From 6aefa648e71a4f336c2f336be4c87f3bc0c92b71 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Tue, 30 Jul 2019 14:00:43 +0200
Subject: [PATCH] FIX CVE-2019-11199
---
 htdocs/viewimage.php | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/htdocs/viewimage.php b/htdocs/viewimage.php
index 073aaa9fb24..3db6e9fb803 100644
--- a/htdocs/viewimage.php
+++ b/htdocs/viewimage.php
@@ -170,7 +170,9 @@ if (GETPOST('type','alpha')) $type=GETPOST('type','alpha');
 else $type=dol_mimetype($original_file);
 // Security: This wrapper is for images. We do not allow type/html
-if (preg_match('/html/', $type)) accessforbidden('Error: Using the image wrapper to output a file with a mime type HTML is not possible.', 1, 1, 1);
+if (preg_match('/html/i', $type)) accessforbidden('Error: Using the image wrapper to output a file with a mime type HTML is not possible.', 1, 1, 1);
+// Security: This wrapper is for images. We do not allow files ending with .noexe
+if (preg_match('/\.noexe$/i', $original_file)) accessforbidden('Error: Using the image wrapper to output a file ending with .noexe is not allowed.', 1, 1, 1);
 // Security: Delete string ../ into $original_file
 $original_file = str_replace("../","/", $original_file);
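Review bot: The new `.noexe` line is a suffix denylist on `$original_file`, and the `/html/i` guard just above it still tests `$type`, which the hunk's context shows is taken verbatim from `GETPOST('type','alpha')` when the parameter is present, so that guard only constrains the type the client chose to declare; `dol_mimetype($original_file)` is consulted only in the `else` branch. Since the comment states this wrapper is for images, a positive check derived from the file itself would cover both cases at once, e.g. `if (!preg_match('/^image\//i', dol_mimetype($original_file))) accessforbidden('Error: Using the image wrapper to output a non-image file is not allowed.', 1, 1, 1);` placed after the existing lines, keeping the explicit denylist entries as defence in depth. Emitting `X-Content-Type-Options: nosniff` with the response would stop browsers from second-guessing the declared type, though I cannot see from this hunk whether the script already sets it. The surrounding script, including how `$original_file` is first built, lies outside the hunk.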