From a151e3d7b582afff65249caa46d31ddd5fe30eb9 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Mon, 2 Jun 2025 00:10:36 +0200 Subject: [PATCH] Fix url for barcode of profile should use securekey. --- htdocs/public/users/view.php | 10 +++++++++- htdocs/viewimage.php | 26 ++++++++++++++++++++++---- 2 files changed, 31 insertions(+), 5 deletions(-) diff --git a/htdocs/public/users/view.php b/htdocs/public/users/view.php index 94c94a778f7..c28f16455e9 100644 --- a/htdocs/public/users/view.php +++ b/htdocs/public/users/view.php @@ -307,6 +307,7 @@ if (getDolGlobalString('USER_IMAGE_PUBLIC_INTERFACE')) { print ''; } +// url for the download .vcf file link $urlforqrcode = $object->getOnlineVirtualCardUrl('vcard'); $socialnetworksdict = getArrayOfSocialNetworks(); @@ -319,10 +320,17 @@ if ($showbarcode) { $filename = $v->buildVCardString($object, $company, $langs, '', $outdir); + $encodedsecurekey = dol_hash($conf->file->instance_unique_id.'uservirtualcard'.$object->id.'-'.$object->login, 'md5'); + if (isModEnabled('multicompany')) { + $entity_qr = '&entity='.((int) $conf->entity); + } else { + $entity_qr = ''; + } + print '
'; print '
'; //print ''; - print ''; + print ''; print '
'; print '
'; }
diff --git a/htdocs/viewimage.php b/htdocs/viewimage.php
index 899fffa181b..1be3dc656b8 100644
--- a/htdocs/viewimage.php
+++ b/htdocs/viewimage.php
@@ -353,14 +353,32 @@ if ($modulepart == 'barcode') {
 $reg = array();
 if (preg_match('/^virtualcard_([^_]+)_(\d+)\.vcf$/', $code, $reg)) {
 $vcffile = '';
- if ($reg[1] == 'user') {
+ $id = 0;
+ $login = '';
+ if ($reg[1] == 'user' && (int) $reg[2] > 0) {
 $vcffile = $conf->user->dir_temp.'/'.$code;
- } elseif ($reg[1] == 'contact') {
+ $id = (int) $reg[2];
+ $tmpuser = new User($db);
+ $tmpuser->fetch($id);
+ $login = $tmpuser->login;
+ } elseif ($reg[1] == 'contact' && (int) $reg[2] > 0) {
 $vcffile = $conf->contact->dir_temp.'/'.$code;
+ $id = (int) $reg[2];
 }
- if ($vcffile) {
- $code = file_get_contents($vcffile);
+ $code = '';
+ if ($vcffile && $id) {
+ // Case of use of viewimage to get the barcode for user pubic profile,
+ // we must check the securekey that protet against forging url
+ if ($reg[1] == 'user' && (int) $reg[2] > 0) {
+ $encodedsecurekey = dol_hash($conf->file->instance_unique_id.'uservirtualcard'.$id.'-'.$login, 'md5');
+ if ($encodedsecurekey != GETPOST('securekey')) {
+ $code = 'badvalueforsecurekey';
+ }
+ }
+ if (empty($code)) {
+ $code = file_get_contents($vcffile);
+ }
 }
 }
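Review bot: The securekey derivation `dol_hash($conf->file->instance_unique_id.'uservirtualcard'.$object->id.'-'.$object->login, 'md5')` is written out by hand here and again, with `$id`/`$login` in place of the object fields, in the viewimage.php hunk; any later change to one copy (a different separator, a switch away from md5) silently breaks the check, or loosens it on the verifying side only. Put the derivation in one shared helper, for instance a method on User that both this page and viewimage.php call, so the producer and the verifier cannot drift apart. The print line that emits the link carrying the key is not readable in this rendering, so I cannot confirm the query parameter name; it has to match the `GETPOST('securekey')` read in viewimage.php exactly. The enclosing `if ($showbarcode)` block starts before the hunk.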
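Review bot: The securekey check `if ($encodedsecurekey != GETPOST('securekey'))` uses a loose, non-constant-time comparison on a secret-derived value; use `if (!hash_equals($encodedsecurekey, (string) GETPOST('securekey')))` so that numeric-string coercion (a digest of the form `0e…` compares equal to `"0"` under `==`) and timing differences cannot weaken it. The `contact` branch sets `$vcffile` and `$id` but is never subject to the key check, so if this code path is reachable without an authenticated session a contact id alone is enough to retrieve that .vcf barcode; the same guard should cover it, or the branch should require a logged-in user. The return value of `$tmpuser->fetch($id)` is ignored, leaving `$login` empty for an unknown id and still reading `$vcffile` afterwards — treat a failed fetch like a bad key, and consider answering both with accessforbidden() rather than encoding the literal `badvalueforsecurekey` into a barcode. The comment on the new block also has two typos, `pubic` → `public` and `protet` → `protect`. The enclosing `if ($modulepart == 'barcode')` block starts before the hunk.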