Revert "FIX Yogosha report 4425 (backport)"
This reverts commit 23c4cfe913.
This commit is contained in:
Alexandre SPANGARO
parent
23c4cfe913
commit
2ff633a89f
@ -7705,16 +7705,19 @@ function getAdvancedPreviewUrl($modulepart, $relativepath, $alldata = 0, $param
|
||||
|
||||
if (empty($conf->use_javascript_ajax)) return '';
|
||||
|
||||
$isAllowedForPreview = dolIsAllowedForPreview($relativepath);
|
||||
$mime_preview = array('bmp', 'jpeg', 'png', 'gif', 'tiff', 'pdf', 'plain', 'css', 'svg+xml');
|
||||
//$mime_preview[]='vnd.oasis.opendocument.presentation';
|
||||
//$mime_preview[]='archive';
|
||||
$num_mime = array_search(dol_mimetype($relativepath, '', 1), $mime_preview);
|
||||
|
||||
if ($alldata == 1)
|
||||
{
|
||||
if (isAllowedForPreview) return array('target'=>'_blank', 'css'=>'documentpreview', 'url'=>DOL_URL_ROOT.'/document.php?modulepart='.$modulepart.'&attachment=0&file='.urlencode($relativepath).($param?'&'.$param:''), 'mime'=>dol_mimetype($relativepath), );
|
||||
if ($num_mime !== false) return array('target'=>'_blank', 'css'=>'documentpreview', 'url'=>DOL_URL_ROOT.'/document.php?modulepart='.$modulepart.'&attachment=0&file='.urlencode($relativepath).($param?'&'.$param:''), 'mime'=>dol_mimetype($relativepath), );
|
||||
else return array();
|
||||
}
|
||||
|
||||
// old behavior, return a string
|
||||
if ($isAllowedForPreview) return 'javascript:document_preview(\''.dol_escape_js(DOL_URL_ROOT.'/document.php?modulepart='.$modulepart.'&attachment=0&file='.urlencode($relativepath).($param?'&'.$param:'')).'\', \''.dol_mimetype($relativepath).'\', \''.dol_escape_js($langs->trans('Preview')).'\')';
|
||||
// old behavior
|
||||
if ($num_mime !== false) return 'javascript:document_preview(\''.dol_escape_js(DOL_URL_ROOT.'/document.php?modulepart='.$modulepart.'&attachment=0&file='.urlencode($relativepath).($param?'&'.$param:'')).'\', \''.dol_mimetype($relativepath).'\', \''.dol_escape_js($langs->trans('Preview')).'\')';
|
||||
else return '';
|
||||
}
|
||||
|
||||
@ -7738,30 +7741,6 @@ function ajax_autoselect($htmlname, $addlink = '')
|
||||
return $out;
|
||||
}
|
||||
|
||||
/**
|
||||
* Return if a file is qualified for preview
|
||||
*
|
||||
* @param string $file Filename we looking for information
|
||||
* @return int 1 If allowed, 0 otherwise
|
||||
* @see dol_mimetype(), image_format_supported() from images.lib.php
|
||||
*/
|
||||
function dolIsAllowedForPreview($file) {
|
||||
global $conf;
|
||||
|
||||
// Check .noexe extension in filename
|
||||
if (preg_match('/\.noexe$/i', $file)) return 0;
|
||||
|
||||
// Check mime types
|
||||
$mime_preview = array('bmp', 'jpeg', 'png', 'gif', 'tiff', 'pdf', 'plain', 'css', 'webp');
|
||||
if (!empty($conf->global->MAIN_ALLOW_SVG_FILES_AS_IMAGES)) $mime_preview[] = 'svg+xml';
|
||||
//$mime_preview[]='vnd.oasis.opendocument.presentation';
|
||||
//$mime_preview[]='archive';
|
||||
$num_mime = array_search(dol_mimetype($file, '', 1), $mime_preview);
|
||||
if ($num_mime !== false) return 1;
|
||||
|
||||
// By default, not allowed for preview
|
||||
return 0;
|
||||
}
|
||||
|
||||
/**
|
||||
* Return mime type of a file
|
||||
@ -7770,7 +7749,7 @@ function dolIsAllowedForPreview($file) {
|
||||
* @param string $default Default mime type if extension not found in known list
|
||||
* @param int $mode 0=Return full mime, 1=otherwise short mime string, 2=image for mime type, 3=source language, 4=css of font fa
|
||||
* @return string Return a mime type family (text/xxx, application/xxx, image/xxx, audio, video, archive)
|
||||
* @see dolIsAllowedForPreview(), image_format_supported() from images.lib.php
|
||||
* @see image_format_supported() from images.lib.php
|
||||
*/
|
||||
function dol_mimetype($file, $default = 'application/octet-stream', $mode = 0)
|
||||
{
|
||||
|
||||
@ -156,13 +156,12 @@ if (isset($_GET["attachment"])) $attachment = GETPOST("attachment", 'alpha')?tru
|
||||
if (! empty($conf->global->MAIN_DISABLE_FORCE_SAVEAS)) $attachment=false;
|
||||
|
||||
// Define mime type
|
||||
$type = 'application/octet-stream'; // By default
|
||||
$type = 'application/octet-stream';
|
||||
if (GETPOST('type', 'alpha')) $type=GETPOST('type', 'alpha');
|
||||
else $type=dol_mimetype($original_file);
|
||||
// Security: Force to octet-stream if file is a dangerous file. For example when it is a .noexe file
|
||||
if (!dolIsAllowedForPreview($original_file)) {
|
||||
$type = 'application/octet-stream';
|
||||
}
|
||||
// Security: Force to octet-stream if file is a dangerous file
|
||||
if (preg_match('/\.noexe$/i', $original_file)) $type = 'application/octet-stream';
|
||||
|
||||
// Security: Delete string ../ into $original_file
|
||||
$original_file = str_replace("../", "/", $original_file);
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user