/
Remove redundant FCKEditor file manager [5.2.2-B1]

Remove redundant FCKEditor file manager [5.2.2-B1]

Owned by Alex
Last updated: Feb 07, 2016

This is not a security vulnerability, because mentioned file manager:

  • only works, when "root" user is logged-in in the Admin Console
  • only allows to upload files with specified extensions

The WSYIWYG editor is used by In-Portal to allow entering of rich text in the CMS blocks and other places on website. It looks like this (for In-Portal 5.1.x and below):

It also comes with File Manager component, but we've actually replicated it via In-Portal itself:

This is fine, but in In-Portal 5.2.x versions the FCKEditor was replaced by CKEditor (see  INP-839 - Getting issue details... STATUS ), but the File Browser wasn't removed and is still accessible.

Solution

  1. locate all code, that executed while File Manager from "browser/browser" template is used in these classes:
    1. FckTagProcessor
    2. FckEventHandler
    3. fckFCKHelper
  2. delete above located code in case if it's not used anywhere (e.g. in CKFinder - file manager from CKEditor)
  3. delete the "/core/admin_templates/browser" folder (contains CSS and TPL files)

Related Tasks