Update filerename.php

filerename.php

@@ -17,91 +17,110 @@
 
 	The Initial Developer of the Original Code is
 	Mark J Crane <[email protected]>
-	Portions created by the Initial Developer are Copyright (C) 2008-2012
+	Portions created by the Initial Developer are Copyright (C) 2008-2019
 	the Initial Developer. All Rights Reserved.
 
 	Contributor(s):
 	Mark J Crane <[email protected]>
 	James Rose <[email protected]>
 */
-include "root.php";
-require_once "resources/require.php";
-require_once "resources/check_auth.php";
-if (permission_exists('script_editor_save')) {
-	//access granted
-}
-else {
-	echo "access denied";
-	exit;
-}
+
+//includes
+	include "root.php";
+	require_once "resources/require.php";
+	require_once "resources/check_auth.php";
+
+//check permissions
+	if (permission_exists('script_editor_save')) {
+		//access granted
+	}
+	else {
+		echo "access denied";
+		exit;
+	}
 
 //add multi-lingual support
 	$language = new text;
 	$text = $language->get();
 
-$folder = $_GET["folder"];
-//$folder = str_replace ("\\", "/", $folder);
-//if (substr($folder, -1) != "/") { $folder = $folder.'/'; }
-$newfilename = $_GET["newfilename"];
-$filename = $_GET["filename"];
-//echo $folder.$file;
-
-
-if (strlen($folder) > 0 && strlen($newfilename) > 0) {
-	//echo "new file: ".$newfilename."<br>";
-	//echo "folder: ".$folder."<br>";
-	//echo "orig filename: ".$filename."<br>";;
-	rename($folder.$filename, $folder.$newfilename);
-	header("Location: fileoptions.php");
-}
-else { //display form
-
-	require_once "header.php";
-	echo "<br>";
-	echo "<div align='left'>";
-	echo "<form method='get' action=''>";
-	echo "<table>";
-	echo "	<tr>";
-	echo "		<td>".$text['label-path']."</td>";
-	echo "	</tr>";
-	echo "	<tr>";
-	echo "		<td>".$folder.$filename."</td>";
-	echo "	</tr>";
-	echo "	<tr>";
-	echo "		<td><br></td>";
-	echo "	</tr>";
-	echo "	<tr>";
-	echo "		<td>".$text['label-file-name-orig']."</td>";
-	echo "	</tr>";
-	echo "	<tr>";
-	echo "		<td>".$filename."</td>";
-	echo "	</tr>";
-	echo "</table>";
-
-	echo "<br />";
-
-	echo "<table>";
-	echo "	<tr>";
-	echo "	  <td>".$text['label-rename-file-to']."</td>";
-	echo "	</tr>";
-
-	echo "	<tr>";
-	echo "		<td><input type='text' name='newfilename' value=''></td>";
-	echo "	</tr>";
-
-	echo "	<tr>";
-	echo "	  <td colspan='1' align='right'>";
-	echo "          <input type='hidden' name='folder' value='$folder'>";
-	echo "          <input type='hidden' name='filename' value='$filename'>";
-	echo "		    <input type='button' value='".$text['button-back']."' onclick='history.back()'><input type='submit' value='".$text['button-rename-file']."'>";
-	echo "    </td>";
-	echo "	</tr>";
-	echo "</table>";
-	echo "</form>";
-	echo "</div>";
-
-	require_once "footer.php";
-
-}
-
-?>
+//set the variables
+	$folder = $_REQUEST["folder"];
+	//$folder = str_replace ("\\", "/", $folder);
+	//if (substr($folder, -1) != "/") { $folder = $folder.'/'; }
+	$newfilename = $_REQUEST["newfilename"];
+	$filename = $_REQUEST["filename"];
+
+//rename the file or show the html form
+	if (strlen($folder) > 0 && strlen($newfilename) > 0) {
+		//compare the tokens
+		$key_name = '/app/edit/file_new';
+		$hash = hash_hmac('sha256', $key_name, $_SESSION['keys'][$key_name]);
+		if (!hash_equals($hash, $_POST['token'])) {
+			echo "access denied";
+			exit;
+		}
+
+		//rename the file
+		//echo "new file: ".$newfilename."<br>";
+		//echo "folder: ".$folder."<br>";
+		//echo "orig filename: ".$filename."<br>";;
+		rename($folder.$filename, $folder.$newfilename);
+		header("Location: fileoptions.php");
+	}
+	else {
+		//create the token
+		$key_name = '/app/edit/file_new';
+		$_SESSION['keys'][$key_name] = bin2hex(random_bytes(32));
+		$_SESSION['token'] = hash_hmac('sha256', $key_name, $_SESSION['keys'][$key_name]);
+
+		//display the form
+		require_once "header.php";
+		echo "<br>";
+		echo "<div align='left'>";
+		echo "<form method='POST' action=''>";
+		echo "<table>";
+		echo "	<tr>";
+		echo "		<td>".$text['label-path']."</td>";
+		echo "	</tr>";
+		echo "	<tr>";
+		echo "		<td>".$folder.$filename."</td>";
+		echo "	</tr>";
+		echo "	<tr>";
+		echo "		<td><br></td>";
+		echo "	</tr>";
+		echo "	<tr>";
+		echo "		<td>".$text['label-file-name-orig']."</td>";
+		echo "	</tr>";
+		echo "	<tr>";
+		echo "		<td>".$filename."</td>";
+		echo "	</tr>";
+		echo "</table>";
+
+		echo "<br />";
+
+		echo "<table>";
+		echo "	<tr>";
+		echo "	  <td>".$text['label-rename-file-to']."</td>";
+		echo "	</tr>";
+
+		echo "	<tr>";
+		echo "		<td><input type='text' name='newfilename' value=''></td>";
+		echo "	</tr>";
+
+		echo "	<tr>";
+		echo "		<td colspan='1' align='right'>";
+		echo "			<input type='hidden' name='folder' value='$folder'>";
+		echo "			<input type='hidden' name='filename' value='$filename'>";
+		echo "			<input type='hidden' name='token' id='token' value='". $_SESSION['token']. "'>";
+		echo "			<input type='button' value='".$text['button-back']."' onclick='history.back()'><input type='submit' value='".$text['button-rename-file']."'>";
+		echo "		</td>";
+		echo "	</tr>";
+		echo "</table>";
+		echo "</form>";
+		echo "</div>";
+
+		require_once "footer.php";
+	
+	}
+
+?>