From 46f4c3adc44ef8f1762398616768c919d071f18a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Vad=C3=A1szi=20Attila?=
Date: Sun, 13 Oct 2024 22:27:45 +0200
Subject: [PATCH] Fix multiple download and browse while downloading
---
 tinyfilemanager.php | 96 ++++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 91 insertions(+), 5 deletions(-)
diff --git a/tinyfilemanager.php b/tinyfilemanager.php
index 22ba10ba..5cfe2aa2 100644
--- a/tinyfilemanager.php
+++ b/tinyfilemanager.php
@@ -891,23 +891,38 @@ function get_file_path () {
 // Download
 if (isset($_GET['dl'], $_POST['token'])) {
- if(!verifyToken($_POST['token'])) {
+ // Verify the token to ensure it's valid
+ if (!verifyToken($_POST['token'])) {
 fm_set_msg("Invalid Token.", 'error');
+ exit;
 }
+ // Clean the download file path
 $dl = urldecode($_GET['dl']);
- $dl = fm_clean_path($dl);
- $dl = str_replace('/', '', $dl);
+ $dl = fm_clean_path($dl);
+ $dl = str_replace('/', '', $dl); // Prevent directory traversal attacks
+
+ // Define the file path
 $path = FM_ROOT_PATH;
 if (FM_PATH != '') {
 $path .= '/' . FM_PATH;
 }
+
+ // Check if the file exists and is valid
 if ($dl != '' && is_file($path . '/' . $dl)) {
- fm_download_file($path . '/' . $dl, $dl, 1024);
+ // Close the session to prevent session locking
+ if (session_status() === PHP_SESSION_ACTIVE) {
+ session_write_close();
+ }
+
+ // Call the download function
+ fm_download_file($path . '/' . $dl, $dl, 1024); // Download with a buffer size of 1024 bytes
 exit;
 } else {
+ // Handle the case where the file is not found
 fm_set_msg(lng('File not found'), 'error');
- $FM_PATH=FM_PATH; fm_redirect(FM_SELF_URL . '?p=' . urlencode($FM_PATH));
+ $FM_PATH = FM_PATH;
+ fm_redirect(FM_SELF_URL . '?p=' . urlencode($FM_PATH));
 }
 }
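Review bot: The invalid-token branch at the top of the download block now stops at a bare `exit;`, so the request ends with an empty response and the message passed to `fm_set_msg()` is presumably only seen on a later page load; the mass-download hunk added further down has the same pattern. Redirecting the way the not-found branch already does, `fm_redirect(FM_SELF_URL . '?p=' . urlencode(FM_PATH));` ahead of the `exit;`, keeps the rejection visible, and the string should go through `lng()` as it does in the other hunk. The new comment above the check could record why the `exit` matters: `// Stop here: without the exit the download below still runs with an invalid token`. The trailing comment `// Prevent directory traversal attacks` claims more than the `str_replace('/', '', $dl)` line shows, since that call only strips forward slashes and the handling of `..` and backslashes is left to `fm_clean_path()`, which is outside this hunk.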
@@ -1053,6 +1068,75 @@ function get_file_path () {
 exit();
 }
+// Mass downloading
+if (isset($_POST['group'], $_POST['download'], $_POST['token']) && !FM_READONLY) {
+
+ // Verify token to ensure it's valid
+ if (!verifyToken($_POST['token'])) {
+ fm_set_msg(lng("Invalid Token."), 'error');
+ exit;
+ }
+
+ $path = FM_ROOT_PATH;
+ if (FM_PATH != '') {
+ $path .= '/' . FM_PATH;
+ }
+
+ $errors = 0;
+ $files = $_POST['file']; // List of selected files
+ if (is_array($files) && count($files)) {
+
+ // Create a new ZIP archive
+ $zip = new ZipArchive();
+ $zip_filename = 'download_' . date('Y-m-d_H-i-s') . '.zip';
+ $zip_filepath = sys_get_temp_dir() . '/' . $zip_filename;
+
+ if ($zip->open($zip_filepath, ZipArchive::CREATE) !== TRUE) {
+ fm_set_msg(lng('Cannot create ZIP file'), 'error');
+ $FM_PATH=FM_PATH; fm_redirect(FM_SELF_URL . '?p=' . urlencode($FM_PATH));
+ }
+
+ foreach ($files as $f) {
+ if ($f != '') {
+ $new_path = $path . '/' . fm_clean_path($f); // Sanitize the file path
+
+ if (is_file($new_path)) {
+ // Add the file to the ZIP archive
+ $zip->addFile($new_path, basename($new_path));
+ } else {
+ $errors++;
+ }
+ }
+ }
+
+ // Close the ZIP archive
+ $zip->close();
+
+ // Check for errors
+ if ($errors == 0) {
+ // Serve the ZIP file for download
+ if (file_exists($zip_filepath)) {
+ header('Content-Type: application/zip');
+ header('Content-Disposition: attachment; filename="' . $zip_filename . '"');
+ header('Content-Length: ' . filesize($zip_filepath));
+ readfile($zip_filepath);
+ // Remove the ZIP file from the temporary directory after download
+ unlink($zip_filepath);
+ exit;
+ } else {
+ fm_set_msg(lng('Error creating ZIP file'), 'error');
+ }
+ } else {
+ fm_set_msg(lng('Error while adding items to ZIP'), 'error');
+ }
+ } else {
+ fm_set_msg(lng('Nothing selected'), 'alert');
+ }
+
+ $FM_PATH = FM_PATH;
+ fm_redirect(FM_SELF_URL . '?p=' . urlencode($FM_PATH));
+}
+
 // Mass deleting
 if (isset($_POST['group'], $_POST['delete'], $_POST['token']) && !FM_READONLY) {
@@ -2225,6 +2309,8 @@ class="edit-file">
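Review bot: The archive path is a second-resolution timestamp under the shared `sys_get_temp_dir()` and is opened with `ZipArchive::CREATE`, so two requests in the same second, or a file already present under that name, end up using one archive and a user can be served entries that another request selected. The archive is also unlinked only on the success path, which means the `$errors` branch leaves a copy of the selected files in the temp directory. I would give each request its own temp file, open it in overwrite mode, remove it on every failure path, and release the session lock before `readfile()` the way the single-file download hunk now does. Whether `fm_redirect()` ends the request is not visible here; if it does not, the failed-`open()` branch falls through to `addFile()` on an archive that was never opened, so the sketch below exits explicitly.

```php
// … unchanged: token check, $path, $errors, $files, new ZipArchive(), $zip_filename …
        // Unique per-request path; the timestamped name is kept only for Content-Disposition
        $zip_filepath = tempnam(sys_get_temp_dir(), 'fm_zip_');

        if ($zip_filepath === false || $zip->open($zip_filepath, ZipArchive::OVERWRITE) !== true) {
            if ($zip_filepath !== false) {
                unlink($zip_filepath);
            }
            // … unchanged: fm_set_msg('Cannot create ZIP file'), redirect …
            exit;
        }

// … unchanged: foreach that adds the files, $zip->close(), if ($errors == 0) …
            if (file_exists($zip_filepath)) {
                // Release the session lock before streaming, as the single-file branch does
                if (session_status() === PHP_SESSION_ACTIVE) {
                    session_write_close();
                }
// … unchanged: headers, readfile(), unlink(), exit, 'Error creating ZIP file' branch …
        } else {
            // An item was rejected: remove the partial archive instead of leaving it in the temp dir
            if (is_file($zip_filepath)) {
                unlink($zip_filepath);
            }
            fm_set_msg(lng('Error while adding items to ZIP'), 'error');
        }
```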
  • +
  • +