zip files check, x-frame-options added

dash/models/blocktext.php

@@ -30,6 +30,8 @@ class Blocktext extends Model {
         $block->content = str_replace("\r\n","\n",$content);
         $block->save();
 
+        Zira\Cache::clear();
+
         return array('message' => Zira\Locale::t('Successfully saved'));
     }
 }

dash/models/files.php

@@ -522,8 +522,21 @@ class Files extends Model {
         if ($zip->open($path, \ZipArchive::CREATE)!==TRUE) {
             return array('error' => Zira\Locale::t('An error occurred'));
         }
-        $zip->extractTo(ROOT_DIR . DIRECTORY_SEPARATOR . $root);
+        $denied = false;
+        for ($i=0; $i<$zip->numFiles; $i++) {
+            $st = $zip->statIndex($i);
+            if ($st === false) continue;
+            $p = strrpos($st['name'], '.');
+            if ($p === false) continue;
+            $ext = substr($st['name'], $p+1);
+            if (strtolower($ext) == 'php') {
+                $denied = true;
+                break;
+            }
+        }
+        if (!$denied) $zip->extractTo(ROOT_DIR . DIRECTORY_SEPARATOR . $root);
         $zip->close();
+        if ($denied) return array('error'=>Zira\Locale::t('Permission denied'));
         return array('reload'=>$this->getJSClassName());
     }
     

htaccess.txt

@@ -51,3 +51,7 @@ ExpiresByType application/x-shockwave-flash "access 1 month"
 ExpiresByType image/x-icon "access 1 year"
 ExpiresDefault "access 1 month"
 </IfModule>
+
+<IfModule mod_headers.c>
+Header always append X-Frame-Options SAMEORIGIN
+</IfModule>