From c4d8a25c5a09f018fd42a9b346085c36fa8a87ee Mon Sep 17 00:00:00 2001
From: florian HENRY
Date: Mon, 10 Aug 2020 13:40:55 +0200
Subject: [PATCH 1/8] fix external module multidiroutput
---
 htdocs/core/lib/files.lib.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/htdocs/core/lib/files.lib.php b/htdocs/core/lib/files.lib.php
index 23b631bae53..cb139edd29b 100644
--- a/htdocs/core/lib/files.lib.php
+++ b/htdocs/core/lib/files.lib.php
@@ -2992,7 +2992,7 @@ function dol_check_secure_access_document($modulepart, $original_file, $entity,
 if ($partofdirinoriginalfile && ($fuser->rights->$modulepart->$partofdirinoriginalfile->{$lire} || $fuser->rights->$modulepart->$partofdirinoriginalfile->{$read})) $accessallowed = 1;
 if ($fuser->rights->$modulepart->{$lire} || $fuser->rights->$modulepart->{$read}) $accessallowed = 1;
 //}
- $original_file = $conf->$modulepart->dir_output.'/'.$original_file;
+ $original_file = $conf->$modulepart->multidir_output[$entity].'/'.$original_file;
 }
 // For modules who wants to manage different levels of permissions for documents
From 6928b6543c9f6db15e1c7fc8ba257602debd1c52 Mon Sep 17 00:00:00 2001
From: Alexandre SPANGARO
Date: Wed, 16 Sep 2020 21:24:24 +0200
Subject: [PATCH 2/8] Revert "FIX Yogosha report 4425 (backport)"
This reverts commit 23c4cfe913429a38b3e4f9edec33bdfb0166d274.
---
 htdocs/core/lib/functions.lib.php | 37 +++++++------------------------
 htdocs/document.php | 9 ++++----
 2 files changed, 12 insertions(+), 34 deletions(-)
diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php
index 3f4229589dd..97ad5d58969 100644
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
@@ -7705,16 +7705,19 @@ function getAdvancedPreviewUrl($modulepart, $relativepath, $alldata = 0, $param
 if (empty($conf->use_javascript_ajax)) return '';
- $isAllowedForPreview = dolIsAllowedForPreview($relativepath);
+ $mime_preview = array('bmp', 'jpeg', 'png', 'gif', 'tiff', 'pdf', 'plain', 'css', 'svg+xml');
+ //$mime_preview[]='vnd.oasis.opendocument.presentation';
+ //$mime_preview[]='archive';
+ $num_mime = array_search(dol_mimetype($relativepath, '', 1), $mime_preview);
 if ($alldata == 1) {
- if (isAllowedForPreview) return array('target'=>'_blank', 'css'=>'documentpreview', 'url'=>DOL_URL_ROOT.'/document.php?modulepart='.$modulepart.'&attachment=0&file='.urlencode($relativepath).($param?'&'.$param:''), 'mime'=>dol_mimetype($relativepath), );
+ if ($num_mime !== false) return array('target'=>'_blank', 'css'=>'documentpreview', 'url'=>DOL_URL_ROOT.'/document.php?modulepart='.$modulepart.'&attachment=0&file='.urlencode($relativepath).($param?'&'.$param:''), 'mime'=>dol_mimetype($relativepath), );
 else return array();
 }
- // old behavior, return a string
- if ($isAllowedForPreview) return 'javascript:document_preview(\''.dol_escape_js(DOL_URL_ROOT.'/document.php?modulepart='.$modulepart.'&attachment=0&file='.urlencode($relativepath).($param?'&'.$param:'')).'\', \''.dol_mimetype($relativepath).'\', \''.dol_escape_js($langs->trans('Preview')).'\')';
+ // old behavior
+ if ($num_mime !== false) return 'javascript:document_preview(\''.dol_escape_js(DOL_URL_ROOT.'/document.php?modulepart='.$modulepart.'&attachment=0&file='.urlencode($relativepath).($param?'&'.$param:'')).'\', \''.dol_mimetype($relativepath).'\', \''.dol_escape_js($langs->trans('Preview')).'\')';
 else return '';
 }
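Review bot: The first added line puts `'svg+xml'` back into `$mime_preview` unconditionally, so SVG attachments are offered for inline browser preview without the `MAIN_ALLOW_SVG_FILES_AS_IMAGES` gate and without the `.noexe` check that the removed `dolIsAllowedForPreview()` call applied; patch 4/8 later re-applies only the document.php side, so this is the state the series ends in. Inline-rendered SVG can carry script, so I would keep the list conservative here: drop `'svg+xml'` from the literal and add `if (!empty($conf->global->MAIN_ALLOW_SVG_FILES_AS_IMAGES)) $mime_preview[] = 'svg+xml';` (`$conf` is already read on the hunk's first context line). The `array_search()` on the fourth added line also runs without `strict: true`; passing it costs nothing and avoids loose string comparison. The signature of getAdvancedPreviewUrl() lies above the hunk.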
@@ -7738,30 +7741,6 @@ function ajax_autoselect($htmlname, $addlink = '')
 return $out;
 }
-/**
- * Return if a file is qualified for preview
- *
- * @param string $file Filename we looking for information
- * @return int 1 If allowed, 0 otherwise
- * @see dol_mimetype(), image_format_supported() from images.lib.php
- */
-function dolIsAllowedForPreview($file) {
- global $conf;
-
- // Check .noexe extension in filename
- if (preg_match('/\.noexe$/i', $file)) return 0;
-
- // Check mime types
- $mime_preview = array('bmp', 'jpeg', 'png', 'gif', 'tiff', 'pdf', 'plain', 'css', 'webp');
- if (!empty($conf->global->MAIN_ALLOW_SVG_FILES_AS_IMAGES)) $mime_preview[] = 'svg+xml';
- //$mime_preview[]='vnd.oasis.opendocument.presentation';
- //$mime_preview[]='archive';
- $num_mime = array_search(dol_mimetype($file, '', 1), $mime_preview);
- if ($num_mime !== false) return 1;
-
- // By default, not allowed for preview
- return 0;
-}
 /**
 * Return mime type of a file
@@ -7770,7 +7749,7 @@ function dolIsAllowedForPreview($file) {
 * @param string $default Default mime type if extension not found in known list
 * @param int $mode 0=Return full mime, 1=otherwise short mime string, 2=image for mime type, 3=source language, 4=css of font fa
 * @return string Return a mime type family (text/xxx, application/xxx, image/xxx, audio, video, archive)
- * @see dolIsAllowedForPreview(), image_format_supported() from images.lib.php
+ * @see image_format_supported() from images.lib.php
 */
 function dol_mimetype($file, $default = 'application/octet-stream', $mode = 0) {
diff --git a/htdocs/document.php b/htdocs/document.php
index ccd404f7315..2b37792d69a 100644
--- a/htdocs/document.php
+++ b/htdocs/document.php
@@ -156,13 +156,12 @@ if (isset($_GET["attachment"])) $attachment = GETPOST("attachment", 'alpha')?tru
 if (! empty($conf->global->MAIN_DISABLE_FORCE_SAVEAS)) $attachment=false;
 // Define mime type
-$type = 'application/octet-stream'; // By default
+$type = 'application/octet-stream';
 if (GETPOST('type', 'alpha')) $type=GETPOST('type', 'alpha');
 else $type=dol_mimetype($original_file);
-// Security: Force to octet-stream if file is a dangerous file. For example when it is a .noexe file
-if (!dolIsAllowedForPreview($original_file)) {
- $type = 'application/octet-stream';
-}
+// Security: Force to octet-stream if file is a dangerous file
+if (preg_match('/\.noexe$/i', $original_file)) $type = 'application/octet-stream';
+
 // Security: Delete string ../ into $original_file
 $original_file = str_replace("../", "/", $original_file);
From 55e3f8365e74477f0e582cae10638bfc44848aec Mon Sep 17 00:00:00 2001
From: Alexandre SPANGARO
Date: Wed, 16 Sep 2020 21:36:55 +0200
Subject: [PATCH 3/8] FIX Yogosha report 4434 (backport)
---
 htdocs/adherents/card.php | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/htdocs/adherents/card.php b/htdocs/adherents/card.php
index c6ec8569a09..f8289e04cb2 100644
--- a/htdocs/adherents/card.php
+++ b/htdocs/adherents/card.php
@@ -286,7 +286,7 @@ if (empty($reshook))
 $object->firstname = trim(GETPOST("firstname", 'alpha'));
 $object->lastname = trim(GETPOST("lastname", 'alpha'));
 $object->gender = trim(GETPOST("gender", 'alpha'));
- $object->login = trim(GETPOST("login", 'alpha'));
+ $object->login = trim(GETPOST("login", 'alphanohtml'));
 $object->pass = trim(GETPOST("pass", 'alpha'));
 $object->societe = trim(GETPOST("societe", 'alpha'));
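Review bot: The switch to `alphanohtml` on the added line hardens the write path for `login`, but the neighbouring fields on the context lines — `firstname`, `lastname`, `societe` — are still read with `alpha`, which, as this change itself implies, leaves markup in place; if they are echoed back on the same card they need the same treatment, or better an escape at the output side. The output sites are this patch's `print` hunks at @@ -914 and @@ -1171: in the extracted page their removed and added lines read identically, so the `value` attribute markup has been lost and I cannot confirm from here that `$object->login` is escaped there (with `dol_escape_htmltag()` or similar) — worth checking on the real diff. The same filter change at @@ -453 (`$login` from `member_login`) has the same neighbours still on `alpha`. The enclosing `if (empty($reshook))` block starts above the hunk.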
@@ -453,7 +453,7 @@ if (empty($reshook))
 $facebook=GETPOST("member_facebook", 'alpha');
 $linkedin=GETPOST("member_linkedin", 'alpha');
 $email=preg_replace('/\s+/', '', GETPOST("member_email", 'alpha'));
- $login=GETPOST("member_login", 'alpha');
+ $login=GETPOST("member_login", 'alphanohtml');
 $pass=GETPOST("password", 'alpha');
 $photo=GETPOST("photo", 'alpha');
 //$comment=GETPOST("comment",'none');
@@ -914,7 +914,7 @@ else
 // Login
 if (empty($conf->global->ADHERENT_LOGIN_NOT_REQUIRED))
 {
- print ''.$langs->trans("Login").' / '.$langs->trans("Id").'login).'" autofocus="autofocus">';
+ print ''.$langs->trans("Login").' / '.$langs->trans("Id").'login).'" autofocus="autofocus">';
 }
 // Password
@@ -1171,7 +1171,7 @@ else
 // Login
 if (empty($conf->global->ADHERENT_LOGIN_NOT_REQUIRED))
 {
- print ''.$langs->trans("Login").' / '.$langs->trans("Id").'login).'">';
+ print ''.$langs->trans("Login").' / '.$langs->trans("Id").'login).'">';
 }
 // Password
From f453e43ccafd649c6bffce6eab6ac1135fafd455 Mon Sep 17 00:00:00 2001
From: Alexandre SPANGARO
Date: Fri, 18 Sep 2020 01:37:15 +0200
Subject: [PATCH 4/8] FIX Yogosha report 4425 (backport)
---
 htdocs/document.php | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/htdocs/document.php b/htdocs/document.php
index 2b37792d69a..ccd404f7315 100644
--- a/htdocs/document.php
+++ b/htdocs/document.php
@@ -156,12 +156,13 @@ if (isset($_GET["attachment"])) $attachment = GETPOST("attachment", 'alpha')?tru
 if (! empty($conf->global->MAIN_DISABLE_FORCE_SAVEAS)) $attachment=false;
 // Define mime type
-$type = 'application/octet-stream';
+$type = 'application/octet-stream'; // By default
 if (GETPOST('type', 'alpha')) $type=GETPOST('type', 'alpha');
 else $type=dol_mimetype($original_file);
-// Security: Force to octet-stream if file is a dangerous file
-if (preg_match('/\.noexe$/i', $original_file)) $type = 'application/octet-stream';
-
+// Security: Force to octet-stream if file is a dangerous file. For example when it is a .noexe file
+if (!dolIsAllowedForPreview($original_file)) {
+ $type = 'application/octet-stream';
+}
 // Security: Delete string ../ into $original_file
 $original_file = str_replace("../", "/", $original_file);
From 7a9332815c6e852e564d8ad47cae19cb06d4d1c6 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Fri, 25 Sep 2020 12:22:24 +0200
Subject: [PATCH 5/8] Fix migration
---
 htdocs/install/mysql/migration/3.2.0-3.3.0.sql | 1 +
 1 file changed, 1 insertion(+)
diff --git a/htdocs/install/mysql/migration/3.2.0-3.3.0.sql b/htdocs/install/mysql/migration/3.2.0-3.3.0.sql
index 91c155d3d84..c0efe6d68b3 100644
--- a/htdocs/install/mysql/migration/3.2.0-3.3.0.sql
+++ b/htdocs/install/mysql/migration/3.2.0-3.3.0.sql
@@ -315,6 +315,7 @@ ALTER TABLE llx_c_chargesociales ADD COLUMN accountancy_code varchar(15) DEFAULT
 -- Tables for accountancy expert
 DROP TABLE llx_accountingaccount;
+DROP TABLE llx_accounting_account;
 DROP TABLE llx_accountingsystem;
 DROP TABLE llx_accounting_system;
From 0dcd85485aba5e1b7566d6a3bf616aeed556114f Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Fri, 25 Sep 2020 12:36:32 +0200
Subject: [PATCH 6/8] Fix migration
---
 htdocs/install/mysql/migration/3.3.0-3.4.0.sql | 4 ++++
 1 file changed, 4 insertions(+)
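Review bot: The added `dolIsAllowedForPreview()` call has no definition left in this series: patch 2/8 deleted that function from htdocs/core/lib/functions.lib.php and no later patch restores it, so unless it is defined elsewhere on the branch every request through document.php fails on an undefined function, and the `.noexe` → octet-stream fallback of the removed `preg_match` line is gone with it. Either restore the function together with this re-apply, or keep `if (preg_match('/\.noexe$/i', $original_file)) $type = 'application/octet-stream';` in place until it exists. Separately, the context line `if (GETPOST('type', 'alpha')) $type=GETPOST('type', 'alpha');` still lets the client choose the served Content-Type for any file that passes the preview check; the safer shape is to derive `$type` from `dol_mimetype($original_file)` only, or to honour the override only when it matches a small allow-list. This is flat top-level script code, so there is no enclosing function.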
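Review bot: The added `DROP TABLE llx_accounting_account;` has no `IF EXISTS`, so on a database where that table was never created the statement errors; whether that stops the upgrade depends on the migration runner tolerating failed DROPs, which is not visible here, and the neighbouring lines take the same risk. If the runner does not ignore such errors, `DROP TABLE IF EXISTS llx_accounting_account;` is the safer form. The `ALTER TABLE llx_reception DROP FOREIGN KEY fk_reception_fk_shipping_method;` added by patch 6/8 in htdocs/install/mysql/migration/3.3.0-3.4.0.sql has the same property, and its own comment says the constraint should normally not exist; MySQL has no `IF EXISTS` form for `DROP FOREIGN KEY`, so that statement relies on the runner ignoring the error, which deserves a comment saying so.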
diff --git a/htdocs/install/mysql/migration/3.3.0-3.4.0.sql b/htdocs/install/mysql/migration/3.3.0-3.4.0.sql
index 0f84c92ef22..88d9ae1b685 100644
--- a/htdocs/install/mysql/migration/3.3.0-3.4.0.sql
+++ b/htdocs/install/mysql/migration/3.3.0-3.4.0.sql
@@ -102,6 +102,10 @@ ALTER TABLE llx_expedition DROP FOREIGN KEY fk_expedition_fk_shipping_method;
 ALTER TABLE llx_expedition DROP INDEX idx_expedition_fk_expedition_methode;
 ALTER TABLE llx_expedition CHANGE COLUMN fk_expedition_methode fk_shipping_method integer;
+-- This table and constraint should not exists as it appears in more recent version, but we may have it if we load an old dump
+-- on a newly created database and we want to be sure upgrade of rowid into autoincrement done later will works.
+ALTER TABLE llx_reception DROP FOREIGN KEY fk_reception_fk_shipping_method;
+
 ALTER TABLE llx_c_shipment_mode ADD COLUMN tracking VARCHAR(255) NOT NULL DEFAULT '' AFTER description;
 --ALTER TABLE llx_c_shipment_mode DROP COLUMN CASCADE;
From 5ff7e376962e0a78d7c292a441b24fd28c80c122 Mon Sep 17 00:00:00 2001
From: Florian HENRY
Date: Sun, 27 Sep 2020 18:05:19 +0200
Subject: [PATCH 7/8] review code
---
 htdocs/core/lib/files.lib.php | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/htdocs/core/lib/files.lib.php b/htdocs/core/lib/files.lib.php
index cb139edd29b..ddd20159e09 100644
--- a/htdocs/core/lib/files.lib.php
+++ b/htdocs/core/lib/files.lib.php
@@ -2992,7 +2992,11 @@ function dol_check_secure_access_document($modulepart, $original_file, $entity,
 if ($partofdirinoriginalfile && ($fuser->rights->$modulepart->$partofdirinoriginalfile->{$lire} || $fuser->rights->$modulepart->$partofdirinoriginalfile->{$read})) $accessallowed = 1;
 if ($fuser->rights->$modulepart->{$lire} || $fuser->rights->$modulepart->{$read}) $accessallowed = 1;
 //}
- $original_file = $conf->$modulepart->multidir_output[$entity].'/'.$original_file;
+ if (is_array($conf->$modulepart->multidir_output) && array_key_exists($entity, $conf->$modulepart->multidir_output)) {
+ $original_file = $conf->$modulepart->multidir_output[$entity].'/'.$original_file;
+ } else {
+ $original_file = $conf->$modulepart->dir_output.'/'.$original_file;
+ }
 }
 // For modules who wants to manage different levels of permissions for documents
From 5c9ad3ec9bad0399314195855ebc57429e67a94f Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Sun, 27 Sep 2020 18:55:09 +0200
Subject: [PATCH 8/8] Update files.lib.php
---
 htdocs/core/lib/files.lib.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/htdocs/core/lib/files.lib.php b/htdocs/core/lib/files.lib.php
index ddd20159e09..2d126b4e4f7 100644
--- a/htdocs/core/lib/files.lib.php
+++ b/htdocs/core/lib/files.lib.php
@@ -2992,7 +2992,7 @@ function dol_check_secure_access_document($modulepart, $original_file, $entity,
 if ($partofdirinoriginalfile && ($fuser->rights->$modulepart->$partofdirinoriginalfile->{$lire} || $fuser->rights->$modulepart->$partofdirinoriginalfile->{$read})) $accessallowed = 1;
 if ($fuser->rights->$modulepart->{$lire} || $fuser->rights->$modulepart->{$read}) $accessallowed = 1;
 //}
- if (is_array($conf->$modulepart->multidir_output) && array_key_exists($entity, $conf->$modulepart->multidir_output)) {
+ if (is_array($conf->$modulepart->multidir_output) && !empty($conf->$modulepart->multidir_output[$entity])) {
 $original_file = $conf->$modulepart->multidir_output[$entity].'/'.$original_file;
 } else {
 $original_file = $conf->$modulepart->dir_output.'/'.$original_file;
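Review bot: The `!empty()` test on the added line now also falls back to `dir_output` when the `$entity` entry exists but is empty, which the `array_key_exists()` of patch 7/8 missed, but the fallback itself is the part I would document: this function decides which path a document is served from, and a request for an entity that has no `multidir_output` entry is silently resolved against the module's default `dir_output` instead of being refused, which in a multi-entity setup may be another entity's directory. If that is intended, say so next to the `else`, e.g. `// No per-entity output dir for this module: fall back to the shared dir_output (not entity-isolated)`; if not, deny access in that branch. Also, when `$conf->$modulepart` itself is unset both branches reduce to `'/'.$original_file` after a warning on the null property read — pre-existing behaviour of the removed line, but a guard on `empty($conf->$modulepart)` before this block would close it. dol_check_secure_access_document() starts above the hunk and continues below it.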