From 5d5fb46af67b2714c7478d2617a7653cdbb3ccf8 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Fri, 12 Jun 2020 14:35:50 +0200
Subject: [PATCH] Fix We never add .noexe of files into medias dir

---
 htdocs/core/actions_linkedfiles.inc.php |  8 +++++++-
 htdocs/core/lib/files.lib.php           | 15 +++++++++++----
 htdocs/ecm/class/ecmfiles.class.php     |  2 +-
 htdocs/website/index.php                |  2 +-
 4 files changed, 20 insertions(+), 7 deletions(-)

diff --git a/htdocs/core/actions_linkedfiles.inc.php b/htdocs/core/actions_linkedfiles.inc.php
index 2542cf23268..68cc7d5f31f 100644
--- a/htdocs/core/actions_linkedfiles.inc.php
+++ b/htdocs/core/actions_linkedfiles.inc.php
@@ -197,7 +197,13 @@ elseif ($action == 'renamefile' && GETPOST('renamefilesave', 'alpha'))
 	        // Because if we put the documents directory into a directory inside web root (very bad), this allows to execute on demand arbitrary code.
 	        if (isAFileWithExecutableContent($filenameto) && empty($conf->global->MAIN_DOCUMENT_IS_OUTSIDE_WEBROOT_SO_NOEXE_NOT_REQUIRED))
 	        {
-	            $filenameto .= '.noexe';
+	        	// $upload_dir ends with a slash, so be must be sure the medias dir to compare to ends with slash too.
+	        	$publicmediasdirwithslash = $conf->medias->multidir_output[$conf->entity];
+	        	if (! preg_match('/\/$/', $publicmediasdirwithslash)) $publicmediasdirwithslash.='/';
+
+	        	if ($upload_dir != $publicmediasdirwithslash) {	// We never add .noexe on files into media directory
+		            $filenameto .= '.noexe';
+	        	}
 	        }
 
 	        if ($filenamefrom && $filenameto)
diff --git a/htdocs/core/lib/files.lib.php b/htdocs/core/lib/files.lib.php
index 47d16d4fe3f..133830a0eb5 100644
--- a/htdocs/core/lib/files.lib.php
+++ b/htdocs/core/lib/files.lib.php
@@ -1008,10 +1008,11 @@ function dolCheckVirus($src_file)
  * 	@param	integer	$uploaderrorcode	Value of PHP upload error code ($_FILES['field']['error'])
  * 	@param	int		$nohook				Disable all hooks
  * 	@param	string	$varfiles			_FILES var name
+ *  @param	string	$upload_dir			For information. Already included into $dest_file.
  *	@return int|string       			1 if OK, 2 if OK and .noexe appended, <0 or string if KO
  *  @see    dol_move()
  */
-function dol_move_uploaded_file($src_file, $dest_file, $allowoverwrite, $disablevirusscan = 0, $uploaderrorcode = 0, $nohook = 0, $varfiles = 'addedfile')
+function dol_move_uploaded_file($src_file, $dest_file, $allowoverwrite, $disablevirusscan = 0, $uploaderrorcode = 0, $nohook = 0, $varfiles = 'addedfile', $upload_dir = '')
 {
 	global $conf, $db, $user, $langs;
 	global $object, $hookmanager;
@@ -1068,8 +1069,14 @@ function dol_move_uploaded_file($src_file, $dest_file, $allowoverwrite, $disable
 		// Because if we put the documents directory into a directory inside web root (very bad), this allows to execute on demand arbitrary code.
 		if (isAFileWithExecutableContent($dest_file) && empty($conf->global->MAIN_DOCUMENT_IS_OUTSIDE_WEBROOT_SO_NOEXE_NOT_REQUIRED))
 		{
-			$file_name .= '.noexe';
-			$successcode = 2;
+			// $upload_dir ends with a slash, so be must be sure the medias dir to compare to ends with slash too.
+			$publicmediasdirwithslash = $conf->medias->multidir_output[$conf->entity];
+			if (! preg_match('/\/$/', $publicmediasdirwithslash)) $publicmediasdirwithslash.='/';
+
+			if ($upload_dir != $publicmediasdirwithslash) {	// We never add .noexe on files into media directory
+				$file_name .= '.noexe';
+				$successcode = 2;
+			}
 		}
 
 		// Security:
@@ -1580,7 +1587,7 @@ function dol_add_file_process($upload_dir, $allowoverwrite = 0, $donotupdatesess
 				$destfull = dol_string_nohtmltag($destfull);
 
 				// Move file from temp directory to final directory. A .noexe may also be appended on file name.
-				$resupload = dol_move_uploaded_file($TFile['tmp_name'][$i], $destfull, $allowoverwrite, 0, $TFile['error'][$i], 0, $varfiles);
+				$resupload = dol_move_uploaded_file($TFile['tmp_name'][$i], $destfull, $allowoverwrite, 0, $TFile['error'][$i], 0, $varfiles, $upload_dir);
 
 				if (is_numeric($resupload) && $resupload > 0)   // $resupload can be 'ErrorFileAlreadyExists'
 				{
diff --git a/htdocs/ecm/class/ecmfiles.class.php b/htdocs/ecm/class/ecmfiles.class.php
index 653ff29d021..85d6d4f0bc2 100644
--- a/htdocs/ecm/class/ecmfiles.class.php
+++ b/htdocs/ecm/class/ecmfiles.class.php
@@ -67,7 +67,7 @@ class EcmFiles extends CommonObject
 	 */
 	public $entity;
 
-	public $filename;
+	public $filename;			// Note: Into ecm database record, the entry $filename never ends with .noexe
 	public $filepath;
 	public $fullpath_orig;
 
diff --git a/htdocs/website/index.php b/htdocs/website/index.php
index d539572bc11..3d6e0d328b2 100644
--- a/htdocs/website/index.php
+++ b/htdocs/website/index.php
@@ -208,7 +208,7 @@ $permtouploadfile = $user->rights->website->write;
 $diroutput = $conf->medias->multidir_output[$conf->entity];
 
 $relativepath = $section_dir;
-$upload_dir = $diroutput.'/'.$relativepath;
+$upload_dir = preg_replace('/\/$/', '', $diroutput).'/'.preg_replace('/^\//', '', $relativepath);
 
 $htmlheadercontentdefault = '';
 $htmlheadercontentdefault .= '<link rel="stylesheet" id="google-fonts-css"  href="//fonts.googleapis.com/css?family=Open+Sans:300,400,700" />'."\n";