Fix to test if delete, rename, paste and save is allowed webmin/webmi…

…n#2300

extensions/file-manager/delete.cgi

@@ -36,6 +36,10 @@ foreach my $name (@entries_list) {
     $name = simplify_path($name);
     if ($in{'etrash'}) {
         my $tdir = "$cwd/$tdirname/";
+        if (!can_write($tdir)) {
+            $errors{$name_} = lc($text{'error_delete'} . lc(" - $text{'error_write'}"));
+            next;    
+        }
         if (!&unlink_file($tdir)) {
             $errors{$name_} = lc($text{'error_delete'} . lc(" - $!"));
         } else {
@@ -65,7 +69,10 @@ foreach my $name (@entries_list) {
             if (&is_under_directory("$cwd/$name", $tfile || "$tdir/$name")) {
                 # If .Trash the only one in list, delete it
                 if (scalar(@entries_list) == 1) {
-                    if (!&unlink_file("$cwd/$name")) {
+                    if (!can_write("$cwd/$name")) {
+                        $errors{$name_} = lc($text{'error_delete'} . lc(" - $text{'error_write'}"));
+                    }
+                    elsif (!&unlink_file("$cwd/$name")) {
                         $errors{$name_} = lc($text{'error_delete'} . lc(" - $!"));
                     } else {
                         $etrashed = 1;
@@ -79,7 +86,10 @@ foreach my $name (@entries_list) {
             push(@deleted_entries, $name);
         }
     } else {
-        if (!&unlink_file($cwd . '/' . $name)) {
+        if (!can_write($cwd . '/' . $name)) {
+            $errors{$name_} = lc($text{'error_delete'} . lc(" - $text{'error_write'}"));
+        }
+        elsif (!&unlink_file($cwd . '/' . $name)) {
             $errors{$name_} = lc($text{'error_delete'} . lc(" - $!"));
         } else {
             push(@deleted_entries, $name);

extensions/file-manager/paste.cgi

@@ -7,7 +7,7 @@
 #
 use strict;
 
-our (%in, %request_uri, $cwd, $base, $path);
+our (%in, %text, %request_uri, $cwd, $base, $path);
 
 do($ENV{'THEME_ROOT'} . "/extensions/file-manager/file-manager-lib.pl");
 
@@ -50,6 +50,10 @@ if (!$dr) {
     for (my $i = 2; $i <= scalar(@arr) - 1; $i++) {
         chomp($arr[$i]);
         $arr[$i] = simplify_path($arr[$i]);
+        if (!can_move("$from/$arr[$i]", $cwd, $from)) {
+            $errors{"$arr[$i]"} = "$text{'error_move'}";
+            next;
+        }
         my $err = paster("$cwd", "$arr[$i]", "$from/$arr[$i]", "$cwd/$arr[$i]", $fo, $mv, $in{'fownergroup'});
         if ($err) {
             $errors{"$arr[$i]"} = $err;

extensions/file-manager/rename.cgi

@@ -33,14 +33,15 @@ if (-e "$cwd/$in{'name'}") {
     my $to   = $in{'name'};
     my $fsid = $in{'fsid'};
 
-    if (rename_file($cwd . '/' . $from, $cwd . '/' . $to)) {
+    if (can_move($cwd . '/' . $from, $cwd) && 
+        rename_file($cwd . '/' . $from, $cwd . '/' . $to)) {
         cache_search_rename($fsid, $from, $to) if ($fsid);
         redirect_local('list.cgi?path=' . urlize($path) . '&module=filemin' . extra_query());
     } else {
         print_error(
                     (
                      text('filemanager_rename_denied',
-                          html_escape($in{'name'}),
+                          html_escape($to),
                           html_escape($path),
                           lc($text{ 'theme_xhred_global_' . $type . '' })
                      )

theme.info

@@ -4,7 +4,7 @@ bootstrap=3
 spa=1
 nomodcall=xnavigation=1
 version=21.30-beta1
-mversion=07
+mversion=08
 bversion=00
 webmin=1
 usermin=1