From c66a8d6bc1131a249499db6367fb0baa55706796 Mon Sep 17 00:00:00 2001 From: Florian HENRY Date: Fri, 26 May 2023 10:16:56 +0200 Subject: [PATCH 1/7] fix: php warning on sabre lib --- htdocs/includes/sabre/sabre/vobject/lib/Component/VCard.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/htdocs/includes/sabre/sabre/vobject/lib/Component/VCard.php b/htdocs/includes/sabre/sabre/vobject/lib/Component/VCard.php index 4f620de1070..369ad22f14f 100644 --- a/htdocs/includes/sabre/sabre/vobject/lib/Component/VCard.php +++ b/htdocs/includes/sabre/sabre/vobject/lib/Component/VCard.php @@ -506,7 +506,7 @@ class VCard extends VObject\Document { switch ($property->name) { case 'VERSION': - continue; + continue 2; case 'XML': $value = $property->getParts(); From 27cc40fd07b2fd74a9d560ebab15761bc76bc1d0 Mon Sep 17 00:00:00 2001 From: Florian HENRY Date: Fri, 26 May 2023 10:27:58 +0200 Subject: [PATCH 2/7] fix: php warning on sabre lib with same as sabre 4.2.2 --- htdocs/includes/sabre/sabre/vobject/lib/Component/VCard.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/htdocs/includes/sabre/sabre/vobject/lib/Component/VCard.php b/htdocs/includes/sabre/sabre/vobject/lib/Component/VCard.php index 369ad22f14f..52ee2fad5f0 100644 --- a/htdocs/includes/sabre/sabre/vobject/lib/Component/VCard.php +++ b/htdocs/includes/sabre/sabre/vobject/lib/Component/VCard.php @@ -506,7 +506,7 @@ class VCard extends VObject\Document { switch ($property->name) { case 'VERSION': - continue 2; + break; case 'XML': $value = $property->getParts(); From 66d9cd50624dbaa90fa3ba1a0ae393eb35948688 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sat, 3 Jun 2023 10:32:41 +0200 Subject: [PATCH 3/7] Remove + char from allowed characters --- htdocs/admin/security_file.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/htdocs/admin/security_file.php b/htdocs/admin/security_file.php index c545cc7e0dd..e5c8ac8695a 100644 
--- a/htdocs/admin/security_file.php +++ b/htdocs/admin/security_file.php @@ -62,8 +62,8 @@ if (GETPOST('sendit') && !empty($conf->global->MAIN_UPLOAD_DOC)) { if ($action == 'updateform') { $antivircommand = GETPOST('MAIN_ANTIVIRUS_COMMAND', 'restricthtml'); // Use GETPOST restricthtml because we must accept ". Example c:\Progra~1\ClamWin\bin\clamscan.exe $antivirparam = GETPOST('MAIN_ANTIVIRUS_PARAM', 'restricthtml'); // Use GETPOST restricthtml because we must accept ". Example --database="C:\Program Files (x86)\ClamWin\lib" - $antivircommand = dol_string_nospecial($antivircommand, '', array("|", ";", "<", ">", "&")); // Sanitize command - $antivirparam = dol_string_nospecial($antivirparam, '', array("|", ";", "<", ">", "&")); // Sanitize params + $antivircommand = dol_string_nospecial($antivircommand, '', array("|", ";", "<", ">", "&", "+")); // Sanitize command + $antivirparam = dol_string_nospecial($antivirparam, '', array("|", ";", "<", ">", "&", "+")); // Sanitize params $res3 = dolibarr_set_const($db, 'MAIN_UPLOAD_DOC', GETPOST('MAIN_UPLOAD_DOC', 'alpha'), 'chaine', 0, '', $conf->entity); $res4 = dolibarr_set_const($db, "MAIN_UMASK", GETPOST('MAIN_UMASK', 'alpha'), 'chaine', 0, '', $conf->entity); From b886791b28144438bb3e835e9a4d6b5ff3528201 Mon Sep 17 00:00:00 2001 From: ptibogxiv Date: Sat, 3 Jun 2023 11:00:46 +0200 Subject: [PATCH 4/7] Fix php 8 error on member card --- htdocs/adherents/card.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/htdocs/adherents/card.php b/htdocs/adherents/card.php index 9e9cf47eff4..f2667a2b034 100644 --- a/htdocs/adherents/card.php +++ b/htdocs/adherents/card.php @@ -1345,7 +1345,7 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action)) { if (!$value['active']) { break; } - print ''.$langs->trans($value['label']).''; + print ''.$langs->trans($value['label']).''; } } From 6c8b5d489f61f6816f3a7d72362eee23dd9e3aa5 Mon Sep 17 00:00:00 2001 
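Review bot: The two changed lines sanitise MAIN_ANTIVIRUS_COMMAND and MAIN_ANTIVIRUS_PARAM with a denylist of six characters before the values are stored, and a denylist cannot be shown to be complete against every shell metacharacter, so adding "+" narrows the gap without closing it. The values are presumably handed to a shell when a file is scanned; the robust place for the protection is that call site, with `escapeshellcmd()` on the command and `escapeshellarg()` on each parameter, or an allowlist of the characters an executable path actually needs (the comments say `"` and `\` must be accepted, e.g. `c:\Progra~1\ClamWin\bin\clamscan.exe`). Keeping the denylist here is fine as defence in depth, but the comment should say so rather than claim the value is sanitised, e.g. `// Denylist only: value must still be escaped where it is executed`. The enclosing `if ($action == 'updateform')` block starts and ends outside the hunk.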
From: Laurent Destailleur Date: Sat, 3 Jun 2023 11:20:24 +0200 Subject: [PATCH 5/7] NEW Add option MAIN_ALLOW_LOCAL_LINKS_AS_EXTERNAL_LINKS --- htdocs/admin/system/security.php | 2 +- htdocs/core/actions_linkedfiles.inc.php | 22 ++++++++++++++++++- .../connectors/php/config.inc.php | 2 +- htdocs/langs/en_US/errors.lang | 1 + 4 files changed, 24 insertions(+), 3 deletions(-) diff --git a/htdocs/admin/system/security.php b/htdocs/admin/system/security.php index 03aa1b19d76..8c50799ef64 100644 --- a/htdocs/admin/system/security.php +++ b/htdocs/admin/system/security.php @@ -507,7 +507,7 @@ print '
'; print load_fiche_titre($langs->trans("OtherSetup"), '', 'folder'); -print 'MAIN_ALLOW_SVG_FILES_AS_IMAGES = '.(empty($conf->global->MAIN_ALLOW_SVG_FILES_AS_IMAGES) ? '0' : $conf->global->MAIN_ALLOW_SVG_FILES_AS_IMAGES).'   ('.$langs->trans("Recommended").': 0)
'; +print 'MAIN_ALLOW_SVG_FILES_AS_IMAGES = '.getDolGlobalString('MAIN_ALLOW_SVG_FILES_AS_IMAGES', '0').'   ('.$langs->trans("Recommended").': 0)
'; print '
'; print 'MAIN_ALWAYS_CREATE_LOCK_AFTER_LAST_UPGRADE = '.(empty($conf->global->MAIN_ALWAYS_CREATE_LOCK_AFTER_LAST_UPGRADE) ? ''.$langs->trans("Undefined").'' : $conf->global->MAIN_ALWAYS_CREATE_LOCK_AFTER_LAST_UPGRADE).'   ('.$langs->trans("Recommended").': 1)
'; diff --git a/htdocs/core/actions_linkedfiles.inc.php b/htdocs/core/actions_linkedfiles.inc.php index 4e2cd2873b6..8858456a5f6 100644 --- a/htdocs/core/actions_linkedfiles.inc.php +++ b/htdocs/core/actions_linkedfiles.inc.php @@ -92,7 +92,27 @@ if (GETPOST('sendit', 'alpha') && !empty($conf->global->MAIN_UPLOAD_DOC) && !emp if (substr($link, 0, 7) != 'http://' && substr($link, 0, 8) != 'https://' && substr($link, 0, 7) != 'file://' && substr($link, 0, 7) != 'davs://') { $link = 'http://'.$link; } - dol_add_file_process($upload_dir, 0, 1, 'userfile', null, $link, '', 0); + + // Parse $newUrl + $newUrlArray = parse_url($link); + + // Check URL is external + if (!getDolGlobalString('MAIN_ALLOW_LOCAL_LINKS_AS_EXTERNAL_LINKS')) { + if (!empty($newUrlArray['path']) && preg_match('/\.svg/i', $newUrlArray['path'])) { + $error++; + $langs->load("errors"); + setEventMessages($langs->trans('ErrorSVGFilesNotAllowedAsLinksWithout', 'MAIN_ALLOW_LOCAL_LINKS_AS_EXTERNAL_LINKS'), null, 'errors'); + } + } + // Alow external links to svg ? + if (!getDolGlobalString('MAIN_ALLOW_SVG_FILES_AS_EXTERNAL_LINKS')) { + // Test $newUrlAray['host'] to check link is external + // TODO + } + + if (!$error) { + dol_add_file_process($upload_dir, 0, 1, 'userfile', null, $link, '', 0); + } } } diff --git a/htdocs/core/filemanagerdol/connectors/php/config.inc.php b/htdocs/core/filemanagerdol/connectors/php/config.inc.php index 368b82c42e7..7407ab706a7 100644 --- a/htdocs/core/filemanagerdol/connectors/php/config.inc.php +++ b/htdocs/core/filemanagerdol/connectors/php/config.inc.php 
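Review bot: The second guard added here, `if (!getDolGlobalString('MAIN_ALLOW_SVG_FILES_AS_EXTERNAL_LINKS')) { ... // TODO }`, has an empty body, so one of the two new options is accepted from configuration but never enforced; after the names are swapped in the later hunk of actions_linkedfiles.inc.php (patch 6/7) it is MAIN_ALLOW_LOCAL_LINKS_AS_EXTERNAL_LINKS, the option named in this commit's title, that ends up with no effect, and a link with an empty or local host (the `file://` prefix is accepted in the context lines just above) still reaches `dol_add_file_process()`. Either implement the host test in the same commit, e.g. `if (empty($newUrlArray['host']) || ($newUrlArray['scheme'] ?? '') === 'file') { $error++; setEventMessages(...); }`, or do not expose the option until it does something, since an administrator reading its name will assume it is enforced. The comment `// Parse $newUrl` names a variable that does not exist; it should read `// Parse $link`, and `Alow`/`$newUrlAray` in the TODO comments are misspelt. `$error` is incremented but initialised outside the hunk; the enclosing `if (GETPOST('sendit', 'alpha') ...)` block starts and ends outside it.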
@@ -160,7 +160,7 @@ $Config['QuickUploadPath']['File'] = $Config['UserFilesPath']; $Config['QuickUploadAbsolutePath']['File'] = $Config['UserFilesAbsolutePath']; $Config['AllowedExtensions']['Image'] = array('bmp', 'gif', 'jpeg', 'jpg', 'png', 'ai'); -if (!empty($conf->global->MAIN_ALLOW_SVG_FILES_AS_IMAGES)) { +if (getDolGlobalString('MAIN_ALLOW_SVG_FILES_AS_IMAGES')) { $Config['AllowedExtensions']['Image'][] = 'svg'; } $Config['DeniedExtensions']['Image'] = array(); diff --git a/htdocs/langs/en_US/errors.lang b/htdocs/langs/en_US/errors.lang index b3eeae4606b..5d3f6a43392 100644 --- a/htdocs/langs/en_US/errors.lang +++ b/htdocs/langs/en_US/errors.lang @@ -303,6 +303,7 @@ ErrorValueForTooLow=Value for %s is too low ErrorValueCantBeNull=Value for %s can't be null ErrorDateOfMovementLowerThanDateOfFileTransmission=The date of the bank transaction can't be lower than the date of the file transmission ErrorTooMuchFileInForm=Too much files in form, the maximum number is %s file(s) +ErrorSVGFilesNotAllowedAsLinksWithout=SVG files are not allowed as external links without option %s # Warnings WarningParamUploadMaxFileSizeHigherThanPostMaxSize=Your PHP parameter upload_max_filesize (%s) is higher than PHP parameter post_max_size (%s). This is not a consistent setup. From 557a5ea35f4c29eeb8491fa557aebfb69f9cb189 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sat, 3 Jun 2023 11:28:43 +0200 Subject: [PATCH 6/7] Fix bad var --- htdocs/core/actions_linkedfiles.inc.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/htdocs/core/actions_linkedfiles.inc.php b/htdocs/core/actions_linkedfiles.inc.php index 8858456a5f6..fe8b8bf3543 100644 --- a/htdocs/core/actions_linkedfiles.inc.php +++ b/htdocs/core/actions_linkedfiles.inc.php 
@@ -97,15 +97,15 @@ if (GETPOST('sendit', 'alpha') && !empty($conf->global->MAIN_UPLOAD_DOC) && !emp $newUrlArray = parse_url($link); // Check URL is external - if (!getDolGlobalString('MAIN_ALLOW_LOCAL_LINKS_AS_EXTERNAL_LINKS')) { + if (!getDolGlobalString('MAIN_ALLOW_SVG_FILES_AS_EXTERNAL_LINKS')) { if (!empty($newUrlArray['path']) && preg_match('/\.svg/i', $newUrlArray['path'])) { $error++; $langs->load("errors"); - setEventMessages($langs->trans('ErrorSVGFilesNotAllowedAsLinksWithout', 'MAIN_ALLOW_LOCAL_LINKS_AS_EXTERNAL_LINKS'), null, 'errors'); + setEventMessages($langs->trans('ErrorSVGFilesNotAllowedAsLinksWithout', 'MAIN_ALLOW_SVG_FILES_AS_EXTERNAL_LINKS'), null, 'errors'); } } // Alow external links to svg ? - if (!getDolGlobalString('MAIN_ALLOW_SVG_FILES_AS_EXTERNAL_LINKS')) { + if (!getDolGlobalString('MAIN_ALLOW_LOCAL_LINKS_AS_EXTERNAL_LINKS')) { // Test $newUrlAray['host'] to check link is external // TODO } From 7f9c34a9353fa1cbc8ffffd08fb221af341f648b Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sun, 4 Jun 2023 02:33:53 +0200 Subject: [PATCH 7/7] Fix more complete than #24938 --- htdocs/projet/card.php | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/htdocs/projet/card.php b/htdocs/projet/card.php index 040b3ea2772..183418edad7 100644 --- a/htdocs/projet/card.php +++ b/htdocs/projet/card.php @@ -958,7 +958,7 @@ if ($action == 'create' && $user->rights->projet->creer) { print ''; print ''; if (!empty($conf->global->PROJECT_USE_OPPORTUNITIES)) { - print 'usage_opportunity ? ' checked="checked"' : '')).'"> '; + print 'usage_opportunity ? ' checked="checked"' : '')).'> '; $htmltext = $langs->trans("ProjectFollowOpportunity"); print ''; print '