src build elFinder-2.1-1733024

Changelog

@@ -1,3 +1,12 @@
+2022-03-14  Naoki Sawada  <[email protected]>
+	* elFinder (2.1.61):
+		- [security] Fixed #3458 filename bypass leading to RCE on Windows server
+		- [security:CVE-2022-26960] Fixed a path traversal issue
+		- [i18n] Updated ru and fr
+		- [js] Updated CDNs of external libs
+		- And some minor bug fixes
+
+
 2021-11-12  Naoki Sawada  <[email protected]>
 	* elFinder (2.1.60):
 		- [VD:OneDrive] show error on _od_obtainAccessToken()
@@ -6,6 +15,7 @@
 		- [VD:LocalFileSystem] Fixed #3429 RCE on Windows server
 		- [js:core,options] Fixed #3401 add an option workerBaseUrl
 
+
 2021-06-13  Naoki Sawada  <[email protected]>
 	* elFinder (2.1.59):
 		- [Security:php] Fixed multiple vulnerabilities leading to RCE

README.md

@@ -1,7 +1,7 @@
 elFinder
 ========
 
-**WARNING: IF YOU HAVE OLDER (IN PARTICULAR 2.1.58 OR EARLIER) VERSIONS OF ELFINDER ON PUBLIC SERVERS, IT MAY CAUSE SERIOUS DAMAGE TO YOUR SERVER AND VISITED USER. YOU SHOULD UPDATE TO THE LATEST VERSION OR REMOVE IT FROM THE SERVER.**
+**WARNING: IF YOU HAVE OLDER (IN PARTICULAR 2.1.60 OR EARLIER) VERSIONS OF ELFINDER ON PUBLIC SERVERS, IT MAY CAUSE SERIOUS DAMAGE TO YOUR SERVER AND VISITED USER. YOU SHOULD UPDATE TO THE LATEST VERSION OR REMOVE IT FROM THE SERVER.**
 
 [![elFinder file manager for the Web](https://studio-42.github.io/elFinder/images/elFinderScr.png "elFinder file manager for the Web")](https://studio-42.github.io/elFinder/)
 

css/elfinder.full.css

@@ -1,6 +1,6 @@
 /*!
  * elFinder - file manager for web
- * Version 2.1.61 (2022-03-14)
+ * Version 2.1.61 (2.1-src Nightly: 1733024) (2022-03-15)
  * http://elfinder.org
  * 
  * Copyright 2009-2022, Studio 42

js/elfinder.full.js

@@ -1,6 +1,6 @@
 /*!
  * elFinder - file manager for web
- * Version 2.1.61 (2022-03-14)
+ * Version 2.1.61 (2.1-src Nightly: 1733024) (2022-03-15)
  * http://elfinder.org
  * 
  * Copyright 2009-2022, Studio 42
@@ -10730,7 +10730,7 @@ if (!window.cancelAnimationFrame) {
  *
  * @type String
  **/
-elFinder.prototype.version = '2.1.61';
+elFinder.prototype.version = '2.1.61 (2.1-src Nightly: 1733024)';
 
 
 
@@ -11216,27 +11216,27 @@ elFinder.prototype._options = {
 	 */
 	cdns : {
 		// for editor etc.
-		ace        : 'https://cdnjs.cloudflare.com/ajax/libs/ace/1.4.12',
-		codemirror : 'https://cdnjs.cloudflare.com/ajax/libs/codemirror/5.61.1',
-		ckeditor   : 'https://cdnjs.cloudflare.com/ajax/libs/ckeditor/4.16.1',
-		ckeditor5  : 'https://cdn.ckeditor.com/ckeditor5/28.0.0',
-		tinymce    : 'https://cdnjs.cloudflare.com/ajax/libs/tinymce/5.7.1',
+		ace        : 'https://cdnjs.cloudflare.com/ajax/libs/ace/1.4.14',
+		codemirror : 'https://cdnjs.cloudflare.com/ajax/libs/codemirror/5.65.2',
+		ckeditor   : 'https://cdnjs.cloudflare.com/ajax/libs/ckeditor/4.17.2',
+		ckeditor5  : 'https://cdn.ckeditor.com/ckeditor5/33.0.0',
+		tinymce    : 'https://cdnjs.cloudflare.com/ajax/libs/tinymce/6.0.0',
 		simplemde  : 'https://cdnjs.cloudflare.com/ajax/libs/simplemde/1.11.2',
 		fabric     : 'https://cdnjs.cloudflare.com/ajax/libs/fabric.js/4.2.0',
 		fabric16   : 'https://cdnjs.cloudflare.com/ajax/libs/fabric.js/1.6.7',
 		tui        : 'https://uicdn.toast.com',
 		// for quicklook etc.
-		hls        : 'https://cdnjs.cloudflare.com/ajax/libs/hls.js/1.0.2/hls.min.js',
-		dash       : 'https://cdnjs.cloudflare.com/ajax/libs/dashjs/3.2.2/dash.all.min.js',
-		flv        : 'https://cdnjs.cloudflare.com/ajax/libs/flv.js/1.5.0/flv.min.js',
-		videojs    : 'https://cdnjs.cloudflare.com/ajax/libs/video.js/7.12.1',
+		hls        : 'https://cdnjs.cloudflare.com/ajax/libs/hls.js/1.1.5/hls.min.js',
+		dash       : 'https://cdnjs.cloudflare.com/ajax/libs/dashjs/4.3.0/dash.all.min.js',
+		flv        : 'https://cdnjs.cloudflare.com/ajax/libs/flv.js/1.6.2/flv.min.js',
+		videojs    : 'https://cdnjs.cloudflare.com/ajax/libs/video.js/7.18.1',
 		prettify   : 'https://cdn.jsdelivr.net/gh/google/code-prettify@f1c3473acd1e8ea8c8c1a60c56e89f5cdd06f915/loader/run_prettify.js',
-		psd        : 'https://cdnjs.cloudflare.com/ajax/libs/psd.js/3.2.0/psd.min.js',
+		psd        : 'https://cdnjs.cloudflare.com/ajax/libs/psd.js/3.4.0/psd.min.js',
 		rar        : 'https://cdn.jsdelivr.net/gh/nao-pon/rar.js@6cef13ec66dd67992fc7f3ea22f132d770ebaf8b/rar.min.js',
 		zlibUnzip  : 'https://cdn.jsdelivr.net/gh/imaya/[email protected]/bin/unzip.min.js', // need check unzipFiles() in quicklook.plugins.js when update
 		zlibGunzip : 'https://cdn.jsdelivr.net/gh/imaya/[email protected]/bin/gunzip.min.js',
 		bzip2      : 'https://cdn.jsdelivr.net/gh/nao-pon/[email protected]/bzip2.js',
-		marked     : 'https://cdnjs.cloudflare.com/ajax/libs/marked/2.0.3/marked.min.js',
+		marked     : 'https://cdnjs.cloudflare.com/ajax/libs/marked/4.0.2/marked.min.js',
 		sparkmd5   : 'https://cdnjs.cloudflare.com/ajax/libs/spark-md5/3.0.0/spark-md5.min.js',
 		jssha      : 'https://cdnjs.cloudflare.com/ajax/libs/jsSHA/3.2.0/sha.min.js',
 		amr        : 'https://cdn.jsdelivr.net/gh/yxl/opencore-amr-js@dcf3d2b5f384a1d9ded2a54e4c137a81747b222b/js/amrnb.js',
@@ -30111,7 +30111,7 @@ elFinder.prototype.commands.quicklook.plugins = [
 				ql.hideinfo();
 				var doc = $('<iframe class="elfinder-quicklook-preview-html"></iframe>').appendTo(preview)[0].contentWindow.document;
 				doc.open();
-				doc.write(marked(data.content));
+				doc.write((marked.parse || marked)(data.content));
 				doc.close();
 				loading.remove();
 			},

js/extras/editors.default.js

@@ -218,7 +218,7 @@
 					this.disabled = true;
 				} else {
 					this.opts = Object.assign({
-						version: 'v3.14.3'
+						version: 'v3.15.2'
 					}, opts.extraOptions.tuiImgEditOpts || {}, {
 						iconsPath : fm.baseUrl + 'img/tui-',
 						theme : {}
@@ -255,20 +255,7 @@
 										path: $base.data('url'),
 										name: self.file.name
 									},
-									theme: Object.assign(opts.theme, {
-										'menu.normalIcon.path': iconsPath + 'icon-d.svg',
-										'menu.normalIcon.name': 'icon-d',
-										'menu.activeIcon.path': iconsPath + 'icon-b.svg',
-										'menu.activeIcon.name': 'icon-b',
-										'menu.disabledIcon.path': iconsPath + 'icon-a.svg',
-										'menu.disabledIcon.name': 'icon-a',
-										'menu.hoverIcon.path': iconsPath + 'icon-c.svg',
-										'menu.hoverIcon.name': 'icon-c',
-										'submenu.normalIcon.path': iconsPath + 'icon-d.svg',
-										'submenu.normalIcon.name': 'icon-d',
-										'submenu.activeIcon.path': iconsPath + 'icon-c.svg',
-										'submenu.activeIcon.name': 'icon-c'
-									}),
+									theme: opts.theme,
 									initMenu: 'filter',
 									menuBarPosition: 'bottom'
 								},
@@ -283,7 +270,7 @@
 										w = parseInt(c.attr('width')),
 										h = parseInt(c.attr('height')),
 										a = w / h,
-										mw, mh;
+										z, mw, mh;
 									if (v === 0) {
 										mw = w;
 										mh = h;
@@ -295,7 +282,16 @@
 											mh = h;
 										}
 									}
-									per.text(Math.round(mw / w * 100) + '%');
+									z = Math.round(mw / w * 100);
+									// Control zoom button of TUI Image Editor
+									if (z < 100) {
+										iEditor.resetZoom();
+										iEditor.stopDrawingMode();
+										tuiZoomCtrls.hide();
+									} else {
+										tuiZoomCtrls.show();
+									}
+									per.text(z + '%');
 									iEditor.resizeCanvasDimension({width: mw, height: mh});
 									// continually change more
 									if (zoomMore) {
@@ -308,6 +304,7 @@
 							zup = $('<span class="ui-icon ui-icon-plusthick"></span>').data('val', 10),
 							zdown = $('<span class="ui-icon ui-icon-minusthick"></span>').data('val', -10),
 							per = $('<button></button>').css('width', '4em').text('%').attr('title', '100%').data('val', 0),
+							tuiZoomCtrls,
 							quty, qutyTm, zoomTm, zoomMore;
 
 						tmpContainer.remove();
@@ -372,6 +369,8 @@
 									quty.trigger('change');
 								});
 							}
+							// ZOOM controls of TUI Image Editor
+							tuiZoomCtrls = $base.find('.tie-btn-zoomIn,.tie-btn-zoomOut,.tie-btn-hand');
 							// show initial scale
 							zoom(null);
 						}, 100);

php/elFinderVolumeDriver.class.php

@@ -6794,14 +6794,22 @@ protected function getFullPath($path, $base)
             $base = rtrim($base, $separator);
         }
 
-        // 'Here'
-        if ($path === '' || $path === '.' . $separator) return $base;
-
         $sepquoted = preg_quote($separator, '#');
 
+        // normalize `//` to `/`
+        $path = preg_replace('#' . $sepquoted . '+#', $separator, $path); // '#/+#'
+
+        // remove `./`
+        $path = preg_replace('#(?<=^|' . $sepquoted . ')\.' . $sepquoted . '#', '', $path); // '#(?<=^|/)\./#'
+
+        // 'Here'
+        if ($path === '') return $base;
+
+        // join $base to $path if $path start `../`
         if (substr($path, 0, 3) === '..' . $separator) {
             $path = $base . $separator . $path;
         }
+
         // normalize `/../`
         $normreg = '#(' . $sepquoted . ')[^' . $sepquoted . ']+' . $sepquoted . '\.\.' . $sepquoted . '#'; // '#(/)[^\/]+/\.\./#'
         while (preg_match($normreg, $path)) {
@@ -6811,6 +6819,9 @@ protected function getFullPath($path, $base)
             $path = rtrim($path, $separator);
         }
 
+        // discard the surplus `../`
+        $path = str_replace('..' . $separator, '', $path);
+
         // Absolute path
         if ($path[0] === $separator || strpos($path, $systemroot) === 0) {
             return $path;

php/elFinderVolumeLocalFileSystem.class.php

@@ -485,6 +485,7 @@ protected function _abspath($path)
         if ($path === DIRECTORY_SEPARATOR) {
             return $this->root;
         } else {
+            $path = $this->_normpath($path);
             if (strpos($path, $this->systemRoot) === 0) {
                 return $path;
             } else if (DIRECTORY_SEPARATOR !== '/' && preg_match('/^[a-zA-Z]:' . preg_quote(DIRECTORY_SEPARATOR, '/') . '/', $path)) {