| [php:core] add Main option `commonTempPath`
## commonTempPath
Temp directory path for working place.
It will be encouraged to set up outside the document root.
**Data type:** string
**Default value:** `'./.tmp'` | 10 年前 |
| [php:editors] Zoho API update
| 2 年前 |
| [php] add @var type hinting rel. #2812
| 7 年前 |
| [security] fix #3458 filename bypass leading to RCE on Windows server (#3470)
Windows servers do not allow "." (Dots) at the end of a file name. | 4 年前 |
| [ENH] Lossless image compression. Saved 1kb with an average of 35.7% per file, up to 67.7%. (#2387)
| 8 年前 |
| [doc,example] fix #3079 add connector.maximal.php-dist
| 6 年前 |
| Updated documentation for newly added SFTP driver, removed unavailable demo url, Drupal integration info update, added SFTP volume example and dependencies install info.
| 5 年前 |
| [php] change code style to PSR-2 of all of php files
| 7 年前 |
| [php-dist] fix typo
| 4 年前 |
| [php-dist] fix typo
| 4 年前 |
| elFinder version 2.1.66
| 8 个月前 |
| [php:core] fix #3134 close file pointer before deleting temporary file on shutdown
| 6 年前 |
| [cmd:netmount] fix #3138 OAuth not possible with CORS due to new ITP
| 6 年前 |
| [php] change code style to PSR-2 of all of php files
| 7 年前 |
| [php:session] fix #3278 wrong code of typo
| 4 年前 |
| [php] change code style to PSR-2 of all of php files
| 7 年前 |
| [cmd:netmount] fix #3138 OAuth not possible with CORS due to new ITP
| 6 年前 |
| Fix CVE-2025-0818 (#3723)
* CVE-2025-0818 (Part 1)
- Fixed arbitrary file delete by prepending the tempath to the global temp file array paths before deleting them
- This also required a new global array (elFinderAbortFiles) because the temp path could be different depeing on the configuration of elFInder.
- Removed the ability of getTempPath() to return the writableTmb path because this would unnecessarly complicate things when checking the path before deletion
* CVE-2025-0818 (Part II)
- Prevented arbitrary file read by prepending the common temp directory to the extracted onetime file path of the 'file' commands 'ontime' function.
- Prevented directory traversal and the general use of paths by using basename() for the appended file name.
- This patch currently prevents arbitrary file reads and deletes. However, it still allows this for files in the .tmp directory. This should also at least be mitigated. | 8 个月前 |
| Fix #3637 FILTER_SANITIZE_STRING is deprecated (PHP 8.1)
| 1 年前 |
| [VD:FTP] fix #3172 to support filename starting with " "
| 5 年前 |
| [cmd:netmount] fix #3138 OAuth not possible with CORS due to new ITP
| 6 年前 |
| [php] change code style to PSR-2 of all of php files
| 7 年前 |
| [VD:LocalFileSystem] fix #3543 Can't download folder in PHP 8.1
| 2 年前 |
| Use prepared statements instead of escaping when saving file (#3604)
Co-authored-by: Adam Valalský <adam.valalsky@nubium.cz> | 2 年前 |
| [OneDrive] fix Content URL
| 1 年前 |
| [VD:SFTP] Make compatible with phpseclib version 2 or 3 when returned from connectCallback($options) (#3687)
| 8 个月前 |
| [php] change code style to PSR-2 of all of php files
| 7 年前 |
| [php] change code style to PSR-2 of all of php files
| 7 年前 |
| [mime.types] Update mime.types to allow MS outlook message files (#3499)
Adding application/vnd.ms-outlook mimetype with .msg extension | 3 年前 |