lainwir3d/dolibarr
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

FIX #yogosha8628

Browse Source
This commit is contained in:
Laurent Destailleur 2022-02-04 15:14:10 +01:00
parent f99e19e729
commit 5249840402
2 changed files with 6 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
htdocs/core/lib/functions.lib.php
View File

@ -9236,7 +9236,7 @@ function dolIsAllowedForPreview($file)
/** /**
* Return mime type of a file * Return MIME type of a file from its name with extension.
* *
* @param string $file Filename we looking for MIME type * @param string $file Filename we looking for MIME type
* @param string $default Default mime type if extension not found in known list * @param string $default Default mime type if extension not found in known list

5
htdocs/viewimage.php
View File

@ -229,6 +229,11 @@ $original_file = str_replace('..\\', '/', $original_file);
// Find the subdirectory name as the reference // Find the subdirectory name as the reference
$refname = basename(dirname($original_file)."/"); $refname = basename(dirname($original_file)."/");
// Check that file is allowed for view with viewimage.php
if (!dolIsAllowedForPreview($original_file)) {
accessforbidden('This file is not qualified for preview', 0, 0, 1);
}
// Security check // Security check
if (empty($modulepart)) { if (empty($modulepart)) {
accessforbidden('Bad value for parameter modulepart', 0, 0, 1); accessforbidden('Bad value for parameter modulepart', 0, 0, 1);