From 0ef507ae7fd609ef90af4cf035c2e3fe4c27e21e Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sun, 18 Jun 2017 21:52:51 +0200 Subject: [PATCH] Fix rename of file to remove .noexe extension. --- htdocs/comm/propal/document.php | 39 +++++++++++++------------ htdocs/core/actions_linkedfiles.inc.php | 19 ++++++++---- htdocs/core/lib/files.lib.php | 6 ++-- 3 files changed, 37 insertions(+), 27 deletions(-) diff --git a/htdocs/comm/propal/document.php b/htdocs/comm/propal/document.php index 9b875e434f7..aef0ade7c84 100644 --- a/htdocs/comm/propal/document.php +++ b/htdocs/comm/propal/document.php @@ -1,6 +1,6 @@ - * Copyright (C) 2004-2009 Laurent Destailleur + * Copyright (C) 2004-2017 Laurent Destailleur * Copyright (C) 2005 Marc Barilley / Ocebo * Copyright (C) 2005-2012 Regis Houssin * Copyright (C) 2013 Cédric Salvador @@ -63,17 +63,18 @@ if (! $sortfield) $sortfield="name"; $object = new Propal($db); $object->fetch($id,$ref); -if ($object->id > 0) -{ - $object->fetch_thirdparty(); - $upload_dir = $conf->propal->dir_output.'/'.dol_sanitizeFileName($object->ref); - include_once DOL_DOCUMENT_ROOT . '/core/actions_linkedfiles.inc.php'; -} + /* * Actions */ +if ($object->id > 0) +{ + $object->fetch_thirdparty(); + $upload_dir = $conf->propal->dir_output.'/'.dol_sanitizeFileName($object->ref); + include_once DOL_DOCUMENT_ROOT . '/core/actions_linkedfiles.inc.php'; +} /* @@ -101,10 +102,10 @@ if ($object->id > 0) // Proposal card - + $linkback = '' . $langs->trans("BackToList") . ''; - - + + $morehtmlref='
'; // Ref customer $morehtmlref.=$form->editfieldkey("RefCustomer", 'ref_client', $object->ref_client, $object, 0, 'string', '', 0, 1); @@ -145,24 +146,24 @@ if ($object->id > 0) } } $morehtmlref.='
'; - + dol_banner_tab($object, 'ref', $linkback, 1, 'ref', 'ref', $morehtmlref); - - + + print '
'; print '
'; - + print ''; - + // Files infos print ''; print ''; - + print "
'.$langs->trans("NbOfAttachedFiles").''.count($filearray).'
'.$langs->trans("TotalSizeOfAttachedFiles").''.$totalsize.' '.$langs->trans("bytes").'
\n"; - + print '
'; - - + + dol_fiche_end(); $modulepart = 'propal'; diff --git a/htdocs/core/actions_linkedfiles.inc.php b/htdocs/core/actions_linkedfiles.inc.php index 672da011a79..fb9f44edcfb 100644 --- a/htdocs/core/actions_linkedfiles.inc.php +++ b/htdocs/core/actions_linkedfiles.inc.php @@ -71,7 +71,7 @@ if ($action == 'confirm_deletefile' && $confirm == 'yes') $ret = dol_delete_file($file, 0, 0, 0, $object); if (! empty($fileold)) dol_delete_file($fileold, 0, 0, 0, $object); // Delete file using old path - + // Si elle existe, on efface la vignette if (preg_match('/(\.jpg|\.jpeg|\.bmp|\.gif|\.png|\.tiff)$/i',$file,$regs)) { @@ -150,19 +150,28 @@ elseif ($action == 'renamefile' && GETPOST('renamefilesave')) { $filenamefrom=dol_sanitizeFileName(GETPOST('renamefilefrom')); $filenameto=dol_sanitizeFileName(GETPOST('renamefileto')); + + // Security: + // Disallow file with some extensions. We rename them. + // Because if we put the documents directory into a directory inside web root (very bad), this allows to execute on demand arbitrary code. + if (preg_match('/\.htm|\.html|\.php|\.pl|\.cgi$/i',$filenameto) && empty($conf->global->MAIN_DOCUMENT_IS_OUTSIDE_WEBROOT_SO_NOEXE_NOT_REQUIRED)) + { + $filenameto.= '.noexe'; + } + if ($filenamefrom && $filenameto) { $srcpath = $upload_dir.'/'.$filenamefrom; $destpath = $upload_dir.'/'.$filenameto; - + $result = dol_move($srcpath, $destpath); - if ($result) + if ($result) { $object->addThumbs($destpath); - + // TODO Add revert function of addThumbs //$object->delThumbs($srcpath); - + setEventMessages($langs->trans("FileRenamed"), null); } else setEventMessages($langs->trans("ErrorFailToRenameFile", $filenamefrom, $filenameto), null, 'errors'); diff --git a/htdocs/core/lib/files.lib.php b/htdocs/core/lib/files.lib.php index a4680ca81e2..29706e15341 100644 --- a/htdocs/core/lib/files.lib.php +++ b/htdocs/core/lib/files.lib.php 
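Review bot: In the added guard `if (preg_match('/\.htm|\.html|\.php|\.pl|\.cgi$/i',$filenameto) && …)` the `$` anchor binds only to the last alternative, so `.htm`, `.html`, `.php` and `.pl` match anywhere in the name (`report.php.txt` gains `.noexe`, harmless but probably unintended) while suffixes that some server configurations still hand to a script interpreter, such as `.phtml`, are not matched at all; if a suffix test is the intent, `/\.(htm|html|php|pl|cgi)$/i` states it, and the list itself deserves a deliberate review either way. The same pattern and the `MAIN_DOCUMENT_IS_OUTSIDE_WEBROOT_SO_NOEXE_NOT_REQUIRED` check now exist verbatim here and in dol_move_uploaded_file in files.lib.php (third hunk of this patch); a single helper in files.lib.php that returns the adjusted filename would keep the upload and rename paths from drifting apart, which is exactly the drift this commit repairs. The user is told only `FileRenamed` on success, so a name that silently gained `.noexe` is not surfaced; a comment such as `// $filenameto may have been suffixed with .noexe above; the stored name can differ from what was requested` at the start of the `if ($filenamefrom && $filenameto)` branch would at least make that explicit to the next maintainer. The surrounding `elseif ($action == 'renamefile' …)` block starts before this hunk.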
@@ -634,9 +634,9 @@ function dol_move_uploaded_file($src_file, $dest_file, $allowoverwrite, $disable } } - // Security: - // Disallow file with some extensions. We renamed them. - // Car si on a mis le rep documents dans un rep de la racine web (pas bien), cela permet d'executer du code a la demande. + // Security: + // Disallow file with some extensions. We rename them. + // Because if we put the documents directory into a directory inside web root (very bad), this allows to execute on demand arbitrary code. if (preg_match('/\.htm|\.html|\.php|\.pl|\.cgi$/i',$dest_file) && empty($conf->global->MAIN_DOCUMENT_IS_OUTSIDE_WEBROOT_SO_NOEXE_NOT_REQUIRED)) { $file_name.= '.noexe';