[GH-ISSUE #187] view file is insecure #131

New issue

Closed

opened 2026-03-02 15:56:03 +03:00 by kerem · 1 comment

kerem commented

2026-03-02 15:56:03 +03:00

Owner

Originally created by @satyr-software on GitHub (Jun 14, 2019).
Original GitHub issue: https://github.com/prasathmani/tinyfilemanager/issues/187

File exclusion mask is applied on listing files, but not on views:
Short test:

View path (let's say index.php)
Open file (opens fine)
Add to GLOBALS['exclude_items'];
Reload : (File still displayed)
Back: View path (file dissapears)

Expected result:

Reload should show "FIle Not Found" (excluded)

Fix:
if ($file == '' || !is_file($path . '/' . $file) || in_array($file, $GLOBALS['exclude_items'])) {

Just before:
fm_set_msg('File not found', 'error');

Originally created by @satyr-software on GitHub (Jun 14, 2019). Original GitHub issue: https://github.com/prasathmani/tinyfilemanager/issues/187 File exclusion mask is applied on listing files, but not on views: Short test: * View path (let's say index.php) * Open file (opens fine) * Add to GLOBALS['exclude_items']; * Reload : (File still displayed) * Back: View path (file dissapears) Expected result: * Reload should show "FIle Not Found" (excluded) Fix: if ($file == '' || !is_file($path . '/' . $file) **|| in_array($file, $GLOBALS['exclude_items'])**) { Just before: fm_set_msg('File not found', 'error');