From 885ab67cc891da78ede5bc26f184a9c9d143f314 Mon Sep 17 00:00:00 2001
From: tianya
Date: Thu, 21 Sep 2023 22:42:37 +0800
Subject: [PATCH] =?UTF-8?q?=E5=B8=B8=E8=A7=84=E5=AE=89=E5=85=A8=E9=97=AE?=
 =?UTF-8?q?=E9=A2=98=E4=BF=AE=E5=A4=8D?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 src/admin/file_class.php | 2 +-
 src/admin/file_manage_control.php | 44 +++++++++++++++++++++++++++++++
 2 files changed, 45 insertions(+), 1 deletion(-)

diff --git a/src/admin/file_class.php b/src/admin/file_class.php
index fc5fe2f9..ca72191d 100644
--- a/src/admin/file_class.php
+++ b/src/admin/file_class.php
@@ -30,7 +30,7 @@ class FileManagement
 $oldext = pathinfo($oldname)['extension'];
 $newext = pathinfo($newname)['extension'];
 if ($oldext != $newext) {
- if (preg_match('#\.(php|pl|cgi|asp|aspx|jsp|php5|php4|php3|shtm|shtml)$#i', trim($newname))) {
+ if (preg_match('#\.(php|pl|cgi|asp|aspx|jsp|php5|php4|php3|shtm|shtml|inc|htm)$#i', trim($newname))) {
 ShowMsg("文件扩展名已被系统禁止", "javascript:;");
 exit();
 }
diff --git a/src/admin/file_manage_control.php b/src/admin/file_manage_control.php
index 3e540648..3d7375b0 100644
--- a/src/admin/file_manage_control.php
+++ b/src/admin/file_manage_control.php
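Review bot: The check on the changed line is a deny-list that has to be re-extended every time another executable or include extension turns up, and the alternation is inlined in this one `preg_match` rather than kept in a single place. An allow-list of the extensions the file manager is actually meant to rename (or at least one shared class constant holding the blocked list) is easier to keep correct than growing this regex. On the context lines above, `pathinfo($oldname)['extension']` emits an undefined-index warning for a name without an extension; `pathinfo($oldname, PATHINFO_EXTENSION)` returns `''` in that case and can be compared directly. The enclosing method starts and ends outside the hunk.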
@@ -17,10 +17,32 @@ $activepath = preg_replace("#^\/{1,}#", "/", $activepath);
 if ($activepath == "/") $activepath = "";
 if ($activepath == "") $inpath = $cfg_basedir;
 else $inpath = $cfg_basedir.$activepath;
+$files = json_decode(file_get_contents(DEDEDATA.'/admin/files.txt'));
+$currentFolder = basename(__DIR__);
+$realFiles = array();
+foreach ($files as $ff) {
+ $rfi = preg_replace("#^admin/#",$currentFolder.'/',$ff->filename);
+ $realFiles[] = $rfi;
+}
+function realdir($path) {
+ return dirname(realpath($path));
+}
+
 //文件管理器交互与逻辑控制文件
 $fmm = new FileManagement();
 $fmm->Init();
 if ($fmdo == "rename") {
+ $f = str_replace("..", "", $oldfilename);
+ $f = $cfg_basedir.$activepath."/$oldfilename";
+ if (!file_exists(dirname(__FILE__).'/../license.txt')) {
+ ShowMsg("许可协议不存在,无法重名文件", "javascript:;");
+ exit();
+ }
+ $f = str_replace(realdir(dirname(__FILE__).'/../license.txt').'/', "", $f);
+ if (in_array($f,$realFiles)) {
+ ShowMsg("系统文件禁止重名", "javascript:;");
+ exit();
+ }
 $oldfilename = str_replace("..","",$oldfilename);
 $newfilename = str_replace("..","",$newfilename);
 $fmm->RenameFile($oldfilename, $newfilename);
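Review bot: The guard added in the `rename` branch compares a path built from the raw `$oldfilename` (the first `$f = str_replace("..", "", $oldfilename);` is dead, overwritten on the next line) while `RenameFile` below receives the `..`-stripped value, so the check and the operation can look at different files; the `move` and `del` branches in the next hunk repeat the same block. The protected list is loaded with `json_decode(file_get_contents(...))` and never validated: a missing or malformed `files.txt` leaves `$files` as null, the `foreach` only warns, `$realFiles` stays empty and every guard passes, i.e. the new check fails open where the `license.txt` check fails closed. Stripping the install root with `str_replace` replaces every occurrence rather than only the leading path, and it only works if `$cfg_basedir.$activepath` is spelled exactly as `realpath()` spells it, so a differing separator or a symlinked base leaves the prefix in place and `in_array` never matches. Resolving the candidate with `realpath()` first, comparing the root as a prefix and using `in_array(..., true)` removes those cases, and one helper can replace the three copies (the root-relative result then also needs `DIRECTORY_SEPARATOR` normalised to `/` to match the `admin/...` entries). Sketch, in which a path that does not resolve is reported as protected, so the caller's message is only approximate for a missing file:
```php
$files = json_decode(file_get_contents(DEDEDATA.'/admin/files.txt'));
if (!is_array($files)) {
    // Fail closed: without the protected-file list no rename/move/delete may run.
    ShowMsg("系统文件列表不可用", "javascript:;");
    exit();
}
// … unchanged: $currentFolder / $realFiles construction, realdir() …

// True when $name under $activepath resolves to a file listed in files.txt.
// Paths that do not resolve or lie outside $root are also reported as protected.
function isProtectedFile($cfg_basedir, $activepath, $name, array $realFiles, $root)
{
    $real = realpath($cfg_basedir.$activepath.'/'.$name);
    $prefix = $root.DIRECTORY_SEPARATOR;
    if ($real === false || strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return true;
    }
    $rel = str_replace(DIRECTORY_SEPARATOR, '/', substr($real, strlen($prefix)));
    return in_array($rel, $realFiles, true);
}

if ($fmdo == "rename") {
    // … unchanged: license.txt existence check …
    $root = realdir(dirname(__FILE__).'/../license.txt');
    if (isProtectedFile($cfg_basedir, $activepath, $oldfilename, $realFiles, $root)) {
        ShowMsg("系统文件禁止重名", "javascript:;");
        exit();
    }
    // … unchanged: ".." stripping and RenameFile call …
```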
@@ -32,10 +54,32 @@ else if ($fmdo == "newdir") {
 }
 //移动文件
 else if ($fmdo == "move") {
+ $f = str_replace("..", "", $filename);
+ $f = $cfg_basedir.$activepath."/$filename";
+ if (!file_exists(dirname(__FILE__).'/../license.txt')) {
+ ShowMsg("许可协议不存在,无法移动文件", "javascript:;");
+ exit();
+ }
+ $f = str_replace(realdir(dirname(__FILE__).'/../license.txt').'/', "", $f);
+ if (in_array($f,$realFiles)) {
+ ShowMsg("系统文件禁止移动", "javascript:;");
+ exit();
+ }
 $fmm->MoveFile($filename, $newpath);
 }
 //删除文件
 else if ($fmdo == "del") {
+ $f = str_replace("..", "", $filename);
+ $f = $cfg_basedir.$activepath."/$filename";
+ if (!file_exists(dirname(__FILE__).'/../license.txt')) {
+ ShowMsg("许可协议不存在,无法删除", "javascript:;");
+ exit();
+ }
+ $f = str_replace(realdir(dirname(__FILE__).'/../license.txt').'/', "", $f);
+ if (in_array($f,$realFiles)) {
+ ShowMsg("系统文件禁止删除", "javascript:;");
+ exit();
+ }
 $fmm->DeleteFile($filename);
 }
 //文件修改
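Review bot: The `move` branch checks only the source `$filename` against `$realFiles`; `$newpath` goes to `MoveFile` unchecked, so if `MoveFile` can overwrite an existing target (its body is not in the hunk) a listed file is still replaceable through the destination side. Extending the guard to `$newpath`, resolved and made root-relative the same way as `$f`, closes that, and the `del` branch has the analogous gap if `DeleteFile` removes directories recursively, since only the directory's own path is compared against the list. The dead first `$f` assignment, the comparison against the unsanitised name and the `str_replace` prefix stripping are the same defects as in the `rename` hunk above. `else if ($fmdo == "newdir")` in the hunk header belongs to the previous branch, which ends outside the hunk; the `move` and `del` branches are complete within it.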