From f453e43ccafd649c6bffce6eab6ac1135fafd455 Mon Sep 17 00:00:00 2001
From: Alexandre SPANGARO
Date: Fri, 18 Sep 2020 01:37:15 +0200
Subject: [PATCH 1/3] FIX Yogosha report 4425 (backport)

---
 htdocs/document.php | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/htdocs/document.php b/htdocs/document.php
index 2b37792d69a..ccd404f7315 100644
--- a/htdocs/document.php
+++ b/htdocs/document.php
@@ -156,12 +156,13 @@ if (isset($_GET["attachment"])) $attachment = GETPOST("attachment", 'alpha')?tru
 if (! empty($conf->global->MAIN_DISABLE_FORCE_SAVEAS)) $attachment=false;
 // Define mime type
-$type = 'application/octet-stream';
+$type = 'application/octet-stream'; // By default
 if (GETPOST('type', 'alpha')) $type=GETPOST('type', 'alpha');
 else $type=dol_mimetype($original_file);
-// Security: Force to octet-stream if file is a dangerous file
-if (preg_match('/\.noexe$/i', $original_file)) $type = 'application/octet-stream';
-
+// Security: Force to octet-stream if file is a dangerous file. For example when it is a .noexe file
+if (!dolIsAllowedForPreview($original_file)) {
+	$type = 'application/octet-stream';
+}
 // Security: Delete string ../ into $original_file
 $original_file = str_replace("../", "/", $original_file);

From 56a9f5c48b180ed152bc3e20e99a8e6151384571 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Fri, 18 Sep 2020 14:49:20 +0200
Subject: [PATCH 2/3] Fix

---
 htdocs/core/lib/functions.lib.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php
index c279b3fb4e5..a5ab772b795 100644
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
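Review bot: The request-controlled `type` parameter still wins on the new side for every file that passes dolIsAllowedForPreview(): `$type` is set from `GETPOST('type', 'alpha')` two lines above the new guard, and the guard only resets it for files that are not previewable. A client can therefore label a previewable upload (an image, for instance) with any Content-Type the 'alpha' filter lets through, `text/html` included, which is the very rendering the octet-stream forcing exists to prevent; whether 'alpha' strips `/` is not visible in this hunk, nor is the list dolIsAllowedForPreview() accepts. I would let the client only downgrade, never relabel: `$type = dol_mimetype($original_file);` followed by `if (GETPOST('type', 'alpha') == 'application/octet-stream') $type = 'application/octet-stream';`, and keep the dolIsAllowedForPreview() forcing after it. If the header block further down does not already emit `X-Content-Type-Options: nosniff`, that is the second half of the same fix.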
@@ -7709,7 +7709,7 @@ function getAdvancedPreviewUrl($modulepart, $relativepath, $alldata = 0, $param
 	if ($alldata == 1) {
-		if (isAllowedForPreview) return array('target'=>'_blank', 'css'=>'documentpreview', 'url'=>DOL_URL_ROOT.'/document.php?modulepart='.$modulepart.'&attachment=0&file='.urlencode($relativepath).($param?'&'.$param:''), 'mime'=>dol_mimetype($relativepath), );
+		if ($isAllowedForPreview) return array('target'=>'_blank', 'css'=>'documentpreview', 'url'=>DOL_URL_ROOT.'/document.php?modulepart='.$modulepart.'&attachment=0&file='.urlencode($relativepath).($param?'&'.$param:''), 'mime'=>dol_mimetype($relativepath), );
 		else return array();
 	}

From 37c9afebd9d249c36660ef7d046c60c0b50fe4e1 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Fri, 18 Sep 2020 14:55:32 +0200
Subject: [PATCH 3/3] Fix regression

---
 htdocs/document.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/htdocs/document.php b/htdocs/document.php
index ccd404f7315..a55ca1fd895 100644
--- a/htdocs/document.php
+++ b/htdocs/document.php
@@ -160,7 +160,7 @@ $type = 'application/octet-stream'; // By default
 if (GETPOST('type', 'alpha')) $type=GETPOST('type', 'alpha');
 else $type=dol_mimetype($original_file);
 // Security: Force to octet-stream if file is a dangerous file. For example when it is a .noexe file
-if (!dolIsAllowedForPreview($original_file)) {
+if (!in_array($type, array('text/x-javascript')) && !dolIsAllowedForPreview($original_file)) {
 	$type = 'application/octet-stream';
 }
 // Security: Delete string ../ into $original_file
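Review bot: `$isAllowedForPreview` is consumed on the changed line but assigned somewhere above the hunk — getAdvancedPreviewUrl() begins outside it — so the fix only holds if every path that reaches `$alldata == 1` sets that variable; an unset one is null here and silently turns every preview into `array()`. The bug being fixed deserves a line in the commit message: on PHP 7 the bare constant `isAllowedForPreview` evaluated to the non-empty string of its own name (with a notice), so the gate was always true and the preview URL was returned for every file. If the variable is simply the result of dolIsAllowedForPreview($relativepath), as its name suggests, computing it at the use site removes the dependency on the earlier assignment: `if (dolIsAllowedForPreview($relativepath)) return array(...)`. Separately, `$modulepart` and `$param` are concatenated into the URL unencoded while `$relativepath` is urlencoded; that is fine if both are internal identifiers, which cannot be confirmed from this hunk.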
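Review bot: The new exemption is keyed on `$type`, which the first line of this hunk takes from the request (`GETPOST('type', 'alpha')`), so a caller who appends `type=text/x-javascript` to the URL skips the octet-stream forcing for any file, including the `.noexe` case the comment above names — unless the 'alpha' filter strips `/`, which is not visible here. The regression presumably concerns legitimate .js files that dolIsAllowedForPreview() rejects; that decision should rest on the file, not the query string: `$filetype = dol_mimetype($original_file);` and `if ($filetype != 'text/x-javascript' && !dolIsAllowedForPreview($original_file)) {`. If the client-supplied type has to stay, also set `$type = $filetype;` in the exempted branch so a script file cannot be relabelled either. Minor: `in_array()` without the strict flag over a one-element haystack is just `$type !== 'text/x-javascript'`.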