From 50d525ed70b7a9faec27b15ef8330bbea6a450df Mon Sep 17 00:00:00 2001
From: hystepik
Date: Fri, 25 Nov 2022 17:20:39 +0100
Subject: [PATCH] Fix : Yogosha#12007
---
 htdocs/admin/security_other.php | 15 +++++++++++++--
 htdocs/core/lib/files.lib.php | 7 ++++++-
 htdocs/langs/en_US/admin.lang | 1 +
 htdocs/langs/en_US/errors.lang | 1 +
 4 files changed, 21 insertions(+), 3 deletions(-)
diff --git a/htdocs/admin/security_other.php b/htdocs/admin/security_other.php
index d4c5a3e034a..4bd869103fe 100644
--- a/htdocs/admin/security_other.php
+++ b/htdocs/admin/security_other.php
@@ -62,7 +62,7 @@ if (preg_match('/set_([a-z0-9_\-]+)/i', $action, $reg)) {
 dol_print_error($db);
 }
 } elseif ($action == 'updateform') {
-$res1 = 1; $res2 = 1; $res3 = 1; $res4 = 1;
+$res1 = 1; $res2 = 1; $res3 = 1; $res4 = 1; $res5 = 1;
 if (GETPOSTISSET('MAIN_APPLICATION_TITLE')) {
 $res1 = dolibarr_set_const($db, "MAIN_APPLICATION_TITLE", GETPOST("MAIN_APPLICATION_TITLE", 'alphanohtml'), 'chaine', 0, '', $conf->entity);
 }
@@ -75,7 +75,10 @@ if (preg_match('/set_([a-z0-9_\-]+)/i', $action, $reg)) {
 if (GETPOSTISSET('MAIN_SECURITY_MAX_POST_ON_PUBLIC_PAGES_BY_IP_ADDRESS')) {
 $res4 = dolibarr_set_const($db, "MAIN_SECURITY_MAX_POST_ON_PUBLIC_PAGES_BY_IP_ADDRESS", GETPOST("MAIN_SECURITY_MAX_POST_ON_PUBLIC_PAGES_BY_IP_ADDRESS", 'alphanohtml'), 'int', 0, '', $conf->entity);
 }
-if ($res1 && $res2 && $res3 && $res4) {
+if (GETPOSTISSET('MAIN_SECURITY_MAX_ATTACHMENT_ON_FORMS')) {
+$res5 = dolibarr_set_const($db, "MAIN_SECURITY_MAX_ATTACHMENT_ON_FORMS", GETPOST("MAIN_SECURITY_MAX_ATTACHMENT_ON_FORMS", 'alphanohtml'), 'int', 0, '', $conf->entity);
+}
+if ($res1 && $res2 && $res3 && $res4 && $res5) {
 setEventMessages($langs->trans("RecordModifiedSuccessfully"), null, 'mesgs');
 }
 }
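Review bot: The new MAIN_SECURITY_MAX_ATTACHMENT_ON_FORMS branch in the second hunk stores whatever the admin posts after an 'alphanohtml' filter, so a non-numeric, zero or negative value is written into a constant declared as 'int' and later read by the upload limit with no range check here. Since this value is the ceiling that the Yogosha fix relies on, read it as an integer and refuse anything below 1 before calling dolibarr_set_const, e.g. `$maxfiles = GETPOST("MAIN_SECURITY_MAX_ATTACHMENT_ON_FORMS", 'int');` followed by `if ($maxfiles < 1) { $res5 = 0; } else { $res5 = dolibarr_set_const($db, "MAIN_SECURITY_MAX_ATTACHMENT_ON_FORMS", $maxfiles, 'int', 0, '', $conf->entity); }`. Whether a stored 0 falls back to the default of 10 in getDolGlobalInt cannot be confirmed from this diff, so the guard should not depend on it. The sibling MAX_POST_ON_PUBLIC_PAGES setting follows the same 'alphanohtml' pattern, so this is an existing weakness the new line copies rather than one the commit introduces; the enclosing updateform branch starts before this hunk.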
@@ -197,6 +200,14 @@ print ''; +print ''.$langs->trans("MaxNumberOfAttachementOnForms").''; +print ''; +print ''; +print ''; +print ''; +print ''; + /* if (empty($conf->global->MAIN_APPLICATION_TITLE)) { $conf->global->MAIN_APPLICATION_TITLE = "";
diff --git a/htdocs/core/lib/files.lib.php b/htdocs/core/lib/files.lib.php
index edbc348444e..c703c65fa2f 100644
--- a/htdocs/core/lib/files.lib.php
+++ b/htdocs/core/lib/files.lib.php
@@ -1657,7 +1657,12 @@ function dol_add_file_process($upload_dir, $allowoverwrite = 0, $donotupdatesess
 if (!empty($_FILES[$varfiles])) {
 // For view $_FILES[$varfiles]['error']
 dol_syslog('dol_add_file_process upload_dir='.$upload_dir.' allowoverwrite='.$allowoverwrite.' donotupdatesession='.$donotupdatesession.' savingdocmask='.$savingdocmask, LOG_DEBUG);
-
+$maxfilesinform = getDolGlobalInt("MAIN_SECURITY_MAX_ATTACHMENT_ON_FORMS", 10);
+if (count($_FILES[$varfiles]["name"]) > $maxfilesinform) {
+$langs->load("errors"); // key must be loaded because we can't rely on loading during output, we need var substitution to be done now.
+setEventMessages($langs->trans("ErrorTooMuchFileInForm", $maxfilesinform), null, "errors");
+return -1;
+}
 $result = dol_mkdir($upload_dir);
 // var_dump($result);exit;
 if ($result >= 0) {
diff --git a/htdocs/langs/en_US/admin.lang b/htdocs/langs/en_US/admin.lang
index 4a55dc2cffc..94de41fba0a 100644
--- a/htdocs/langs/en_US/admin.lang
+++ b/htdocs/langs/en_US/admin.lang
@@ -2343,3 +2343,4 @@ DesktopsAndSmartphones=Desktops et smartphones
 AllowOnlineSign=Allow online signing
 AllowExternalDownload=Allow external download (without login, using a shared link)
 DeadlineDayVATSubmission=Deadline day for vat submission on the next month
+MaxNumberOfAttachementOnForm=Max number of joinded files in form
diff --git a/htdocs/langs/en_US/errors.lang b/htdocs/langs/en_US/errors.lang
index 7bcecfa4999..97af73b8fd1 100644
--- a/htdocs/langs/en_US/errors.lang
+++ b/htdocs/langs/en_US/errors.lang
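Review bot: The label printed in the new admin row uses the key `MaxNumberOfAttachementOnForms`, but the key added to admin.lang in this same patch is `MaxNumberOfAttachementOnForm` without the trailing "s", so the settings page will show the raw key instead of the translated text. Change the print to `print ''.$langs->trans("MaxNumberOfAttachementOnForm").'';` or rename the lang entry so the two agree. The HTML inside these print statements appears to have been stripped from this rendering of the hunk, so the input's name and any min/max attributes cannot be reviewed here; the surrounding table markup begins before this hunk.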
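Review bot: The added guard calls `count($_FILES[$varfiles]["name"])` unconditionally, but `$_FILES[...]["name"]` is a plain string for a file input that is not declared as an array, and on PHP 8 count() on a string throws a TypeError, so if dol_add_file_process is also reached from single-file forms this check would turn an ordinary upload into a fatal error rather than enforcing the limit. Make the count tolerant of both shapes: `$nbfiles = is_array($_FILES[$varfiles]["name"]) ? count($_FILES[$varfiles]["name"]) : 1;` and then `if ($nbfiles > $maxfilesinform) {`. The hunk does not show whether `$langs` is declared global in this function, so that should be confirmed before the `$langs->load("errors")` call is relied on; the body of dol_add_file_process starts before and continues after this hunk.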
@@ -302,6 +302,7 @@ ErrorTableNotFound=Table %s not found
 ErrorValueForTooLow=Value for %s is too low
 ErrorValueCantBeNull=Value for %s can't be null
 ErrorDateOfMovementLowerThanDateOfFileTransmission=The date of the bank transaction can't be lower than the date of the file transmission
+ErrorTooMuchFileInForm=Too much files in form, the maximum number is %s file(s)
 # Warnings
 WarningParamUploadMaxFileSizeHigherThanPostMaxSize=Your PHP parameter upload_max_filesize (%s) is higher than PHP parameter post_max_size (%s). This is not a consistent setup.