FIX DetecHTML on upload file from filemanager fails due to need to lock

(no reason to need to lock file to read it).
ldestailleur
2025-04-25 19:54:53 +02:00
parent 9b3f315c14
commit f1e8191e7b
3 changed files with 11 additions and 8 deletions


@@ -134,7 +134,10 @@ function OnUploadCompleted( errorNumber, data )
alert( 'A file with the same name is already available. The uploaded file has been renamed to "' + data + '"' ); alert( 'A file with the same name is already available. The uploaded file has been renamed to "' + data + '"' );
break; break;
case 202: case 202:
alert( 'Invalid file (Bad extension)' ); alert( 'Invalid file (Bad extension reported by image_format_supported or other)' );
break;
case 205:
alert( 'Invalid file (Bad file reported by DetectHtml)' );
break; break;
default: default:
alert( 'Error on file upload. Error number: ' + errorNumber ); alert( 'Error on file upload. Error number: ' + errorNumber );
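Review bot: The switch gains `case 205` but no `case 204`, although this same commit makes FileUpload set `$sErrorNumber = '204'` when the upload permission is missing. Unless a case above the hunk handles it, a permission refusal falls through to `default` and the user sees only the bare error number. Adding `case 204: alert( 'Upload refused (permission denied)' ); break;` next to the new 205 branch would keep the client messages in step with the server codes. The switch and OnUploadCompleted start above and end below the hunk, so cases outside new lines 134-143 are not visible here.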


@@ -323,6 +323,8 @@ function FileUpload($resourceType, $currentFolder, $sCommand, $CKEcallback = '')
//$sFileName = SanitizeFileName($sFileName); //$sFileName = SanitizeFileName($sFileName);
$sFileName = dol_sanitizeFileName($sFileName); $sFileName = dol_sanitizeFileName($sFileName);
dol_syslog("FileUpload sFileName=".$sFileName);
$sOriginalFileName = $sFileName; $sOriginalFileName = $sFileName;
// Get the extension. // Get the extension.
@@ -339,7 +341,7 @@ function FileUpload($resourceType, $currentFolder, $sCommand, $CKEcallback = '')
}*/ }*/
if (!$permissiontouploadmediaisok) { if (!$permissiontouploadmediaisok) {
dol_syslog("connector.lib.php Try to upload a file with no permission"); dol_syslog("connector.lib.php Try to upload a file with no permission");
$sErrorNumber = '202'; $sErrorNumber = '204';
} }
include_once DOL_DOCUMENT_ROOT.'/core/lib/images.lib.php'; include_once DOL_DOCUMENT_ROOT.'/core/lib/images.lib.php';
@@ -397,9 +399,9 @@ function FileUpload($resourceType, $currentFolder, $sCommand, $CKEcallback = '')
$detectHtml = DetectHtml($sFilePath); $detectHtml = DetectHtml($sFilePath);
if ($detectHtml === true || $detectHtml == -1) { if ($detectHtml === true || $detectHtml == -1) {
// Note that is is a simple test and not reliable. Security does not rely on this. // Note that is is a simple test and not reliable. Security does not rely on this.
dol_syslog("connector.lib.php DetectHtml is ko"); dol_syslog("connector.lib.php DetectHtml is ko detectHtml=".$detectHtml.", we delete the file.");
@unlink($sFilePath); @unlink($sFilePath);
$sErrorNumber = '202'; $sErrorNumber = '205';
} }
} }
} }
@@ -964,13 +966,11 @@ function DetectHtml($filePath)
{ {
$fp = @fopen($filePath, 'rb'); $fp = @fopen($filePath, 'rb');
//open_basedir restriction, see #1906 if ($fp === false) {
if ($fp === false || !flock($fp, LOCK_SH)) {
return -1; return -1;
} }
$chunk = fread($fp, 1024); $chunk = fread($fp, 1024);
flock($fp, LOCK_UN);
fclose($fp); fclose($fp);
$chunk = strtolower($chunk); $chunk = strtolower($chunk);
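Review bot: In the DetectHtml failure branch of FileUpload the new log line states "we delete the file", but the deletion is still `@unlink($sFilePath);` with its warning suppressed and its result unchecked. A file that was just rejected can therefore stay in the upload directory while the log records it as deleted. Checking the return value makes that failure visible: `if (!@unlink($sFilePath)) { dol_syslog("connector.lib.php failed to delete rejected file ".$sFilePath, LOG_ERR); }`. FileUpload begins and ends outside this hunk, so any later cleanup of $sFilePath is not visible from here.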


@@ -80,7 +80,7 @@ function getListOfPossibleImageExt($acceptsvg = 0)
* *
* @param string $file Filename * @param string $file Filename
* @param int $acceptsvg 0=Default (depends on setup), 1=Always accept SVG as image files * @param int $acceptsvg 0=Default (depends on setup), 1=Always accept SVG as image files
* @return int -1=Not image filename, 0=Image filename but format not supported for conversion by PHP, 1=Image filename with format supported by this PHP * @return int -1=Not image filename, 0=Image filename but format not supported for conversion by PHP, 1=Image filename with format supported in conversion by this PHP
*/ */
function image_format_supported($file, $acceptsvg = 0) function image_format_supported($file, $acceptsvg = 0)
{ {