feat(editor): add signed callback state storage for external save handlers

nao-pon · nao-pon · commit 63369c6afedd · 2026-04-21T00:10:12.000+09:00
diff --git a/php/connector.minimal.php-dist b/php/connector.minimal.php-dist
@@ -110,6 +110,9 @@ elFinder::$netDrivers['ftp'] = 'FTP';
 // // Zoho Office Editor APIKey
 // // https://www.zoho.com/docs/help/office-apis.html
 // define('ELFINDER_ZOHO_OFFICE_APIKEY', '');
+// Zoho Office save callback state TTL in seconds
+// Default: 3600 (1 hour), Max: 86400 (24 hours)
+// define('ELFINDER_ZOHO_OFFICE_CALLBACK_TTL', 3600);
 // ===============================================
 
 // // Online converter (online-convert.com) APIKey
diff --git a/php/editors/ZohoOffice/editor.php b/php/editors/ZohoOffice/editor.php
@@ -80,6 +80,8 @@ public function enabled()
 
     public function init()
     {
+        $this->gcCallbackStates();
+
         if (!defined('ELFINDER_ZOHO_OFFICE_APIKEY') || !function_exists('curl_init')) {
             return array('error', array(elFinder::ERROR_CONF, '`ELFINDER_ZOHO_OFFICE_APIKEY` or curl extension'));
         }
@@ -143,7 +145,7 @@ public function init()
                     'callback_settings' => array(
                         'save_format' => $format,
                         'save_url_params' => array(
-                            'hash' => $hash
+                            'content' => 'content'
                         )
                     ),
                     'editor_settings' => $this->editor_settings[$srvsName],
@@ -152,6 +154,26 @@ public function init()
                     )
                 );
                 $data['editor_settings']['language'] = $lang;
+                if ($save) {
+                    $ttl = defined('ELFINDER_ZOHO_OFFICE_CALLBACK_TTL')
+                        ? (int)ELFINDER_ZOHO_OFFICE_CALLBACK_TTL
+                        : 3600;
+
+                    if ($ttl <= 0) {
+                        $ttl = 3600;
+                    } else if ($ttl > 86400) {
+                        $ttl = 86400;
+                    }
+                    $saveParams = $this->createCallbackState('save', $hash, $this->getCallbackStateSecret(), array(), $ttl);
+                    if ($saveParams === false) {
+                        $save = false;
+                    } else {
+                        $data['callback_settings']['save_url_params'] = array_merge(
+                            $data['callback_settings']['save_url_params'],
+                            $saveParams
+                        );
+                    }
+                }
                 if ($save) {
                     $conUrl = elFinder::getConnectorUrl();
                     $data['callback_settings']['save_url'] = $conUrl . (strpos($conUrl, '?') !== false? '&' : '?') . 'cmd=editor&name=' . $this->myName . '&method=save' . $cdata;
@@ -204,17 +226,33 @@ public function init()
 
     public function save()
     {
-        if (!empty($_POST) && !empty($_POST['hash']) && !empty($_FILES) && !empty($_FILES['content'])) {
-            $hash = $_POST['hash'];
-            /** @var elFinderVolumeDriver $volume */
-            if ($volume = $this->elfinder->getVolume($hash)) {
-                if ($content = file_get_contents($_FILES['content']['tmp_name'])) {
-                    if ($volume->putContents($hash, $content)) {
-                        return array('raw' => true, 'error' => '', 'header' => 'HTTP/1.1 200 OK');
-                    }
-                }
+        $state = $this->verifyCallbackRequest('save', $_POST, $this->getCallbackStateSecret());
+        if ($state === false) {
+            return array('raw' => true, 'error' => '', 'header' => 'HTTP/1.1 403 Forbidden');
+        }
+
+        if (empty($_FILES['content']) || (isset($_FILES['content']['error']) && (int)$_FILES['content']['error'] !== 0)) {
+            return array('raw' => true, 'error' => '', 'header' => 'HTTP/1.1 500 Internal Server Error');
+        }
+
+        $tmpName = isset($_FILES['content']['tmp_name']) ? $_FILES['content']['tmp_name'] : '';
+        if (!$tmpName || !is_uploaded_file($tmpName) && !is_file($tmpName)) {
+            return array('raw' => true, 'error' => '', 'header' => 'HTTP/1.1 500 Internal Server Error');
+        }
+
+        $content = file_get_contents($tmpName);
+        if ($content === false) {
+            return array('raw' => true, 'error' => '', 'header' => 'HTTP/1.1 500 Internal Server Error');
+        }
+
+        $hash = $state['hash'];
+        /** @var elFinderVolumeDriver $volume */
+        if ($volume = $this->elfinder->getVolume($hash)) {
+            if ($volume->putContents($hash, $content)) {
+                return array('raw' => true, 'error' => '', 'header' => 'HTTP/1.1 200 OK');
             }
         }
+
         return array('raw' => true, 'error' => '', 'header' => 'HTTP/1.1 500 Internal Server Error');
     }
 
@@ -230,4 +268,13 @@ public function chk()
         }
         return array('cansave' => $res);
     }
+
+    protected function getCallbackStateSecret()
+    {
+        return hash('sha256', implode('|', array(
+            __CLASS__,
+            __FILE__,
+            ELFINDER_ZOHO_OFFICE_APIKEY
+        )));
+    }
 }
diff --git a/php/editors/editor.php b/php/editors/editor.php
