommand($_REQUEST['command']); +$output = returnHTMLPromptCommand($_POST['command']); // If command contains cd but no dir -if (preg_match('/^[[:blank:]]*cd[[:blank:]]*$/', $_REQUEST['command'])) { +if (preg_match('/^[[:blank:]]*cd[[:blank:]]*$/', $_POST['command'])) { $_SESSION['cwd'] = $cwd; // Else cd to a dir -} elseif (preg_match('/^[[:blank:]]*cd[[:blank:]]+([^;]+)$/', $_REQUEST['command'], $regs)) { +} elseif (preg_match('/^[[:blank:]]*cd[[:blank:]]+([^;]+)$/', $_POST['command'], $regs)) { // The current command is 'cd', which we have to handle as an internal shell command $newDir = "/" === $regs[1][0] ? $regs[1] : $_SESSION['cwd'] . "/" . $regs[1]; @@ -110,15 +110,15 @@ function returnHTMLPromptCommand($cmd) { // The command is not a 'cd' command // Alias expansion - $length = strcspn($_REQUEST['command'], " \t"); - $token = substr($_REQUEST['command'], 0, $length); + $length = strcspn($_POST['command'], " \t"); + $token = substr($_POST['command'], 0, $length); if (true === isset($aliases[$token])) { - $_REQUEST['command'] = $aliases[$token] . substr($_REQUEST['command'], $length); + $_POST['command'] = $aliases[$token] . substr($_POST['command'], $length); } // Open a proc with array and $io return $p = proc_open( - $_REQUEST['command'], + $_POST['command'], array( 1 => array('pipe', 'w'), 2 => array('pipe', 'w') diff --git a/terminal.php b/terminal.php index 0c51e389d..12477a7fc 100644 --- a/terminal.php +++ b/terminal.php @@ -9,7 +9,7 @@ - +