Redesign login screen, Removed remember me checkbox, Security vulnerability fix #270, User role have Preview and Search option #265, #222

* Fix the RCE vuln via Upload from URL

This commit attemps to fix the Remote Code Execution
(authenticated) via Upload from URL. Some notes about
the proposed solution:

* A new function (fm_is_file_allowed) has been created to
validate if the filename is allowed. This function gets the
the filename as parameter and returns true if it validates
as allowed. Otherwise returns false (the default).

* It's better to have such validatation(s) in one place
instead of spread all over the code. There are other places in
the application where the filename is validated and they should
all be refactored to call this function. Then we can focus
all needed validations in one place only!

NOTE: This refactoring was not done - the only goal was to fix
this security vulnerability only.

* The fm_is_file_allowed() function validates the filename
based on its extension only. No other validatation(s) have been
implemented in this commit.

* File extensions are assumed to be case-insensitive.
For example, php == PHP == Php == PhP, etc. This is consitent
with some web servers. Without this, the user will have to populate
the $allowed_extensions with all possible allowed combinations.

* Although, there is one drawback to the current solution, which
is that all files must have an extension to be uploaded. This is not
consitent with modern filesystems. Maybe a better solution would be
to automatically append an extension to the filename if no
extension has been found (e.g., .html or .txt which are generally
considered to be harmless). This must be decided by the
application's maintainers.

* Fix the RCE vulns via new/rename file

Sanitize the arguments to stat using escapeshellarg()

Co-authored-by: Jorge Morgado <jorge@morgado.ch>

.github/FUNDING.yml

@@ -0,0 +1,6 @@
+# These are supported funding model platforms
+
+patreon: ccpprogrammers
+open_collective: # Replace with a single Open Collective username
+ko_fi: tinyfilemanager
+custom: ['https://paypal.me/prasathmani']

README.md

@@ -1,35 +1,42 @@
-# Tiny PHP File Manager
+# Tiny File Manager
-It is a simple, fast and small file manager with single php file. It is also a web code editor. It'll run either online or locally, on Linux, Windows or Mac based platforms. The only requirement is to have PHP 5.5+ available.
+
+
+[![Live demo](https://img.shields.io/badge/Live-Demo-brightgreen.svg?style=flat-square)](https://tinyfilemanager.github.io/demo/)
+[![Live demo](https://img.shields.io/badge/Help-Docs-lightgrey.svg?style=flat-square)](https://tinyfilemanager.github.io/)
+[![GitHub Release](https://img.shields.io/github/release/qubyte/rubidium.svg?style=flat-square)](https://github.com/prasathmani/tinyfilemanager/releases)
+ [![GitHub License](https://img.shields.io/github/license/prasathmani/tinyfilemanager.svg?style=flat-square)](https://github.com/prasathmani/tinyfilemanager/blob/master/LICENSE) 
+[![Paypal](https://img.shields.io/badge/Donate-Paypal-lightgrey.svg?style=flat-square)](https://www.paypal.me/prasathmani)
+> It is web based file manager and it is a simple, fast and small file manager with a single file, multi-language ready web application for storing, editing and managing files and folders online via web browser. The Application runs on PHP 5.5+, a build-in support for managing text files with cloud9 IDE and it supports syntax highlighting for over 150+ languages and over 35+ themes. .
 
 ## Demo
-<a href="https://tinyfilemanager.herokuapp.com" target="_blank">tinyfilemanager.herokuapp.com</a>
+[Demo](https://tinyfilemanager.github.io/demo/)
 
- Login Details : admin/admin | user/12345
+ Login Details : admin/admin@123 | user/12345
 
 
 ## Documents
-<a href="https://tinyfilemanager.github.io/" target="_blank">tinyfilemanager.github.io</a>
+[TinyFileManager.github.io](https://tinyfilemanager.github.io/)  | [Password Generater](https://tinyfilemanager.github.io/docs/pwd.html)
 <hr>
 
-<img src="screenshot.gif" alt="H3K | Tiny File Manager">
+[![Tiny File Manager](screenshot.gif)](screenshot.gif)
 
 ## Requirements
 
 - PHP 5.5.0 or higher.
-- [Zip extension](http://php.net/manual/en/book.zip.php) for zip and unzip actions.
+- Fileinfo, iconv, zip, tar and mbstring extensions are strongly recommended.
-- Fileinfo, iconv and mbstring extensions are strongly recommended.
 
 ## How to use
 
 Download ZIP with latest version from master branch.
 
-Copy tinyfilemanager.php to your website folder and open it with web browser (e.g. http://yoursite/any_path/tinyfilemanager.php).
+Just copy the tinyfilemanager.php to your webspace - thats all :)
+You can also change the file name from "tinyfilemanager.php" to something else, you know what i meant for.
 
-Default username/password: admin/admin and user/12345.
+Default username/password: **admin/admin@123** and **user/12345**.
 
-Warning: Please set your own username and password in $auth_users before use. password is encrypted with <code>password_hash()</code>. to generate new password hash <a href="https://tinyfilemanager.github.io/docs/pwd.html" target="_blank">here</a>
+Warning: Please set your own username and password in `$auth_users` before use. password is encrypted with <code>password_hash()</code>. to generate new password hash [here](https://tinyfilemanager.github.io/docs/pwd.html)
 
-To enable/disable authentication set $use_auth to true or false.
+To enable/disable authentication set `$use_auth` to true or false.
 
 ### Supported constants:
 
@@ -44,22 +51,29 @@ To enable/disable authentication set $use_auth to true or false.
 
 
 ### :loudspeaker: Features 
-<ul>
-<li>:cd: Open Source, light and extremely simple</li>
-<li>:information_source: Basic features likes Create, Delete, Modify, View, Download, Copy and Move files </li>
-<li>:arrow_double_up: Ajax Upload, Ability to drag & drop, multiple files upload and file extensions filter </li>
-<li>:file_folder: Ability to create folders and files</li>
-<li>:gift: Ability to compress, extract files</li>
-<li>:sunglasses: Support user permissions - based on session and each user root folder mapping</li>
-<li>:floppy_disk: Copy direct file URL</li>
-<li>:pencil2: Edit text formats file using advanced editor</li>
-<li>:page_facing_up: Google Drive viewer helps you preview PDF/DOC/XLS/PPT/etc. 25 MB can be previewed with the Google Drive viewer</li>
-<li>:zap: Backup files</li>
-<li>:mag_right: Search -  Search and Sorting using datatable js</li>
-<li>:file_folder: Exclude folders from listing</li>
-<li>:bangbang: lots more...</li>
-</ul>
 
-###### CDN Used
+- :cd: Open Source, light and extremely simple
+- :iphone: Mobile friendly view for touch devices
+- :information_source: Basic features likes Create, Delete, Modify, View, Quick View, Download, Copy and Move files 
+- :arrow_double_up: Ajax Upload, Ability to drag & drop, upload from URL, multiple files upload and file extensions filter 
+- :file_folder: Ability to create folders and files
+- :gift: Ability to compress, extract files (`zip`, `tar`)
+- :sunglasses: Support user permissions - based on session and each user root folder mapping
+- :floppy_disk: Copy direct file URL
+- :pencil2: Cloud9 IDE - Syntax highlighting for over `150+` languages, Over `35+` themes with your favorite programming style
+- :page_facing_up: Google/Microsoft doc viewer helps you preview `PDF/DOC/XLS/PPT/etc`. 25 MB can be previewed with the Google Drive viewer
+- :zap: Backup files and IP white and blacklisting
+- :mag_right: Search -  Search and Sorting using `datatable js`
+- :file_folder: Exclude folders from listing
+- :globe_with_meridians: Multi-language support (English, Spanish, French, Italian, German, Russian, Thailand, Chinese and more..) for translations `translation.json` is file required
+- :bangbang: lots more...
+
+
+### <a name=license></a>License, Credit  
+
+- Available under the [GNU license](https://github.com/prasathmani/tinyfilemanager/blob/master/LICENSE)
+- Original concept and development by github.com/alexantr/filemanager
+- CDN Used - _jQuery, Bootstrap, Font Awesome, Highlight js, ace js, DropZone js, ekko-lightbox js, and DataTable js_
+- To report a bug or request a feature, please file an [issue](https://github.com/prasathmani/tinyfilemanager/issues)
+
 
- `jQuery | Bootstrap | Font Awesome | Highlight js | ace js | DropZone js | DataTable js`

SECURITY.md

@@ -0,0 +1,27 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+The team takes security bugs seriously. We appreciate your efforts to responsibly disclose your findings, and will make every effort to acknowledge your contributions.
+
+To report a security issue, email [ccpprogrammers@gmail.com](mailto:ccpprogrammers@gmail.com) and include the word "SECURITY" in the subject line.
+
+The team will send a response indicating the next steps in handling your report. After the initial reply to your report you will be kept informed of the progress towards a fix and full announcement.
+
+Report security bugs in third-party modules to the person or team maintaining the module.
+
+## Disclosure Policy
+
+When the security team receives a security bug report, they will assign it to a
+primary handler. This person will coordinate the fix and release process,
+involving the following steps:
+
+  * Confirm the problem and determine the affected versions.
+  * Audit code to find any potential similar problems.
+  * Prepare fixes for all releases still under maintenance. These fixes will be
+    released as fast as possible to npm.
+
+## Comments on this Policy
+
+If you have suggestions on how this process could be improved please submit a
+pull request.