Wavyzz/dolibarr-fork
2
0
Fork 0
forked from Wavyzz/dolibarr
Code Pull Requests Activity

FIX Yogosha report 4425

Browse Source
This commit is contained in:
Laurent Destailleur
2020-09-16 14:37:05 +02:00
parent 382a4552eb
commit d7aa376c3c
3 changed files with 38 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

39
htdocs/core/lib/functions.lib.php
View File

@@ -7880,19 +7880,16 @@ function getAdvancedPreviewUrl($modulepart, $relativepath, $alldata = 0, $param
if (empty($conf->use_javascript_ajax)) return ''; if (empty($conf->use_javascript_ajax)) return '';
$mime_preview = array('bmp', 'jpeg', 'png', 'gif', 'tiff', 'pdf', 'plain', 'css', 'svg+xml', 'webp'); $isAllowedForPreview = dolIsAllowedForPreview($relativepath);
//$mime_preview[]='vnd.oasis.opendocument.presentation';
//$mime_preview[]='archive';
$num_mime = array_search(dol_mimetype($relativepath, '', 1), $mime_preview);
if ($alldata == 1) if ($alldata == 1)
{ {
if ($num_mime !== false) return array('target'=>'_blank', 'css'=>'documentpreview', 'url'=>DOL_URL_ROOT.'/document.php?modulepart='.$modulepart.'&attachment=0&file='.urlencode($relativepath).($param ? '&'.$param : ''), 'mime'=>dol_mimetype($relativepath),); if ($isAllowedForPreview) return array('target'=>'_blank', 'css'=>'documentpreview', 'url'=>DOL_URL_ROOT.'/document.php?modulepart='.$modulepart.'&attachment=0&file='.urlencode($relativepath).($param ? '&'.$param : ''), 'mime'=>dol_mimetype($relativepath),);
else return array(); else return array();
} }
// old behavior // old behavior, return a string
if ($num_mime !== false) return 'javascript:document_preview(\''.dol_escape_js(DOL_URL_ROOT.'/document.php?modulepart='.$modulepart.'&attachment=0&file='.urlencode($relativepath).($param ? '&'.$param : '')).'\', \''.dol_mimetype($relativepath).'\', \''.dol_escape_js($langs->trans('Preview')).'\')'; if ($isAllowedForPreview) return 'javascript:document_preview(\''.dol_escape_js(DOL_URL_ROOT.'/document.php?modulepart='.$modulepart.'&attachment=0&file='.urlencode($relativepath).($param ? '&'.$param : '')).'\', \''.dol_mimetype($relativepath).'\', \''.dol_escape_js($langs->trans('Preview')).'\')';
else return ''; else return '';
} }
@@ -7917,6 +7914,32 @@ function ajax_autoselect($htmlname, $addlink = '')
} }
/**
* Return if a file is qualified for preview
*
* @param string $file Filename we looking for information
* @return int 1 If allowed, 0 otherwise
* @see dol_mimetype(), image_format_supported() from images.lib.php
*/
function dolIsAllowedForPreview($file) {
global $conf;
// Check .noexe extension in filename
if (preg_match('/\.noexe$/i', $file)) return 0;
// Check mime types
$mime_preview = array('bmp', 'jpeg', 'png', 'gif', 'tiff', 'pdf', 'plain', 'css', 'webp');
if (!empty($conf->global->MAIN_ALLOW_SVG_FILES_AS_IMAGES)) $mime_preview[] = 'svg+xml';
//$mime_preview[]='vnd.oasis.opendocument.presentation';
//$mime_preview[]='archive';
$num_mime = array_search(dol_mimetype($file, '', 1), $mime_preview);
if ($num_mime !== false) return 1;
// By default, not allowed for preview
return 0;
}
/** /**
* Return mime type of a file * Return mime type of a file
* *
@@ -7924,7 +7947,7 @@ function ajax_autoselect($htmlname, $addlink = '')
* @param string $default Default mime type if extension not found in known list * @param string $default Default mime type if extension not found in known list
* @param int $mode 0=Return full mime, 1=otherwise short mime string, 2=image for mime type, 3=source language, 4=css of font fa * @param int $mode 0=Return full mime, 1=otherwise short mime string, 2=image for mime type, 3=source language, 4=css of font fa
* @return string Return a mime type family (text/xxx, application/xxx, image/xxx, audio, video, archive) * @return string Return a mime type family (text/xxx, application/xxx, image/xxx, audio, video, archive)
* @see image_format_supported() from images.lib.php * @see dolIsAllowedForPreview(), image_format_supported() from images.lib.php
*/ */
function dol_mimetype($file, $default = 'application/octet-stream', $mode = 0) function dol_mimetype($file, $default = 'application/octet-stream', $mode = 0)
{ {

9
htdocs/document.php
View File

@@ -153,11 +153,13 @@ if (isset($_GET["attachment"])) $attachment = GETPOST("attachment", 'alpha') ?tr
if (!empty($conf->global->MAIN_DISABLE_FORCE_SAVEAS)) $attachment = false; if (!empty($conf->global->MAIN_DISABLE_FORCE_SAVEAS)) $attachment = false;
// Define mime type // Define mime type
$type = 'application/octet-stream'; $type = 'application/octet-stream'; // By default
if (GETPOST('type', 'alpha')) $type = GETPOST('type', 'alpha'); if (GETPOST('type', 'alpha')) $type = GETPOST('type', 'alpha');
else $type = dol_mimetype($original_file); else $type = dol_mimetype($original_file);
// Security: Force to octet-stream if file is a dangerous file // Security: Force to octet-stream if file is a dangerous file. For example when it is a .noexe file
if (preg_match('/\.noexe$/i', $original_file)) $type = 'application/octet-stream'; if (!dolIsAllowedForPreview($original_file)) {
$type = 'application/octet-stream';
}
// Security: Delete string ../ into $original_file // Security: Delete string ../ into $original_file
$original_file = str_replace("../", "/", $original_file); $original_file = str_replace("../", "/", $original_file);
@@ -259,6 +261,7 @@ if (!$attachment && !empty($conf->global->MAIN_USE_EXIF_ROTATION) && image_forma
if ($readfile) { if ($readfile) {
header('Content-Length: '.dol_filesize($fullpath_original_file)); header('Content-Length: '.dol_filesize($fullpath_original_file));
readfile($fullpath_original_file_osencoded); readfile($fullpath_original_file_osencoded);
} }

2
htdocs/theme/eldy/info-box.inc.php
View File

@@ -255,7 +255,7 @@ if (GETPOSTISSET('THEME_SATURATE_RATIO')) $conf->global->THEME_SATURATE_RATIO =
} }
.customer-back { .customer-back {
background-color: #95a55d !important; background-color: #55955d !important;
color: #FFF !important; color: #FFF !important;
padding: 2px; padding: 2px;
margin: 2px; margin: 2px;