forked from Wavyzz/dolibarr
FIX Yogosha report 4425
This commit is contained in:
Laurent Destailleur
@@ -7880,19 +7880,16 @@ function getAdvancedPreviewUrl($modulepart, $relativepath, $alldata = 0, $param
|
||||
|
||||
if (empty($conf->use_javascript_ajax)) return '';
|
||||
|
||||
$mime_preview = array('bmp', 'jpeg', 'png', 'gif', 'tiff', 'pdf', 'plain', 'css', 'svg+xml', 'webp');
|
||||
//$mime_preview[]='vnd.oasis.opendocument.presentation';
|
||||
//$mime_preview[]='archive';
|
||||
$num_mime = array_search(dol_mimetype($relativepath, '', 1), $mime_preview);
|
||||
$isAllowedForPreview = dolIsAllowedForPreview($relativepath);
|
||||
|
||||
if ($alldata == 1)
|
||||
{
|
||||
if ($num_mime !== false) return array('target'=>'_blank', 'css'=>'documentpreview', 'url'=>DOL_URL_ROOT.'/document.php?modulepart='.$modulepart.'&attachment=0&file='.urlencode($relativepath).($param ? '&'.$param : ''), 'mime'=>dol_mimetype($relativepath),);
|
||||
if ($isAllowedForPreview) return array('target'=>'_blank', 'css'=>'documentpreview', 'url'=>DOL_URL_ROOT.'/document.php?modulepart='.$modulepart.'&attachment=0&file='.urlencode($relativepath).($param ? '&'.$param : ''), 'mime'=>dol_mimetype($relativepath),);
|
||||
else return array();
|
||||
}
|
||||
|
||||
// old behavior
|
||||
if ($num_mime !== false) return 'javascript:document_preview(\''.dol_escape_js(DOL_URL_ROOT.'/document.php?modulepart='.$modulepart.'&attachment=0&file='.urlencode($relativepath).($param ? '&'.$param : '')).'\', \''.dol_mimetype($relativepath).'\', \''.dol_escape_js($langs->trans('Preview')).'\')';
|
||||
// old behavior, return a string
|
||||
if ($isAllowedForPreview) return 'javascript:document_preview(\''.dol_escape_js(DOL_URL_ROOT.'/document.php?modulepart='.$modulepart.'&attachment=0&file='.urlencode($relativepath).($param ? '&'.$param : '')).'\', \''.dol_mimetype($relativepath).'\', \''.dol_escape_js($langs->trans('Preview')).'\')';
|
||||
else return '';
|
||||
}
|
||||
|
||||
@@ -7917,6 +7914,32 @@ function ajax_autoselect($htmlname, $addlink = '')
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* Return if a file is qualified for preview
|
||||
*
|
||||
* @param string $file Filename we looking for information
|
||||
* @return int 1 If allowed, 0 otherwise
|
||||
* @see dol_mimetype(), image_format_supported() from images.lib.php
|
||||
*/
|
||||
function dolIsAllowedForPreview($file) {
|
||||
global $conf;
|
||||
|
||||
// Check .noexe extension in filename
|
||||
if (preg_match('/\.noexe$/i', $file)) return 0;
|
||||
|
||||
// Check mime types
|
||||
$mime_preview = array('bmp', 'jpeg', 'png', 'gif', 'tiff', 'pdf', 'plain', 'css', 'webp');
|
||||
if (!empty($conf->global->MAIN_ALLOW_SVG_FILES_AS_IMAGES)) $mime_preview[] = 'svg+xml';
|
||||
//$mime_preview[]='vnd.oasis.opendocument.presentation';
|
||||
//$mime_preview[]='archive';
|
||||
$num_mime = array_search(dol_mimetype($file, '', 1), $mime_preview);
|
||||
if ($num_mime !== false) return 1;
|
||||
|
||||
// By default, not allowed for preview
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* Return mime type of a file
|
||||
*
|
||||
@@ -7924,7 +7947,7 @@ function ajax_autoselect($htmlname, $addlink = '')
|
||||
* @param string $default Default mime type if extension not found in known list
|
||||
* @param int $mode 0=Return full mime, 1=otherwise short mime string, 2=image for mime type, 3=source language, 4=css of font fa
|
||||
* @return string Return a mime type family (text/xxx, application/xxx, image/xxx, audio, video, archive)
|
||||
* @see image_format_supported() from images.lib.php
|
||||
* @see dolIsAllowedForPreview(), image_format_supported() from images.lib.php
|
||||
*/
|
||||
function dol_mimetype($file, $default = 'application/octet-stream', $mode = 0)
|
||||
{
|
||||
|
||||
@@ -153,11 +153,13 @@ if (isset($_GET["attachment"])) $attachment = GETPOST("attachment", 'alpha') ?tr
|
||||
if (!empty($conf->global->MAIN_DISABLE_FORCE_SAVEAS)) $attachment = false;
|
||||
|
||||
// Define mime type
|
||||
$type = 'application/octet-stream';
|
||||
$type = 'application/octet-stream'; // By default
|
||||
if (GETPOST('type', 'alpha')) $type = GETPOST('type', 'alpha');
|
||||
else $type = dol_mimetype($original_file);
|
||||
// Security: Force to octet-stream if file is a dangerous file
|
||||
if (preg_match('/\.noexe$/i', $original_file)) $type = 'application/octet-stream';
|
||||
// Security: Force to octet-stream if file is a dangerous file. For example when it is a .noexe file
|
||||
if (!dolIsAllowedForPreview($original_file)) {
|
||||
$type = 'application/octet-stream';
|
||||
}
|
||||
|
||||
// Security: Delete string ../ into $original_file
|
||||
$original_file = str_replace("../", "/", $original_file);
|
||||
@@ -259,6 +261,7 @@ if (!$attachment && !empty($conf->global->MAIN_USE_EXIF_ROTATION) && image_forma
|
||||
|
||||
if ($readfile) {
|
||||
header('Content-Length: '.dol_filesize($fullpath_original_file));
|
||||
|
||||
readfile($fullpath_original_file_osencoded);
|
||||
}
|
||||
|
||||
|
||||
@@ -255,7 +255,7 @@ if (GETPOSTISSET('THEME_SATURATE_RATIO')) $conf->global->THEME_SATURATE_RATIO =
|
||||
}
|
||||
|
||||
.customer-back {
|
||||
background-color: #95a55d !important;
|
||||
background-color: #55955d !important;
|
||||
color: #FFF !important;
|
||||
padding: 2px;
|
||||
margin: 2px;
|
||||
|
||||
Reference in New Issue
Block a user