DISKMASTER_IMPROVEMENTS_EN
DiskMaster 3.1 - 2025 Improvements #
New Features #
What Was Added #
1. Bidirectional copy: `← COPY`
- Now copies from list 2 (right) to list 1 (left)
- Full symmetry of operations
2. Secure upload: `📤 UPLOAD`
- Drag & drop interface (ready for enhancement)
- Multiple file upload
- Automatic duplicate handling
- Progress bar
3. Secure download: `📥 DOWNLOAD`
- No more direct link exposing the path
- Routed through `diskmaster.mod` handler
- Forces download for ALL file types (including .md)
- Full path validation
---
Modified/Created Files #
1. `diskmaster.php` (modified) #
Changes:
- Added `← COPY` button (line ~652)
- Added `📤 UPLOAD` button (line ~656)
- `copyFileReverse()` function for reverse copy
- `uploadFile()` function with modal dialog
- `downloadFile()` function now uses the secure handler
2. `diskmaster.mod.php` (new) #
Supported actions:
- `download`: Secure download with path validation
- `upload`: Multiple upload with sanitisation
- `info`: File info (for future use)
---
Usage #
Bidirectional Copy #
Before: Only `COPY →` (left to right)
Now:
1. `COPY →`: Left to right (as before)
2. `← COPY`: Right to left (new!)
Workflow:
1. Select a file in the RIGHT list
2. Click "← COPY"
3. The file is copied to the LEFT list
---
File Upload #
Workflow:
1. Navigate to the destination folder (left list)
2. Click "📤 UPLOAD"
3. Select one or more files
4. Click "UPLOAD"
5. The page reloads automatically
Features:
- Simultaneous multiple upload
- Automatic duplicate handling (appends `_1`, `_2`, etc.)
- Filename sanitisation
- Visual progress bar
- Clear error messages
---
Secure Download #
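Before:
```javascript
window.location.href = getCurrentSourcePath() + '/' + selectedSource;
// → Exposed the path, .md displayed as plain text
```
Now:
```javascript
// encodeURIComponent() keeps &, #, spaces etc. in the path from breaking the query string
window.location.href = '?obj=diskmaster.mod&action=download&path=' + encodeURIComponent(filepath);
// → Handler validates path, forces download for ALL types
```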
Security:
- Path traversal impossible (`../` blocked)
- Validation against `$allowedDirs` whitelist
- Forces `Content-Disposition: attachment` header
- .md files downloaded instead of displayed
---
Security #
Path Validation #
All paths go through `validatePath()`:
```php
function validatePath($path, $allowedDirs) {
    // 1. Sanitize via Parser
    // 2. Remove ../ and backslashes
    // 3. Check against whitelist
    // 4. Return false if invalid
}
```
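The whitelist step can also be done on the canonical path, so the result does not depend on which sequences were stripped beforehand. The following is an added example, not DiskMaster's own `validatePath()`: the function name `resolveAllowedPath()`, the base-directory argument and the flat-list shape of `$allowedDirs` are assumptions, and the directory tree is constructed for the demo.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not DiskMaster's validatePath): returns the canonical
// path if $relPath resolves inside an allowed directory, otherwise false.
function resolveAllowedPath(string $baseDir, string $relPath, array $allowedDirs)
{
    if (strpos($relPath, "\0") !== false) {
        return false; // NUL bytes never belong in a path
    }
    // realpath() resolves "..", "." and symlinks; false if the target is missing
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . $relPath);
    if ($real === false) {
        return false;
    }
    foreach ($allowedDirs as $dir) {
        $root = realpath($baseDir . DIRECTORY_SEPARATOR . $dir);
        if ($root === false) {
            continue; // allowlist entry does not exist on disk
        }
        // The trailing separator stops "user" from also matching "user_backup"
        if ($real === $root || strpos($real, $root . DIRECTORY_SEPARATOR) === 0) {
            return $real;
        }
    }
    return false;
}

// Constructed demo tree under the system temp directory
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'dm_demo_' . bin2hex(random_bytes(4));
mkdir($base . '/user/data', 0755, true);
mkdir($base . '/user_backup', 0755, true);
file_put_contents($base . '/user/data/test.txt', 'ok');
file_put_contents($base . '/user_backup/old.txt', 'x');
file_put_contents($base . '/secret.txt', 'x');

$allowedDirs = ['user']; // assumed shape: flat list relative to $base
$samples = ['user/data/test.txt', 'user/../secret.txt', 'user_backup/old.txt', 'user/missing.txt'];
foreach ($samples as $p) {
    $ok = resolveAllowedPath($base, $p, $allowedDirs) !== false;
    echo str_pad($p, 22), $ok ? 'allowed' : 'rejected', PHP_EOL;
}
```

Because `realpath()` needs the target to exist, an upload handler would apply this check to the destination directory rather than to the file about to be created.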
Secure Upload #
```php
// 1. Check ADMIN level
if(!secure('SYSTEM_LEVEL_ADMIN')) exit;
// 2. Check destination path
if(!validatePath($targetDir, $allowedDirs)) exit;
// 3. Sanitize filename
$filename = preg_replace('/[^a-zA-Z0-9._-]/', '_', $filename);
// 4. Check upload errors
if($_FILES['files']['error'][$i] !== UPLOAD_ERR_OK) continue;
```
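How the filename filter, the `_1`, `_2` duplicate handling and the per-file error check fit together in one multi-file loop is sketched below. This is an added example, not code from `diskmaster.mod.php`: the helper names are hypothetical, placing the suffix before the extension is an assumption, and the client filenames in the demo are constructed.

```php
<?php
declare(strict_types=1);
// Hypothetical helper: reduce a client-supplied name to a safe basename.
function sanitizeUploadName(string $name): string
{
    // Keep only the last path component, whichever separator the client sent
    $name = basename(str_replace('\\', '/', $name));
    $name = preg_replace('/[^a-zA-Z0-9._-]/', '_', $name);
    $name = ltrim($name, '.'); // no ".", ".." or dotfiles
    return $name === '' ? 'upload' : $name;
}

// Hypothetical helper: first free path in $dir, trying name_1.ext, name_2.ext, ...
function uniqueTarget(string $dir, string $name): string
{
    $stem = pathinfo($name, PATHINFO_FILENAME);
    $ext  = pathinfo($name, PATHINFO_EXTENSION);
    $candidate = $dir . DIRECTORY_SEPARATOR . $name;
    for ($i = 1; file_exists($candidate); $i++) {
        $candidate = $dir . DIRECTORY_SEPARATOR . $stem . '_' . $i . ($ext === '' ? '' : '.' . $ext);
    }
    return $candidate;
}

// Walks the per-index arrays PHP builds for <input name="files[]" multiple>
function storeUploads(array $field, string $targetDir): array
{
    $saved = [];
    foreach ($field['name'] as $i => $clientName) {
        if ($field['error'][$i] !== UPLOAD_ERR_OK) {
            continue;
        }
        $dest = uniqueTarget($targetDir, sanitizeUploadName($clientName));
        // move_uploaded_file() only accepts files received via HTTP POST upload
        if (move_uploaded_file($field['tmp_name'][$i], $dest)) {
            $saved[] = basename($dest);
        }
    }
    return $saved;
}

// Constructed CLI demo of the naming rules (no HTTP upload exists here)
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'dm_up_' . bin2hex(random_bytes(4));
mkdir($dir, 0755, true);
foreach (['report.pdf', 'report.pdf', '..\\.hidden', 'my notes.txt'] as $clientName) {
    $dest = uniqueTarget($dir, sanitizeUploadName($clientName));
    touch($dest);
    echo $clientName, ' -> ', basename($dest), PHP_EOL;
}
```

In the handler the call would be `storeUploads($_FILES['files'], $targetDir)` after the admin and path checks. The sanitised name keeps its extension, so whether an uploaded file can be executed by the web server depends on how the target directory is served.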
Secure Download #
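```php
// 1. Validate path
if (!validatePath($dir, $allowedDirs)) {
    http_response_code(403);
    exit;
}
// 2. Check existence (is_file() also rejects directories)
if (!is_file($fullPath)) {
    http_response_code(404);
    exit;
}
// 3. Force download; quotes, backslashes and line breaks are replaced
//    so the filename cannot break out of the header value
$safeName = str_replace(['"', '\\', "\r", "\n"], '_', basename($filename));
header('Content-Disposition: attachment; filename="' . $safeName . '"');
```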
---
Bug Fixes #
Bug #1: .md files served as HTML #
Before: `window.location.href = path/file.md` → Browser displays raw markdown
After: Handler forces `Content-Disposition: attachment` → Systematic download
Bug #2: List 2 unusable #
Before: Impossible to copy list2 → list1
After: `← COPY` button reverses `COPY →`
Bug #3: No upload #
Before: No way to send files
After: Full interface with multiple upload
---
Recommended Tests #
Test 1: Bidirectional copy #
1. Create test.txt in user/
2. Navigate to user/data/ (right list)
3. Select test.txt (left list)
4. COPY → (left to right)
5. Verify presence in user/data/
6. Select test.txt (RIGHT list)
7. ← COPY (right to left)
8. Verify copy succeeded
Test 2: Upload #
1. Navigate to user/test/
2. Click "📤 UPLOAD"
3. Select multiple files
4. Click "UPLOAD"
5. Verify all files are present
6. Try uploading a file with the same name
7. Verify automatic _1, _2, etc. suffix
Test 3: Secure download #
1. Create a test.md file with content
2. Select it in the list
3. Click "📥 DOWNLOAD"
4. Verify that the browser DOWNLOADS it instead of displaying it
5. Open the downloaded file
6. Verify content is intact
Test 4: Path traversal security #
Attempt (via console or Postman):
```
GET ?obj=diskmaster.mod&action=download&path=../../etc/passwd
```
Expected result: 403 Forbidden
---
Possible Future Improvements #
Drag & drop upload #
Currently: Classic file input button
Improvement:
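```html
<!-- Drop zone -->
<div id="dropZone" ondrop="handleDrop(event)" ondragover="allowDrop(event)">
  Drag your files here
</div>
<script>
// Without preventDefault() on dragover the browser refuses the drop
function allowDrop(e) {
  e.preventDefault();
}
function handleDrop(e) {
  e.preventDefault();
  const files = e.dataTransfer.files;
  uploadFiles(files); // upload routine for the dropped files, still to be written
}
</script>
```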
File preview #
Before download, display:
- Images: Thumbnail
- Text: Preview of first 100 characters
- PDF: First page
ZIP compression #
"Download as ZIP" button to download an entire folder
User permissions #
Currently: `SYSTEM_LEVEL_ADMIN` required
Improvement: Granular permissions per folder
```php
$allowedDirs = [
    'user' => ['read', 'write', 'delete'],
    'user/shared' => ['read', 'write'],
    'user/public' => ['read']
];
```
---
Important Notes #
Server Permissions #
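Upload requires write permissions on the destination folders. Mode 755 gives write access to the owner only, so the folders must be owned by the user PHP runs as:
```bash
chmod 755 user/
chmod 755 user/data/
# etc.
```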
Max Upload Size #
Configure in `php.ini`:
```ini
upload_max_filesize = 50M
post_max_size = 50M
max_execution_time = 300
```
MIME Types #
The handler automatically detects the MIME type via `finfo_file()`.
To force a specific type:
```php
$mimeType = 'application/octet-stream'; // Force binary download
```
---
Support #
Error Logs #
Check:
```bash
tail -f /var/log/php/error.log
```
Troubleshooting #
Upload not working:
1. Check folder permissions
2. Check PHP `upload_max_filesize`
3. Check Apache/Nginx logs
4. Test with a small file (<1MB)
Download not working:
1. Check that the file exists
2. Check path validation
3. Check user admin level
4. Test with curl: `curl -v "url?obj=diskmaster.mod&action=download&path=user/test.txt"`
← Copy does nothing:
1. Check selection in RIGHT list
2. Check JavaScript console for errors
3. Check destination permissions
---
Version: DiskMaster 3.1
Date: 2025-12-29
Author: Treveur 'Nowee' Bretaudière