
DiskMaster 3.1 - 2025 Improvements

New Features

What Was Added

1. Bidirectional copy: ← COPY

- Now copies from list 2 (right) to list 1 (left)

- Full symmetry of operations

2. Secure upload: 📤 UPLOAD

- Drag & drop interface (ready for enhancement)

- Multiple file upload

- Automatic duplicate handling

- Progress bar

3. Secure download: 📥 DOWNLOAD

- No more direct link exposing the path

- Routed through diskmaster.mod handler

- Forces download for ALL file types (including .md)

- Full path validation

Modified/Created Files

1. diskmaster.php (modified)

Changes:

  • Added ← COPY button (line ~652)
  • Added 📤 UPLOAD button (line ~656)
  • copyFileReverse() function for reverse copy
  • uploadFile() function with modal dialog
  • downloadFile() function now uses the secure handler

2. diskmaster.mod.php (new)

Supported actions:

  • download: Secure download with path validation
  • upload: Multiple upload with sanitisation
  • info: File info (for future use)

Usage

Bidirectional Copy

Before: Only COPY → (left to right)

Now:

1. COPY →: Left to right (as before)

2. ← COPY: Right to left (new!)

Workflow:

```text
1. Select a file in the RIGHT list
2. Click "← COPY"
3. The file is copied to the LEFT list
```

File Upload

Workflow:

```text
1. Navigate to the destination folder (left list)
2. Click "📤 UPLOAD"
3. Select one or more files
4. Click "UPLOAD"
5. The page reloads automatically
```

Features:

  • Simultaneous multiple upload
  • Automatic duplicate handling (appends _1, _2, etc.)
  • Filename sanitisation
  • Visual progress bar
  • Clear error messages

Secure Download

Before:

```javascript
window.location.href = getCurrentSourcePath() + '/' + selectedSource;
// → Exposed the path, .md displayed as plain text
```

Now:

```javascript
// encodeURIComponent keeps &, # and spaces in a name from breaking the query string
window.location.href = '?obj=diskmaster.mod&action=download&path=' + encodeURIComponent(filepath);
// → Handler validates path, forces download for ALL types
```

Security:

  • Path traversal impossible (../ blocked)
  • Validation against $allowedDirs whitelist
  • Forces Content-Disposition: attachment header
  • .md files downloaded instead of displayed

Security

Path Validation

All paths go through validatePath():

```php
function validatePath($path, $allowedDirs) {
	// 1. Sanitize via Parser
	// 2. Remove ../ and backslashes
	// 3. Check against whitelist
	// 4. Return false if invalid
}
```
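One way to implement the checks listed under "Security" and outlined in validatePath() above, as an added example that is not DiskMaster's own code: it canonicalises the path with realpath() and compares the resolved result with the allowlist, instead of relying on the rewritten string. The `$baseDir` parameter, the demo directory tree and the sample requests are assumptions constructed for this example.

```php
<?php
// Added example, not DiskMaster code. $baseDir and the demo tree are assumptions.

/** Returns the canonical absolute path if it lies inside an allowed directory, else false. */
function validatePath(string $path, array $allowedDirs, string $baseDir)
{
    // Refuse NUL bytes and backslashes rather than rewriting them.
    if ($path === '' || strpos($path, "\0") !== false || strpos($path, '\\') !== false) {
        return false;
    }
    // realpath() resolves ../, ./, repeated slashes and symlinks, and returns
    // false when the target does not exist.
    $real = realpath($baseDir . '/' . $path);
    if ($real === false) {
        return false;
    }
    foreach ($allowedDirs as $dir) {
        $root = realpath($baseDir . '/' . $dir);
        // The trailing separator keeps "user" from matching "user_old".
        if ($root !== false
            && ($real === $root || strpos($real, $root . DIRECTORY_SEPARATOR) === 0)) {
            return $real;
        }
    }
    return false;
}

// Constructed demo tree under the system temp directory.
$base = sys_get_temp_dir() . '/dm_demo_' . getmypid();
mkdir($base . '/user/data', 0755, true);
mkdir($base . '/user_old', 0755, true);
file_put_contents($base . '/user/data/test.txt', 'ok');
file_put_contents($base . '/user_old/notes.txt', 'outside the allowlist');

$cases = [
    'user/data/test.txt',                 // inside the allowlist
    '../../etc/passwd',                   // the request from Test 4
    'user/data/../../user_old/notes.txt', // resolves to a sibling directory
    'user/data/missing.txt',              // does not exist
];
foreach ($cases as $case) {
    $ok = validatePath($case, ['user'], $base) !== false;
    printf("%-36s %s\n", $case, $ok ? 'allowed' : 'rejected');
}
```

Because realpath() fails on missing targets, an upload handler would validate the destination directory this way and build the final file name separately.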

Secure Upload

```php
// 1. Check ADMIN level
if (!secure('SYSTEM_LEVEL_ADMIN')) exit;

// 2. Check destination path
if (!validatePath($targetDir, $allowedDirs)) exit;

// Steps 3 and 4 run once per uploaded file
foreach ($_FILES['files']['name'] as $i => $filename) {
	// 3. Sanitize filename
	$filename = preg_replace('/[^a-zA-Z0-9._-]/', '_', $filename);

	// 4. Check upload errors
	if ($_FILES['files']['error'][$i] !== UPLOAD_ERR_OK) continue;
}
```
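The filename step above combined with the duplicate handling described under "File Upload", as an added example that is not DiskMaster's own code. The character filter shown on this page keeps dots, so the example also drops leading dots and refuses script extensions; `safeUploadName()`, the `$blockedExt` list, the placement of the `_1` suffix before the extension, and the sample names are assumptions.

```php
<?php
// Added example, not DiskMaster code. safeUploadName() and $blockedExt are assumptions.

/** Returns a sanitised, non-colliding name for $targetDir, or null if the name is refused. */
function safeUploadName(string $clientName, string $targetDir): ?string
{
    $blockedExt = ['php', 'phtml', 'phar', 'cgi', 'pl'];

    // Keep the last path component only, then apply the page's character filter.
    $name = basename(str_replace('\\', '/', $clientName));
    $name = preg_replace('/[^a-zA-Z0-9._-]/', '_', $name);
    // The filter keeps dots, so dot-files and extensions are handled separately.
    $name = ltrim($name, '.');
    if ($name === '') {
        return null;
    }
    $parts = explode('.', strtolower($name));
    array_shift($parts); // drop the stem, keep every extension ("a.php.txt")
    if (array_intersect($parts, $blockedExt)) {
        return null;
    }
    // Duplicate handling: report.txt, report_1.txt, report_2.txt, ...
    $ext  = pathinfo($name, PATHINFO_EXTENSION);
    $stem = pathinfo($name, PATHINFO_FILENAME);
    $candidate = $name;
    for ($i = 1; file_exists($targetDir . '/' . $candidate); $i++) {
        $candidate = $stem . '_' . $i . ($ext === '' ? '' : '.' . $ext);
    }
    return $candidate;
}

// Constructed demo: one file already exists in the target directory.
$dir = sys_get_temp_dir() . '/dm_upload_' . getmypid();
mkdir($dir, 0755, true);
touch($dir . '/report.txt');

foreach (['report.txt', '../../my notes.md', 'page.php', '.htaccess'] as $n) {
    var_dump(safeUploadName($n, $dir));
}
// In the handler the returned name would be the destination for
// move_uploaded_file($_FILES['files']['tmp_name'][$i], $targetDir . '/' . $name).
```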

Secure Download

```php
// 1. Validate path
if(!validatePath($dir, $allowedDirs)) {
	http_response_code(403);
	exit;
}

// 2. Check existence
if(!file_exists($fullPath)) {
	http_response_code(404);
	exit;
}

// 3. Force download
header('Content-Disposition: attachment; filename="' . $filename . '"');
```
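Steps 2 and 3 above with the file name made safe for the header, as an added example that is not DiskMaster's own code. It builds the response for a path that has already passed validation and detects the MIME type with the fileinfo extension mentioned under "MIME Types"; `downloadHeaders()`, the `nosniff` header and the demo file are assumptions.

```php
<?php
// Added example, not DiskMaster code. downloadHeaders() is a hypothetical helper.

/** Builds the response for an already validated $fullPath without sending it. */
function downloadHeaders(string $fullPath): array
{
    if (!is_file($fullPath)) {
        return ['status' => 404, 'headers' => []];
    }
    $name = basename($fullPath);
    // ASCII fallback: replace quotes, backslashes and non-printable bytes so the
    // quoted string cannot be closed early or split across header lines.
    $fallback = preg_replace('/[^\x20-\x7E]|["\\\\]/', '_', $name);
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($fullPath) ?: 'application/octet-stream';

    return [
        'status'  => 200,
        'headers' => [
            'Content-Type: ' . $mime,
            // Stops the browser from second-guessing the declared type.
            'X-Content-Type-Options: nosniff',
            'Content-Disposition: attachment; filename="' . $fallback . '"'
                . "; filename*=UTF-8''" . rawurlencode($name),
            'Content-Length: ' . filesize($fullPath),
        ],
    ];
}

// Constructed demo file whose name contains a double quote.
$dir = sys_get_temp_dir() . '/dm_dl_' . getmypid();
mkdir($dir, 0755, true);
$file = $dir . '/release "final".md';
file_put_contents($file, "# notes\n");

$response = downloadHeaders($file);
echo $response['status'], "\n", implode("\n", $response['headers']), "\n";

// In the handler: http_response_code($response['status']);
// foreach ($response['headers'] as $h) header($h); readfile($file);
```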

Bug Fixes

Bug #1: .md files served as HTML

Before: window.location.href = path/file.md → Browser displays raw markdown

After: Handler forces Content-Disposition: attachment → Systematic download

Bug #2: List 2 unusable

Before: Impossible to copy list2 → list1

After: ← COPY button reverses COPY →

Bug #3: No upload

Before: No way to send files

After: Full interface with multiple upload

Recommended Tests

Test 1: Bidirectional copy

```text
1. Create test.txt in user/
2. Navigate to user/data/ (right list)
3. Select test.txt (left list)
4. COPY → (left to right)
5. Verify presence in user/data/
6. Select test.txt (RIGHT list)
7. ← COPY (right to left)
8. Verify copy succeeded
```

Test 2: Upload

```text
1. Navigate to user/test/
2. Click "📤 UPLOAD"
3. Select multiple files
4. Click "UPLOAD"
5. Verify all files are present
6. Try uploading a file with the same name
7. Verify automatic _1, _2, etc. suffix
```

Test 3: Secure download

```text
1. Create a test.md file with content
2. Select it in the list
3. Click "📥 DOWNLOAD"
4. Verify that the browser DOWNLOADS it instead of displaying it
5. Open the downloaded file
6. Verify content is intact
```

Test 4: Path traversal security

```text
Attempt (via console or Postman):
GET ?obj=diskmaster.mod&action=download&path=../../etc/passwd

Expected result: 403 Forbidden
```

Possible Future Improvements

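Drag & drop upload

Currently: Classic file input button

Improvement:

```html
<!-- Drop zone -->
<div id="dropZone" ondrop="handleDrop(event)" ondragover="allowDrop(event)">
	Drag your files here
</div>

<script>
// Cancelling dragover is what lets the browser accept a drop on this element
function allowDrop(e) {
	e.preventDefault();
}

function handleDrop(e) {
	e.preventDefault();
	const files = e.dataTransfer.files;
	uploadFiles(files); // hands the FileList to the upload routine
}
</script>
```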

File preview

Before download, display:

  • Images: Thumbnail
  • Text: Preview of first 100 characters
  • PDF: First page

ZIP compression

"Download as ZIP" button to download an entire folder

User permissions

Currently: SYSTEM_LEVEL_ADMIN required

Improvement: Granular permissions per folder

```php
$allowedDirs = [
	'user' => ['read', 'write', 'delete'],
	'user/shared' => ['read', 'write'],
	'user/public' => ['read']
];
```

Important Notes

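Server Permissions

Upload requires write permission on the target directories for the account PHP runs as (with mode 755, that account must own them):

```bash
chmod 755 user/
chmod 755 user/data/
# etc.
```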

Max Upload Size

Configure in php.ini:

```ini
upload_max_filesize = 50M
post_max_size = 50M
max_execution_time = 300
```

MIME Types

The handler automatically detects the MIME type via finfo_file().

To force a specific type:

```php
$mimeType = 'application/octet-stream'; // Force binary download
```

Support

Error Logs

Check:

```bash
tail -f /var/log/php/error.log
```

Troubleshooting

Upload not working:

1. Check folder permissions

2. Check PHP upload_max_filesize

3. Check Apache/Nginx logs

4. Test with a small file (<1MB)

Download not working:

1. Check that the file exists

2. Check path validation

3. Check user admin level

4. Test with curl: curl -v "url?obj=diskmaster.mod&action=download&path=user/test.txt"

← Copy does nothing:

1. Check selection in RIGHT list

2. Check JavaScript console for errors

3. Check destination permissions


Version: DiskMaster 3.1

Date: 2025.12.29

Author: Treveur 'Nowee' Bretaudière
