Preparing version 2.1.15

- fixed a critical security issue reported by shimmeris
- PHP 8 compatibility

CHANGELOG.txt

@@ -1,7 +1,9 @@
 ****************************
 Changelog for eXtplorer
-Version $Id: CHANGELOG.txt 249 2016-12-11 16:11:03Z soeren $
 ****************************
+--- version 2.1.15 ---
+- fixed a critical security issue reported by shimmeris
+- PHP 8 compatibility
 
 --- version 2.1.14 ---
 - fixed various security issues reported by Sander Bos:

admin.extplorer.php

@@ -3,11 +3,9 @@
 if( !defined( '_JEXEC' ) && !defined( '_VALID_MOS' ) ) die( 'Restricted access' );
 /**
  * MAIN FILE! (formerly known as index.php)
- * 
- * @version $Id: admin.extplorer.php 247 2016-02-23 10:06:18Z soeren $
- * 
+ * #
  * @package eXtplorer
- * @copyright soeren 2007-2021
+ * @copyright soeren 2007-2022
  * @author The eXtplorer project (http://extplorer.net)
  * @author The	The QuiX project (http://quixplorer.sourceforge.net)
  * @license
@@ -39,7 +37,7 @@
 **/
 
 // The eXtplorer version number
-$GLOBALS['ext_version'] = '2.1.14';
+$GLOBALS['ext_version'] = '2.1.15';
 $GLOBALS['ext_home'] = 'http://extplorer.net';
 $dir = '';
 //------------------------------------------------------------------------------

extplorer.j15.xml

@@ -4,12 +4,12 @@
 <!-- Joomla! 1.5 Installer XML File
 $Id: extplorer.j15.xml 249 2016-12-11 16:11:03Z soeren $ -->
     <name>eXtplorer</name>
-    <creationDate>21.01.2021</creationDate>
+    <creationDate>06.01.2022</creationDate>
     <author>soeren, QuiX Project</author>
     <copyright>Soeren Eberhardt-Biermann, QuiX Project</copyright>
     <authorEmail>info|-at|-extplorer.net</authorEmail>
     <authorUrl>https://extplorer.net/</authorUrl>
-    <version>2.1.14</version>
+    <version>2.1.15</version>
     <description><![CDATA[
 	<div align="left"><img src="components/com_extplorer/images/eXtplorer_logo.png" alt="eXtplorer Logo" /></div>
 	<h2>Successfully installed eXtplorer&nbsp;</h2>

extplorer.j30.xml

@@ -3,12 +3,12 @@
 <!-- Joomla! 3.0 Installer XML File 
 $Id: extplorer.j30.xml 249 2016-12-11 16:11:03Z soeren $ -->
     <name>eXtplorer</name>
-    <creationDate>21.01.2021</creationDate>
+    <creationDate>06.01.2022</creationDate>
     <author>soeren, QuiX Project</author>
     <copyright>Soeren Eberhardt-Biermann, QuiX Project</copyright>
     <authorEmail>info|-at|-extplorer.net</authorEmail>
     <authorUrl>http://extplorer.net/</authorUrl>
-    <version>2.1.14</version>
+    <version>2.1.15</version>
     <description><![CDATA[
 	<div align="left"><img src="components/com_extplorer/images/eXtplorer_logo.png" alt="eXtplorer Logo" /></div>
 	<h2>Successfully installed eXtplorer&nbsp;</h2>

extplorer.xml

@@ -3,12 +3,12 @@
 <!-- Joomla! 1.0 Installer XML File 
 $Id: extplorer.xml 249 2016-12-11 16:11:03Z soeren $ -->
     <name>eXtplorer</name>
-    <creationDate>21.01.2021</creationDate>
+    <creationDate>06.01.2022</creationDate>
     <author>soeren, QuiX Project</author>
     <copyright>Soeren Eberhardt-Biermann, QuiX Project</copyright>
     <authorEmail>info|-at|-extplorer.net</authorEmail>
     <authorUrl>https://extplorer.net/</authorUrl>
-    <version>2.1.14</version>
+    <version>2.1.15</version>
     <description><![CDATA[
 	<div align="left"><img src="components/com_extplorer/images/eXtplorer_logo.png" alt="eXtplorer Logo" /></div>
 	<h2>Successfully installed eXtplorer&nbsp;</h2>

include/authentication/extplorer.php

@@ -2,9 +2,8 @@
 // ensure this file is being included by a parent file
 if( !defined( '_JEXEC' ) && !defined( '_VALID_MOS' ) ) die( 'Restricted access' );
 /**
- * @version $Id: extplorer.php 201 2011-06-27 09:45:09Z soeren $
  * @package eXtplorer
- * @copyright soeren 2007-2010
+ * @copyright soeren 2007-2022
  * @author The eXtplorer project (http://extplorer.net)
  * @author The	The QuiX project (http://quixplorer.sourceforge.net)
  * 
@@ -40,16 +39,18 @@ class ext_extplorer_authentication {
 	function onAuthenticate($credentials, $options=null ) {
 		// Check Login
 		//------------------------------------------------------------------------------
-
+		if(empty( $credentials['password'] )) {
+			return false;
+		}
 		$data=ext_find_user( $credentials['username'],null );
 		// Username not existing
 		if( $data === NULL ) return false;
 
 		require_once( _EXT_PATH.'/libraries/PasswordHash.php');
 		$hasher = new PasswordHash(8, FALSE);
 		$result = $hasher->CheckPassword($credentials['password'], $data[1]);
-		
-		if(!$result) {
+
+		if(!$result ) {
 			$data=ext_find_user( $credentials['username'],$credentials['password'] );
 			if( $data == NULL ) return false;
 		}

include/list.php

@@ -84,6 +84,8 @@ function get_dircontents($dir, &$dir_list, &$file_list, &$tot_file_size, &$num_i
         $pattern = "/^.*$pattern.*\$/m";
         // search, and store all matching occurrences in $matches
     }
+	$mdate_start = 0;
+
     if (!empty($_POST['mdate_start'])) {
         $mdate_start = strtotime($_POST['mdate_start']);
         if (empty($_POST['mdate_end'])) {

include/view.php

@@ -37,7 +37,7 @@
  */
 class ext_View extends ext_Action {
 
-	function execAction($dir, $item) {		// show file contents
+	static function execAction($dir, $item) {		// show file contents
 		global $action;
 		$item = basename($item);
 		if(in_array(".".strtolower(pathinfo($item,PATHINFO_EXTENSION )), $GLOBALS["images_ext"])) {

index.php

@@ -42,12 +42,12 @@
 define( '_VALID_EXT', 1 );
 
 require_once( dirname(__FILE__).'/libraries/standalone.php');
-ob_start();
+if(!ob_start("ob_gzhandler")) ob_start();
 include( dirname(__FILE__).'/admin.extplorer.php' );
 $mainbody = ob_get_contents();
 ob_end_clean();
 
-extInitGzip();
+if(!ob_start("ob_gzhandler")) ob_start();
 header( 'Expires: Mon, 26 Jul 1997 05:00:00 GMT' );
 header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' );
 header( 'Cache-Control: no-store, no-cache, must-revalidate' );
@@ -69,6 +69,6 @@
 	</body>
 </html>
 <?php
-extDoGzip();
+ob_end_flush();
 
 ?>

libraries/Archive/path.php

@@ -123,11 +123,11 @@ function getPermissions($path)
 		for ($i = 0; $i < 3; $i ++)
 		{
 			// read
-			$parsed_mode .= ($mode { $i } & 04) ? "r" : "-";
+			$parsed_mode .= ($mode [ $i ] & 04) ? "r" : "-";
 			// write
-			$parsed_mode .= ($mode { $i } & 02) ? "w" : "-";
+			$parsed_mode .= ($mode [ $i ] & 02) ? "w" : "-";
 			// execute
-			$parsed_mode .= ($mode { $i } & 01) ? "x" : "-";
+			$parsed_mode .= ($mode [ $i ] & 01) ? "x" : "-";
 		}
 		return $parsed_mode;
 	}

libraries/inputfilter.php

@@ -307,10 +307,7 @@ public function sanitize(array $input, array $fields = array(), $utf8_encode = t
                     $value = null;
                 }
                 if (is_string($value)) {
-                    if ($magic_quotes === true) {
-                        $value = stripslashes($value);
-                    }
-
+
                     if (strpos($value, "\r") !== false) {
                         $value = trim($value);
                     }

libraries/standalone.php

@@ -329,32 +329,7 @@ function extInitGzip() {
 	ob_start();
 }
 
-/**
-* Perform GZIP
-*/
-function extDoGzip() {
-	global $do_gzip_compress;
-	if ( $do_gzip_compress ) {
-		/**
-		*Borrowed from php.net!
-		*/
-		$gzip_contents = ob_get_contents();
-		ob_end_clean();
-
-		$gzip_size = strlen($gzip_contents);
-		$gzip_crc = crc32($gzip_contents);
-
-		$gzip_contents = gzcompress($gzip_contents, 9);
-		$gzip_contents = substr($gzip_contents, 0, strlen($gzip_contents) - 4);
-
-		echo "\x1f\x8b\x08\x00\x00\x00\x00\x00";
-		echo $gzip_contents;
-		echo pack('V', $gzip_crc);
-		echo pack('V', $gzip_size);
-	} else {
-		ob_end_flush();
-	}
-}
+
 /**
 * Replaces & with & for xhtml compliance
 *