From 64c8053b67a995992ffee166c0a2ed5df3d90fbc Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Thu, 24 Sep 2020 21:09:58 +0200
Subject: [PATCH] Fix restrict extension of files

---
 htdocs/admin/geoipmaxmind.php | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/htdocs/admin/geoipmaxmind.php b/htdocs/admin/geoipmaxmind.php
index 0a118dfe065..6b8fe0ab3b7 100644
--- a/htdocs/admin/geoipmaxmind.php
+++ b/htdocs/admin/geoipmaxmind.php
@@ -47,7 +47,12 @@ if ($action == 'set')
 
 	$gimcdf = GETPOST("GEOIPMAXMIND_COUNTRY_DATAFILE");
 
-	if (!$gimcdf && !file_exists($gimcdf))
+	if (!$error && $gimcdf && ! preg_match('/\.(dat|mmdb)$/', $gimcdf)) {
+		setEventMessages($langs->trans("ErrorFileMustHaveFormat", '.dat|.mmdb'), null, 'errors');
+		$error++;
+	}
+
+	if (!$error && $gimcdf && !file_exists($gimcdf))
 	{
 		setEventMessages($langs->trans("ErrorFileNotFound", $gimcdf), null, 'errors');
 		$error++;
@@ -126,7 +131,7 @@ if ($conf->global->GEOIP_VERSION == 'php')
 {
 	print 'Using geoip PHP internal functions. Value must be '.geoip_db_filename(GEOIP_COUNTRY_EDITION).' or '.geoip_db_filename(GEOIP_CITY_EDITION_REV1).' or /pathtodatafile/GeoLite2-Country.mmdb<br>';
 }
-print '<input size="50" type="text" name="GEOIPMAXMIND_COUNTRY_DATAFILE" value="'.$conf->global->GEOIPMAXMIND_COUNTRY_DATAFILE.'">';
+print '<input size="50" type="text" name="GEOIPMAXMIND_COUNTRY_DATAFILE" value="'.dol_escape_htmltag($conf->global->GEOIPMAXMIND_COUNTRY_DATAFILE).'">';
 print '</td></tr>';
 
 print '</table>';
@@ -148,7 +153,7 @@ print $langs->trans("YouCanDownloadAdvancedDatFileTo", '<a href="'.$url2.'" targ
 if ($geoip)
 {
 	print '<br><br>';
-	print '<br>'.$langs->trans("TestGeoIPResult", $ip).':';
+	print '<br><span class="opacitymedium">'.$langs->trans("TestGeoIPResult", $ip).':</span>';
 
 	$ip = '24.24.24.24';
 	print '<br>'.$ip.' -> ';