diff --git a/admin-dev/ajaxfilemanager/ajax_file_upload.php b/admin-dev/ajaxfilemanager/ajax_file_upload.php
index b21a39c13..c942991ed 100755
--- a/admin-dev/ajaxfilemanager/ajax_file_upload.php
+++ b/admin-dev/ajaxfilemanager/ajax_file_upload.php
@@ -22,26 +22,18 @@
 $upload->setInvalidFileExt(explode(",", CONFIG_UPLOAD_INVALID_EXTS));
 if(CONFIG_SYS_VIEW_ONLY || !CONFIG_OPTIONS_UPLOAD)
- {
 $error = SYS_DISABLED;
- }
 elseif(empty($_GET['folder']) || !isUnderRoot($_GET['folder']))
- {
 $error = ERR_FOLDER_PATH_NOT_ALLOWED;
- }else if(!$upload->isFileUploaded('file'))
- {
+ elseif (!$upload->isFileUploaded('file'))
 $error = ERR_FILE_NOT_UPLOADED;
- }else if(!$upload->moveUploadedFile($_GET['folder']))
- {
- $error = ERR_FILE_MOVE_FAILED;
- }
- elseif(!$upload->isPermittedFileExt(explode(",", CONFIG_UPLOAD_VALID_EXTS)))
- {
+ elseif (!$upload->isPermittedFileExt(explode(",", CONFIG_UPLOAD_VALID_EXTS)))
 $error = ERR_FILE_TYPE_NOT_ALLOWED;
- }elseif(defined('CONFIG_UPLOAD_MAXSIZE') && CONFIG_UPLOAD_MAXSIZE && $upload->isSizeTooBig(CONFIG_UPLOAD_MAXSIZE))
- {
+ elseif (defined('CONFIG_UPLOAD_MAXSIZE') && CONFIG_UPLOAD_MAXSIZE && $upload->isSizeTooBig(CONFIG_UPLOAD_MAXSIZE))
 $error = sprintf(ERROR_FILE_TOO_BID, transformFileSize(CONFIG_UPLOAD_MAXSIZE));
- }else
+ elseif (!$upload->moveUploadedFile($_GET['folder']))
+ $error = ERR_FILE_MOVE_FAILED;
+ else
 {
 include_once(CLASS_FILE);
 $path = $upload->getFilePath();
diff --git a/admin-dev/ajaxfilemanager/ajax_get_file_listing.php b/admin-dev/ajaxfilemanager/ajax_get_file_listing.php
index c72110344..bb85caada 100755
--- a/admin-dev/ajaxfilemanager/ajax_get_file_listing.php
+++ b/admin-dev/ajaxfilemanager/ajax_get_file_listing.php
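Review bot: With `moveUploadedFile($_GET['folder'])` now the last test in the chain, a file that fails the extension or size check is no longer written into the target folder before being rejected, which is the right order; the remaining gap is that `isPermittedFileExt(...)` appears to judge the upload by its name only, so for an image-only whitelist a content check on the temporary file before the move (e.g. `getimagesize()` on `$_FILES['file']['tmp_name']`) would be the cheap complement — the `$upload` object's class is not visible here, so it may already do this. Separately, the new `elseif` arms drop their braces while the final `else` keeps a block; keeping `{ }` on every arm avoids a later one-line addition silently landing outside its branch. The `else` body continues past the end of the hunk.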
@@ -24,7 +24,8 @@
 if(!empty($_GET['search']))
 {
 include_once(CLASS_SEARCH);
-
+ if (!preg_match('/^'.Tools::pRegexp(realpath(dirname(__FILE__).'/'.$_GET['search_folder']), '/').'/i', _PS_ROOT_DIR_.'/img/cms'))
+ exit;
 $search = new Search($_GET['search_folder']);
 $search->addSearchKeyword('recursive', @$_GET['search_recursively']);
 $search->addSearchKeyword('mtime_from', @$_GET['search_mtime_from']);
diff --git a/admin-dev/ajaxfilemanager/ajax_login.php b/admin-dev/ajaxfilemanager/ajax_login.php
index 2f07dc7d1..cbf069ed1 100755
--- a/admin-dev/ajaxfilemanager/ajax_login.php
+++ b/admin-dev/ajaxfilemanager/ajax_login.php
@@ -32,7 +32,6 @@
 if(!isset($_SESSION['loggedin']) || $_SESSION['loggedin'] === false)
 {
- <?php echo LOGIN_PAGE_TITLE; ?>
diff --git a/admin-dev/ajaxfilemanager/inc/config.base.php b/admin-dev/ajaxfilemanager/inc/config.base.php
index 28155f21e..5b57feed0 100755
--- a/admin-dev/ajaxfilemanager/inc/config.base.php
+++ b/admin-dev/ajaxfilemanager/inc/config.base.php
@@ -78,9 +78,9 @@
 define('CONFIG_EDITABLE_VALID_EXTS', 'txt,htm,html,xml,js,css'); //make you include all these extension in CONFIG_UPLOAD_VALID_EXTS if you want all valid
 define('CONFIG_OVERWRITTEN', false); //overwirte when processing paste
- define('CONFIG_UPLOAD_VALID_EXTS', 'gif,jpg,png');// //
+ define('CONFIG_UPLOAD_VALID_EXTS', 'gif,jpg,jpeg,png');// //
 //define('CONFIG_UPLOAD_VALID_EXTS', 'gif,jpg,png,bmp,tif,zip,sit,rar,gz,tar,htm,html,mov,mpg,avi,asf,mpeg,wmv,aif,aiff,wav,mp3,swf,ppt,rtf,doc,pdf,xls,txt,xml,xsl,dtd');//
- define("CONFIG_VIEWABLE_VALID_EXTS", 'gif,jpg,png');
+ define("CONFIG_VIEWABLE_VALID_EXTS", 'gif,jpg,jpeg,jpeg,png');
 //define('CONFIG_UPLOAD_VALID_EXTS', 'gif,jpg,png,txt'); //
 define('CONFIG_UPLOAD_INVALID_EXTS', '');
diff --git a/admin-dev/ajaxfilemanager/inc/config.php b/admin-dev/ajaxfilemanager/inc/config.php
index 2f30ed245..09b4e4200 100755
--- a/admin-dev/ajaxfilemanager/inc/config.php
+++ b/admin-dev/ajaxfilemanager/inc/config.php
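Review bot: The new `preg_match` guard looks inverted: it tests whether `_PS_ROOT_DIR_.'/img/cms'` starts with the resolved `search_folder`, so a folder that resolves to `_PS_ROOT_DIR_` or any ancestor of it passes while a genuine subfolder of `img/cms` does not; the prefix and the subject should be swapped, `if (!preg_match('/^'.Tools::pRegexp(realpath(_PS_ROOT_DIR_.'/img/cms'), '/').'/i', realpath(dirname(__FILE__).'/'.$_GET['search_folder'])))`. A path that does not exist makes `realpath()` return `false`, which presumably becomes an empty pattern after `Tools::pRegexp` and then matches anything, so the `realpath()` result should be checked for `false` before it is used. This assumes `img/cms` is the intended root of the search; if only the exact root is meant to be searchable, a comment saying so would save the next reader the same double-take.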
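Review bot: The new `CONFIG_VIEWABLE_VALID_EXTS` value lists `jpeg` twice (`'gif,jpg,jpeg,jpeg,png'`); harmless for a membership test, but it should read `'gif,jpg,jpeg,png'` so it matches `CONFIG_UPLOAD_VALID_EXTS` in the same hunk and the parallel change in `config.tinymce.php`. How the consumers of these lists compare extensions is not visible here; it is worth confirming that the incoming extension is lower-cased before the comparison, otherwise `.JPG`/`.JPEG` uploads will be handled inconsistently by the two lists.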
@@ -10,6 +10,9 @@
 //FILESYSTEM CONFIG
require_once(dirname(__FILE__) . DIRECTORY_SEPARATOR . "class.auth.php");
+ if (_PS_MODE_DEMO_)
+ die('This functionality has been disabled.');
+
 define('CONFIG_QUERY_STRING_ENABLE', true); //Enable passed query string to setting the system configuration
 if(!isset($_SESSION))
 {
diff --git a/admin-dev/ajaxfilemanager/inc/config.tinymce.php b/admin-dev/ajaxfilemanager/inc/config.tinymce.php
index c406f47e5..9070323a2 100755
--- a/admin-dev/ajaxfilemanager/inc/config.tinymce.php
+++ b/admin-dev/ajaxfilemanager/inc/config.tinymce.php
@@ -73,9 +73,9 @@
 define('CONFIG_EDITABLE_VALID_EXTS', 'txt,htm,html,xml,js,css'); //make you include all these extension in CONFIG_UPLOAD_VALID_EXTS if you want all valid
 define('CONFIG_OVERWRITTEN', false); //overwirte when processing paste
- define('CONFIG_UPLOAD_VALID_EXTS', 'gif,jpg,png,txt'); //
+ define('CONFIG_UPLOAD_VALID_EXTS', 'gif,jpg,jpeg,png,txt'); //
 //define('CONFIG_UPLOAD_VALID_EXTS', 'gif,jpg,png,bmp,tif,zip,sit,rar,gz,tar,htm,html,mov,mpg,avi,asf,mpeg,wmv,aif,aiff,wav,mp3,swf,ppt,rtf,doc,pdf,xls,txt,xml,xsl,dtd');//
- define("CONFIG_VIEWABLE_VALID_EXTS", 'gif,bmp,txt,jpg,png,tif,html,htm,js,css,xml,xsl,dtd,mp3,wav,wmv,wma,rm,rmvb,mov,swf');
+ define("CONFIG_VIEWABLE_VALID_EXTS", 'gif,bmp,txt,jpg,jpeg,png,tif,html,htm,js,css,xml,xsl,dtd,mp3,wav,wmv,wma,rm,rmvb,mov,swf');
 //define('CONFIG_UPLOAD_VALID_EXTS', 'gif,jpg,png,txt'); //
 define('CONFIG_UPLOAD_INVALID_EXTS', '');
diff --git a/admin-dev/header.inc.php b/admin-dev/header.inc.php
index 26110efc9..86a4aac2d 100644
--- a/admin-dev/header.inc.php
+++ b/admin-dev/header.inc.php
@@ -56,9 +56,6 @@ echo ' '.Hook::exec('displayBackOfficeHeader').' -
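Review bot: The demo-mode guard ends with `die('This functionality has been disabled.')`, which sends the message with a 200 status; since the files that include this config answer AJAX requests, setting an explicit status first, `header('HTTP/1.1 403 Forbidden');`, lets the caller tell a refusal apart from a successful reply. The guard also relies on `_PS_MODE_DEMO_` being defined by the PrestaShop bootstrap before this file is included; before PHP 8 an undefined constant degrades to its own name as a non-empty string (with a notice) and PHP 8 throws, so it fails closed either way, but that is accidental rather than designed and deserves a comment such as `// _PS_MODE_DEMO_ comes from the core settings; an undefined constant is truthy here, so this fails closed`. Placing the check before the `require_once` of `class.auth.php` would also keep demo mode from loading auth code it never uses, if nothing in that file is needed for the message.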