From 5129710380a101d16448bf2d57d41999dfb612e6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?S=C3=B6ren?= Date: Thu, 6 Jan 2022 19:43:54 +0100 Subject: [PATCH] Preparing version 2.1.15 - fixed a critical security issue reported by shimmeris - PHP 8 compatibility --- CHANGELOG.txt | 4 +++- admin.extplorer.php | 8 +++----- extplorer.j15.xml | 4 ++-- extplorer.j30.xml | 4 ++-- extplorer.xml | 4 ++-- include/authentication/extplorer.php | 11 ++++++----- include/list.php | 2 ++ include/view.php | 2 +- index.php | 6 +++--- libraries/Archive/path.php | 6 +++--- libraries/inputfilter.php | 5 +---- libraries/standalone.php | 27 +-------------------------- 12 files changed, 29 insertions(+), 54 deletions(-) diff --git a/CHANGELOG.txt b/CHANGELOG.txt index 258f375..3d6508a 100755 --- a/CHANGELOG.txt +++ b/CHANGELOG.txt @@ -1,7 +1,9 @@ **************************** Changelog for eXtplorer -Version $Id: CHANGELOG.txt 249 2016-12-11 16:11:03Z soeren $ **************************** +--- version 2.1.15 --- +- fixed a critical security issue reported by shimmeris +- PHP 8 compatibility --- version 2.1.14 --- - fixed various security issues reported by Sander Bos: diff --git a/admin.extplorer.php b/admin.extplorer.php index ecff4e1..ada7b93 100755 --- a/admin.extplorer.php +++ b/admin.extplorer.php @@ -3,11 +3,9 @@ if( !defined( '_JEXEC' ) && !defined( '_VALID_MOS' ) ) die( 'Restricted access' ); /** * MAIN FILE! (formerly known as index.php) - * - * @version $Id: admin.extplorer.php 247 2016-02-23 10:06:18Z soeren $ - * + * # * @package eXtplorer - * @copyright soeren 2007-2021 + * @copyright soeren 2007-2022 * @author The eXtplorer project (http://extplorer.net) * @author The The QuiX project (http://quixplorer.sourceforge.net) * @license 
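Review bot: The replacement line ` * #` in the admin.extplorer.php file docblock looks like an editing artifact rather than intended content: the three removed lines were a blank ` *` separator, the `@version` tag and a second separator, and the new side keeps a lone `#` inside the comment. A plain ` *` line (or simply dropping the line) is the clean result, e.g. ` * MAIN FILE! (formerly known as index.php)` followed by ` *` and then ` * @package eXtplorer`. This hunk is comment-only and the docblock continues past its end.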
@@ -39,7 +37,7 @@ **/ // The eXtplorer version number -$GLOBALS['ext_version'] = '2.1.14'; +$GLOBALS['ext_version'] = '2.1.15'; $GLOBALS['ext_home'] = 'http://extplorer.net'; $dir = ''; //------------------------------------------------------------------------------ diff --git a/extplorer.j15.xml b/extplorer.j15.xml index ae754fc..62dff85 100644 --- a/extplorer.j15.xml +++ b/extplorer.j15.xml @@ -4,12 +4,12 @@ eXtplorer - 21.01.2021 + 06.01.2022 soeren, QuiX Project Soeren Eberhardt-Biermann, QuiX Project info|-at|-extplorer.net https://extplorer.net/ - 2.1.14 + 2.1.15 eXtplorer Logo

Successfully installed eXtplorer 

diff --git a/extplorer.j30.xml b/extplorer.j30.xml index 9e3fcda..33da7a3 100644 --- a/extplorer.j30.xml +++ b/extplorer.j30.xml @@ -3,12 +3,12 @@ eXtplorer - 21.01.2021 + 06.01.2022 soeren, QuiX Project Soeren Eberhardt-Biermann, QuiX Project info|-at|-extplorer.net http://extplorer.net/ - 2.1.14 + 2.1.15 eXtplorer Logo

Successfully installed eXtplorer 

diff --git a/extplorer.xml b/extplorer.xml index 1d8ce75..f10fafd 100644 --- a/extplorer.xml +++ b/extplorer.xml @@ -3,12 +3,12 @@ eXtplorer - 21.01.2021 + 06.01.2022 soeren, QuiX Project Soeren Eberhardt-Biermann, QuiX Project info|-at|-extplorer.net https://extplorer.net/ - 2.1.14 + 2.1.15 eXtplorer Logo

Successfully installed eXtplorer 

diff --git a/include/authentication/extplorer.php b/include/authentication/extplorer.php index cae517d..28fe023 100644 --- a/include/authentication/extplorer.php +++ b/include/authentication/extplorer.php @@ -2,9 +2,8 @@ // ensure this file is being included by a parent file if( !defined( '_JEXEC' ) && !defined( '_VALID_MOS' ) ) die( 'Restricted access' ); /** - * @version $Id: extplorer.php 201 2011-06-27 09:45:09Z soeren $ * @package eXtplorer - * @copyright soeren 2007-2010 + * @copyright soeren 2007-2022 * @author The eXtplorer project (http://extplorer.net) * @author The The QuiX project (http://quixplorer.sourceforge.net) * @@ -40,7 +39,9 @@ class ext_extplorer_authentication { function onAuthenticate($credentials, $options=null ) { // Check Login //------------------------------------------------------------------------------ - + if(empty( $credentials['password'] )) { + return false; + } $data=ext_find_user( $credentials['username'],null ); // Username not existing if( $data === NULL ) return false; @@ -48,8 +49,8 @@ function onAuthenticate($credentials, $options=null ) { require_once( _EXT_PATH.'/libraries/PasswordHash.php'); $hasher = new PasswordHash(8, FALSE); $result = $hasher->CheckPassword($credentials['password'], $data[1]); - - if(!$result) { + + if(!$result ) { $data=ext_find_user( $credentials['username'],$credentials['password'] ); if( $data == NULL ) return false; } diff --git a/include/list.php b/include/list.php index ec1ce5e..21913e1 100755 --- a/include/list.php +++ b/include/list.php @@ -84,6 +84,8 @@ function get_dircontents($dir, &$dir_list, &$file_list, &$tot_file_size, &$num_i $pattern = "/^.*$pattern.*\$/m"; // search, and store all matching occurrences in $matches } + $mdate_start = 0; + if (!empty($_POST['mdate_start'])) { $mdate_start = strtotime($_POST['mdate_start']); if (empty($_POST['mdate_end'])) { diff --git a/include/view.php b/include/view.php index b446c47..d9d1540 100755 --- a/include/view.php +++ b/include/view.php 
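Review bot: The new guard at the top of onAuthenticate uses `empty($credentials['password'])`, which also treats the literal password string `'0'` as empty, so an account with that password can no longer log in; the precise check for an absent or blank password is `if (!isset($credentials['password']) || $credentials['password'] === '') { return false; }`. The username is still read unguarded on the very next line, so if the credentials array can arrive without that key, `ext_find_user()` is reached with a PHP 8 "Undefined array key" warning — covering `username` in the same guard avoids that. onAuthenticate continues past the end of this hunk, and the fallback lookup in the following hunk still tests its result with `$data == NULL` while the first lookup uses `=== NULL`; aligning both on `=== null` would remove the loose comparison from the authentication path.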
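Review bot: `$mdate_start = 0;` gives the variable a default, but the value assigned inside the `if` is the raw return of `strtotime($_POST['mdate_start'])`, which is `false` for a date the parser cannot read; in the numeric comparisons such a filter presumably feeds (outside this hunk), `false` behaves like the default `0`, so a mistyped lower bound silently produces an unfiltered listing instead of feedback. Making that case explicit, e.g. `if ($mdate_start === false) { $mdate_start = 0; }` directly after the call, documents the fallback, and reporting the unparsable input to the user would be clearer still. get_dircontents() starts and continues outside this hunk.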
@@ -37,7 +37,7 @@ */ class ext_View extends ext_Action { - function execAction($dir, $item) { // show file contents + static function execAction($dir, $item) { // show file contents global $action; $item = basename($item); if(in_array(".".strtolower(pathinfo($item,PATHINFO_EXTENSION )), $GLOBALS["images_ext"])) { diff --git a/index.php b/index.php index d50cf66..d4b1e97 100644 --- a/index.php +++ b/index.php @@ -42,12 +42,12 @@ define( '_VALID_EXT', 1 ); require_once( dirname(__FILE__).'/libraries/standalone.php'); -ob_start(); +if(!ob_start("ob_gzhandler")) ob_start(); include( dirname(__FILE__).'/admin.extplorer.php' ); $mainbody = ob_get_contents(); ob_end_clean(); -extInitGzip(); +if(!ob_start("ob_gzhandler")) ob_start(); header( 'Expires: Mon, 26 Jul 1997 05:00:00 GMT' ); header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); header( 'Cache-Control: no-store, no-cache, must-revalidate' ); @@ -69,6 +69,6 @@ \ No newline at end of file diff --git a/libraries/Archive/path.php b/libraries/Archive/path.php index 6a05186..98e5336 100644 --- a/libraries/Archive/path.php +++ b/libraries/Archive/path.php @@ -123,11 +123,11 @@ function getPermissions($path) for ($i = 0; $i < 3; $i ++) { // read - $parsed_mode .= ($mode { $i } & 04) ? "r" : "-"; + $parsed_mode .= ($mode [ $i ] & 04) ? "r" : "-"; // write - $parsed_mode .= ($mode { $i } & 02) ? "w" : "-"; + $parsed_mode .= ($mode [ $i ] & 02) ? "w" : "-"; // execute - $parsed_mode .= ($mode { $i } & 01) ? "x" : "-"; + $parsed_mode .= ($mode [ $i ] & 01) ? "x" : "-"; } return $parsed_mode; } diff --git a/libraries/inputfilter.php b/libraries/inputfilter.php index e93eb03..c9a1a21 100644 --- a/libraries/inputfilter.php +++ b/libraries/inputfilter.php 
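Review bot: The new declaration `static function execAction($dir, $item)` still omits a visibility keyword; `public static function execAction($dir, $item) { // show file contents` is the conventional form and what static analysers expect on a method. Making it static presumably satisfies a call site that invokes it statically under PHP 8 — if the other ext_Action subclasses are dispatched the same way (not visible in this diff), they need the same change or the fatal error only moves to the next action. execAction's body continues past the end of this hunk.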
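Review bot: The first `if(!ob_start("ob_gzhandler")) ob_start();` in index.php wraps a buffer whose only use is `ob_get_contents()` followed by `ob_end_clean()`, so the gzip handler does no useful work there and may already have emitted a `Content-Encoding: gzip` header for output that is then discarded; keeping that capture buffer as a plain `ob_start();` and installing ob_gzhandler only in the second statement avoids the ambiguity. The same conditional is now duplicated, while `extInitGzip()` survives in libraries/standalone.php (its closing lines are context in that hunk) and is no longer called here — either fold the new conditional into extInitGzip() and keep the call, or remove the now-unused function. If anything else still calls the removed `extDoGzip()`, that call now fails with an undefined-function error; no remaining caller is visible in this diff.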
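Review bot: The migrated string offsets in getPermissions() are written `$mode [ $i ]`, with spaces on both sides of the bracket pair, which reads like a spurious call space rather than offset syntax; `$parsed_mode .= ($mode[$i] & 04) ? "r" : "-";` (and likewise for the `02` and `01` lines) is the usual form and makes the curly-brace-to-bracket migration obvious at a glance. getPermissions() starts outside this hunk.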
@@ -307,10 +307,7 @@ public function sanitize(array $input, array $fields = array(), $utf8_encode = t $value = null; } if (is_string($value)) { - if ($magic_quotes === true) { - $value = stripslashes($value); - } - + if (strpos($value, "\r") !== false) { $value = trim($value); } diff --git a/libraries/standalone.php b/libraries/standalone.php index 7c5bb15..ee50eac 100644 --- a/libraries/standalone.php +++ b/libraries/standalone.php @@ -329,32 +329,7 @@ function extInitGzip() { ob_start(); } -/** -* Perform GZIP -*/ -function extDoGzip() { - global $do_gzip_compress; - if ( $do_gzip_compress ) { - /** - *Borrowed from php.net! - */ - $gzip_contents = ob_get_contents(); - ob_end_clean(); - - $gzip_size = strlen($gzip_contents); - $gzip_crc = crc32($gzip_contents); - - $gzip_contents = gzcompress($gzip_contents, 9); - $gzip_contents = substr($gzip_contents, 0, strlen($gzip_contents) - 4); - - echo "\x1f\x8b\x08\x00\x00\x00\x00\x00"; - echo $gzip_contents; - echo pack('V', $gzip_crc); - echo pack('V', $gzip_size); - } else { - ob_end_flush(); - } -} + /** * Replaces & with & for xhtml compliance *
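Review bot: Dropping the `stripslashes()` branch removes the only use of `$magic_quotes` visible here, but the variable's own assignment in sanitize() lies outside the hunk; if it was computed from `get_magic_quotes_gpc()`, that function was removed in PHP 8.0 and the assignment itself will now fail, so it needs to go as well — otherwise it is at best an unused local. A one-line comment above the `if (is_string($value))` block such as `// magic_quotes_gpc no longer exists (removed in PHP 8); input is taken as-is` would record why the unslashing disappeared. sanitize() starts and continues outside this hunk.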