Wavyzz/dolibarr
2
0
Fork 1
mirror of https://github.com/Dolibarr/dolibarr.git synced 2025-12-06 09:38:23 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch '15.0' of git@github.com:Dolibarr/dolibarr.git into 16.0

Browse Source
This commit is contained in:
Laurent Destailleur
2024-02-22 00:15:35 +01:00
parent 2b71c260d8 8c2a910a94
commit a76eafa0d4
3 changed files with 9 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
htdocs/core/lib/files.lib.php
View File

@@ -2441,7 +2441,7 @@ function dol_check_secure_access_document($modulepart, $original_file, $entity,
// Find the subdirectory name as the reference. For example original_file='10/myfile.pdf' -> refname='10'
if (empty($refname)) {
$refname = basename(dirname($original_file)."/");
if ($refname == 'thumbs') {
if ($refname == 'thumbs' || $refname == 'temp') {
// If we get the thumbs directory, we must go one step higher. For example original_file='10/thumbs/myfile_small.jpg' -> refname='10'
$refname = basename(dirname(dirname($original_file))."/");
}

11
htdocs/document.php
View File

@@ -207,20 +207,17 @@ $original_file = str_replace('../', '/', $original_file);
$original_file = str_replace('..\\', '/', $original_file);
// Find the subdirectory name as the reference
$refname = basename(dirname($original_file)."/");
// Security check
if (empty($modulepart)) {
accessforbidden('Bad value for parameter modulepart');
}
// Check security and set return info with full path of file
$check_access = dol_check_secure_access_document($modulepart, $original_file, $entity, $user, $refname);
$check_access = dol_check_secure_access_document($modulepart, $original_file, $entity, $user, '');
$accessallowed = $check_access['accessallowed'];
$sqlprotectagainstexternals = $check_access['sqlprotectagainstexternals'];
$fullpath_original_file = $check_access['original_file']; // $fullpath_original_file is now a full path name
//var_dump($fullpath_original_file.' '.$original_file.' '.$refname.' '.$accessallowed);exit;
//var_dump($fullpath_original_file.' '.$original_file.' '.$accessallowed);exit;
if (!empty($hashp)) {
$accessallowed = 1; // When using hashp, link is public so we force $accessallowed
@@ -284,7 +281,7 @@ if (!is_object($hookmanager)) {
}
$hookmanager->initHooks(array('document'));
$parameters = array('ecmfile' => $ecmfile, 'modulepart' => $modulepart, 'original_file' => $original_file,
'entity' => $entity, 'refname' => $refname, 'fullpath_original_file' => $fullpath_original_file,
'entity' => $entity, 'fullpath_original_file' => $fullpath_original_file,
'filename' => $filename, 'fullpath_original_file_osencoded' => $fullpath_original_file_osencoded);
$reshook = $hookmanager->executeHooks('downloadDocument', $parameters); // Note that $action and $object may have been
if ($reshook < 0) {
@@ -294,6 +291,7 @@ if ($reshook < 0) {
exit;
}
// Permissions are ok and file found, so we return it
top_httphead($type);
header('Content-Description: File Transfer');
@@ -301,6 +299,7 @@ if ($encoding) {
header('Content-Encoding: '.$encoding);
}
// Add MIME Content-Disposition from RFC 2183 (inline=automatically displayed, attachment=need user action to open)
if ($attachment) {
header('Content-Disposition: attachment; filename="'.$filename.'"');
} else {

5
htdocs/fichinter/class/fichinter.class.php
View File

@@ -592,7 +592,8 @@ class Fichinter extends CommonObject
$sql .= ", date_valid = '".$this->db->idate($now)."'";
$sql .= ", fk_user_valid = ".($user->id > 0 ? (int) $user->id : "null");
$sql .= " WHERE rowid = ".((int) $this->id);
$sql .= " AND entity = ".((int) $conf->entity);
$sql .= " AND entity = ".((int) $this->entity);
$sql .= " AND fk_statut = 0";
dol_syslog(get_class($this)."::setValid", LOG_DEBUG);
@@ -620,7 +621,7 @@ class Fichinter extends CommonObject
// Now we rename also files into index
$sql = 'UPDATE '.MAIN_DB_PREFIX."ecm_files set filename = CONCAT('".$this->db->escape($this->newref)."', SUBSTR(filename, ".(strlen($this->ref) + 1).")), filepath = 'ficheinter/".$this->db->escape($this->newref)."'";
$sql .= " WHERE filename LIKE '".$this->db->escape($this->ref)."%' AND filepath = 'ficheinter/".$this->db->escape($this->ref)."' and entity = ".$conf->entity;
$sql .= " WHERE filename LIKE '".$this->db->escape($this->ref)."%' AND filepath = 'ficheinter/".$this->db->escape($this->ref)."' and entity = ".((int) $this->entity);
$resql = $this->db->query($sql);
if (!$resql) {
$error++; $this->error = $this->db->lasterror();