Fix rename of file to remove .noexe extension.

2017-06-18 21:52:51 +02:00 · 2017-06-18 21:52:51 +02:00 · 0ef507ae7f
commit 0ef507ae7f
parent abe736c6a6
3 changed files with 37 additions and 27 deletions
--- a/htdocs/comm/propal/document.php
+++ b/htdocs/comm/propal/document.php
@ -1,6 +1,6 @@
 <?php
 /* Copyright (C) 2003-2004 Rodolphe Quiedeville  <rodolphe@quiedeville.org>
- * Copyright (C) 2004-2009 Laurent Destailleur   <eldy@users.sourceforge.net>
+ * Copyright (C) 2004-2017 Laurent Destailleur   <eldy@users.sourceforge.net>
 * Copyright (C) 2005      Marc Barilley / Ocebo <marc@ocebo.com>
 * Copyright (C) 2005-2012 Regis Houssin         <regis.houssin@capnetworks.com>
 * Copyright (C) 2013      Cédric Salvador       <csalvador@gpcsolutions.fr>
@ -63,17 +63,18 @@ if (! $sortfield) $sortfield="name";

 $object = new Propal($db);
 $object->fetch($id,$ref);
-if ($object->id > 0)
-{
-	$object->fetch_thirdparty();
-	$upload_dir = $conf->propal->dir_output.'/'.dol_sanitizeFileName($object->ref);
-	include_once DOL_DOCUMENT_ROOT . '/core/actions_linkedfiles.inc.php';
-}
+

 /*
 * Actions
 */

+if ($object->id > 0)
+{
+    $object->fetch_thirdparty();
+    $upload_dir = $conf->propal->dir_output.'/'.dol_sanitizeFileName($object->ref);
+    include_once DOL_DOCUMENT_ROOT . '/core/actions_linkedfiles.inc.php';
+}


 /*
@ -101,10 +102,10 @@ if ($object->id > 0)


 	// Proposal card
-	
+
 	$linkback = '<a href="' . DOL_URL_ROOT . '/comm/propal/list.php' . (! empty($socid) ? '?socid=' . $socid : '') . '">' . $langs->trans("BackToList") . '</a>';
-	
-	
+
+
 	$morehtmlref='<div class="refidno">';
 	// Ref customer
 	$morehtmlref.=$form->editfieldkey("RefCustomer", 'ref_client', $object->ref_client, $object, 0, 'string', '', 0, 1);
@ -145,24 +146,24 @@ if ($object->id > 0)
 	    }
 	}
 	$morehtmlref.='</div>';
-	
+
 	dol_banner_tab($object, 'ref', $linkback, 1, 'ref', 'ref', $morehtmlref);
-	
-	
+
+
 	print '<div class="fichecenter">';
 	print '<div class="underbanner clearboth"></div>';
-	
+
 	print '<table class="border" width="100%">';
-	
+
 	// Files infos
 	print '<tr><td class="titlefield">'.$langs->trans("NbOfAttachedFiles").'</td><td>'.count($filearray).'</td></tr>';
 	print '<tr><td>'.$langs->trans("TotalSizeOfAttachedFiles").'</td><td>'.$totalsize.' '.$langs->trans("bytes").'</td></tr>';
-	
+
 	print "</table>\n";
-	
+
 	print '</div>';
-	
-	
+
+
 	dol_fiche_end();

 	$modulepart = 'propal';
--- a/htdocs/core/actions_linkedfiles.inc.php
+++ b/htdocs/core/actions_linkedfiles.inc.php
@ -71,7 +71,7 @@ if ($action == 'confirm_deletefile' && $confirm == 'yes')

            $ret = dol_delete_file($file, 0, 0, 0, $object);
            if (! empty($fileold)) dol_delete_file($fileold, 0, 0, 0, $object);     // Delete file using old path
-            
+
 	        // Si elle existe, on efface la vignette
 	        if (preg_match('/(\.jpg|\.jpeg|\.bmp|\.gif|\.png|\.tiff)$/i',$file,$regs))
 	        {
@ -150,19 +150,28 @@ elseif ($action == 'renamefile' && GETPOST('renamefilesave'))
        {
            $filenamefrom=dol_sanitizeFileName(GETPOST('renamefilefrom'));
            $filenameto=dol_sanitizeFileName(GETPOST('renamefileto'));
+
+            // Security:
+            // Disallow file with some extensions. We rename them.
+            // Because if we put the documents directory into a directory inside web root (very bad), this allows to execute on demand arbitrary code.
+            if (preg_match('/\.htm|\.html|\.php|\.pl|\.cgi$/i',$filenameto) && empty($conf->global->MAIN_DOCUMENT_IS_OUTSIDE_WEBROOT_SO_NOEXE_NOT_REQUIRED))
+            {
+                $filenameto.= '.noexe';
+            }
+
            if ($filenamefrom && $filenameto)
            {
                $srcpath = $upload_dir.'/'.$filenamefrom;
                $destpath = $upload_dir.'/'.$filenameto;
-    
+
                $result = dol_move($srcpath, $destpath);
-                if ($result) 
+                if ($result)
                {
                    $object->addThumbs($destpath);
-                    
+
                    // TODO Add revert function of addThumbs
                    //$object->delThumbs($srcpath);
-                    
+
                    setEventMessages($langs->trans("FileRenamed"), null);
                }
                else setEventMessages($langs->trans("ErrorFailToRenameFile", $filenamefrom, $filenameto), null, 'errors');
--- a/htdocs/core/lib/files.lib.php
+++ b/htdocs/core/lib/files.lib.php
@ -634,9 +634,9 @@ function dol_move_uploaded_file($src_file, $dest_file, $allowoverwrite, $disable
 			}
 		}

-		// Security:
-		// Disallow file with some extensions. We renamed them.
-		// Car si on a mis le rep documents dans un rep de la racine web (pas bien), cela permet d'executer du code a la demande.
+        // Security:
+        // Disallow file with some extensions. We rename them.
+        // Because if we put the documents directory into a directory inside web root (very bad), this allows to execute on demand arbitrary code.
 		if (preg_match('/\.htm|\.html|\.php|\.pl|\.cgi$/i',$dest_file) && empty($conf->global->MAIN_DOCUMENT_IS_OUTSIDE_WEBROOT_SO_NOEXE_NOT_REQUIRED))
 		{
 			$file_name.= '.noexe';