diff --git a/htdocs/comm/propal/list.php b/htdocs/comm/propal/list.php
index 1a23c0b8728..ec4e9c37bf2 100644
--- a/htdocs/comm/propal/list.php
+++ b/htdocs/comm/propal/list.php
@@ -310,7 +310,7 @@ if ($search_country) $sql .= " AND s.fk_pays IN (".$db->escape($search_country).
 if ($search_type_thirdparty) $sql .= " AND s.fk_typent IN (".$db->escape($search_type_thirdparty).')';
 if ($search_ref) $sql .= natural_search('p.ref', $search_ref);
 if ($search_refcustomer) $sql .= natural_search('p.ref_client', $search_refcustomer);
-if ($search_refproject) $sql .= natural_search('pr.ref', $search_refprojet);
+if ($search_refproject) $sql .= natural_search('pr.ref', $search_refproject);
 if ($search_availability) $sql .= " AND p.fk_availability IN (".$db->escape($search_availability).')';
 if ($search_societe) $sql .= natural_search('s.nom', $search_societe);
@@ -432,7 +432,7 @@ if ($resql)
 if ($search_year) $param.='&search_year='.urlencode($search_year);
 if ($search_ref) $param.='&search_ref='.urlencode($search_ref);
 if ($search_refcustomer) $param.='&search_refcustomer='.urlencode($search_refcustomer);
- if ($search_refprojet) $param.='&search_refprojet='.urlencode($search_refprojet);
+ if ($search_refproject) $param.='&search_refproject='.urlencode($search_refproject);
 if ($search_societe) $param.='&search_societe='.urlencode($search_societe);
 if ($search_user > 0) $param.='&search_user='.urlencode($search_user);
 if ($search_sale > 0) $param.='&search_sale='.urlencode($search_sale);
diff --git a/htdocs/core/lib/files.lib.php b/htdocs/core/lib/files.lib.php
index 28b598f090e..15e8c003417 100644
--- a/htdocs/core/lib/files.lib.php
+++ b/htdocs/core/lib/files.lib.php
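Review bot: The `IN (...)` filters left as context around the corrected line in the `@@ -310` hunk (`s.fk_typent`, `p.fk_availability`, and `s.fk_pays` in the hunk header) concatenate `$db->escape(...)` output into an unquoted list, where escaping quote characters does not restrict the value to numbers. Whether these `$search_*` values are cast to integers when they are read is not visible here; if they are not, each filter should coerce its ids first, e.g. `$ids = implode(',', array_map('intval', explode(',', $search_availability)));` followed by `" AND p.fk_availability IN (".$ids.")"`. The `@@ -432` hunk also changes the URL parameter to `search_refproject`, so the request-reading code outside this diff has to use the same name or the project filter is dropped on pagination and sorting links.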
@@ -1133,10 +1133,11 @@ function dol_move_uploaded_file($src_file, $dest_file, $allowoverwrite, $disable
 * @param int $nophperrors Disable all PHP output errors
 * @param int $nohook Disable all hooks
 * @param object $object Current object in use
+ * @param boolean $allowdotdot Allow to delete file path with .. inside. Never use this, it is reserved for migration purpose.
 * @return boolean True if no error (file is deleted or if glob is used and there's nothing to delete), False if error
 * @see dol_delete_dir
 */
-function dol_delete_file($file,$disableglob=0,$nophperrors=0,$nohook=0,$object=null)
+function dol_delete_file($file,$disableglob=0,$nophperrors=0,$nohook=0,$object=null,$allowdotdot=false)
 {
 global $db, $conf, $user, $langs;
 global $hookmanager;
@@ -1148,7 +1149,7 @@ function dol_delete_file($file,$disableglob=0,$nophperrors=0,$nohook=0,$object=n
 // Security:
 // We refuse transversal using .. and pipes into filenames.
- if (preg_match('/\.\./',$file) || preg_match('/[<>|]/',$file))
+ if ((! $allowdotdot && preg_match('/\.\./',$file)) || preg_match('/[<>|]/',$file))
 {
 dol_syslog("Refused to delete file ".$file, LOG_WARNING);
 return false;
diff --git a/htdocs/install/upgrade2.php b/htdocs/install/upgrade2.php
index 1fa421bb61f..1077e37f78e 100644
--- a/htdocs/install/upgrade2.php
+++ b/htdocs/install/upgrade2.php
@@ -4472,7 +4472,7 @@ function migrate_delete_old_files($db,$langs,$conf)
 $result=1;
 if (file_exists($filetodelete))
 {
- $result=dol_delete_file($filetodelete);
+ $result=dol_delete_file($filetodelete,0,0,0,null,true);
 if (! $result)
 {
 $langs->load("errors");
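Review bot: With `$allowdotdot` set, the `..` test in the `@@ -1148` hunk is skipped outright and nothing replaces it, so the only barrier against other callers using the flag is the "Never use this" sentence added to the docblock in the `@@ -1133` hunk. The bypass should at least leave a trace, for example `if ($allowdotdot) dol_syslog("dol_delete_file called with allowdotdot for ".$file, LOG_WARNING);` placed before the check. A stronger form would resolve the path when the flag is set and refuse anything that ends up outside the installation directory, so the flag relaxes the syntax rule without dropping containment. The rest of the function body is outside this hunk, so how `$file` is later expanded and unlinked could not be checked here.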
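Review bot: The new call in the `upgrade2.php` hunk disables the `..` check while leaving `$disableglob` at 0, so the path apparently still goes through glob expansion inside dol_delete_file (the docblock's return description mentions glob use). Since `file_exists($filetodelete)` has already confirmed a single literal file, passing 1 as the second argument keeps the deletion to exactly that path: `$result=dol_delete_file($filetodelete,1,0,0,null,true);`. Where `$filetodelete` is built is outside this hunk; the change assumes it comes from a fixed list in the upgrade script rather than from request or database values, which is worth confirming now that the traversal guard no longer applies to it.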