Merge branch '12.0' of git@github.com:Dolibarr/dolibarr.git into develop
This commit is contained in:
Laurent Destailleur
commit
6e81542148
@ -186,7 +186,13 @@ if ($action == 'confirm_deletefile' && $confirm == 'yes')
|
||||
// Because if we put the documents directory into a directory inside web root (very bad), this allows to execute on demand arbitrary code.
|
||||
if (isAFileWithExecutableContent($filenameto) && empty($conf->global->MAIN_DOCUMENT_IS_OUTSIDE_WEBROOT_SO_NOEXE_NOT_REQUIRED))
|
||||
{
|
||||
$filenameto .= '.noexe';
|
||||
// $upload_dir ends with a slash, so be must be sure the medias dir to compare to ends with slash too.
|
||||
$publicmediasdirwithslash = $conf->medias->multidir_output[$conf->entity];
|
||||
if (! preg_match('/\/$/', $publicmediasdirwithslash)) $publicmediasdirwithslash.='/';
|
||||
|
||||
if ($upload_dir != $publicmediasdirwithslash) { // We never add .noexe on files into media directory
|
||||
$filenameto .= '.noexe';
|
||||
}
|
||||
}
|
||||
|
||||
if ($filenamefrom && $filenameto)
|
||||
|
||||
@ -984,10 +984,11 @@ function dolCheckVirus($src_file)
|
||||
* @param integer $uploaderrorcode Value of PHP upload error code ($_FILES['field']['error'])
|
||||
* @param int $nohook Disable all hooks
|
||||
* @param string $varfiles _FILES var name
|
||||
* @param string $upload_dir For information. Already included into $dest_file.
|
||||
* @return int|string 1 if OK, 2 if OK and .noexe appended, <0 or string if KO
|
||||
* @see dol_move()
|
||||
*/
|
||||
function dol_move_uploaded_file($src_file, $dest_file, $allowoverwrite, $disablevirusscan = 0, $uploaderrorcode = 0, $nohook = 0, $varfiles = 'addedfile')
|
||||
function dol_move_uploaded_file($src_file, $dest_file, $allowoverwrite, $disablevirusscan = 0, $uploaderrorcode = 0, $nohook = 0, $varfiles = 'addedfile', $upload_dir = '')
|
||||
{
|
||||
global $conf, $db, $user, $langs;
|
||||
global $object, $hookmanager;
|
||||
@ -1044,8 +1045,14 @@ function dol_move_uploaded_file($src_file, $dest_file, $allowoverwrite, $disable
|
||||
// Because if we put the documents directory into a directory inside web root (very bad), this allows to execute on demand arbitrary code.
|
||||
if (isAFileWithExecutableContent($dest_file) && empty($conf->global->MAIN_DOCUMENT_IS_OUTSIDE_WEBROOT_SO_NOEXE_NOT_REQUIRED))
|
||||
{
|
||||
$file_name .= '.noexe';
|
||||
$successcode = 2;
|
||||
// $upload_dir ends with a slash, so be must be sure the medias dir to compare to ends with slash too.
|
||||
$publicmediasdirwithslash = $conf->medias->multidir_output[$conf->entity];
|
||||
if (! preg_match('/\/$/', $publicmediasdirwithslash)) $publicmediasdirwithslash.='/';
|
||||
|
||||
if ($upload_dir != $publicmediasdirwithslash) { // We never add .noexe on files into media directory
|
||||
$file_name .= '.noexe';
|
||||
$successcode = 2;
|
||||
}
|
||||
}
|
||||
|
||||
// Security:
|
||||
@ -1545,7 +1552,7 @@ function dol_add_file_process($upload_dir, $allowoverwrite = 0, $donotupdatesess
|
||||
$destfull = dol_string_nohtmltag($destfull);
|
||||
|
||||
// Move file from temp directory to final directory. A .noexe may also be appended on file name.
|
||||
$resupload = dol_move_uploaded_file($TFile['tmp_name'][$i], $destfull, $allowoverwrite, 0, $TFile['error'][$i], 0, $varfiles);
|
||||
$resupload = dol_move_uploaded_file($TFile['tmp_name'][$i], $destfull, $allowoverwrite, 0, $TFile['error'][$i], 0, $varfiles, $upload_dir);
|
||||
|
||||
if (is_numeric($resupload) && $resupload > 0) // $resupload can be 'ErrorFileAlreadyExists'
|
||||
{
|
||||
|
||||
@ -67,7 +67,7 @@ class EcmFiles extends CommonObject
|
||||
*/
|
||||
public $entity;
|
||||
|
||||
public $filename;
|
||||
public $filename; // Note: Into ecm database record, the entry $filename never ends with .noexe
|
||||
public $filepath;
|
||||
public $fullpath_orig;
|
||||
|
||||
|
||||
@ -19,6 +19,7 @@ This page is a sample of page using Dolibarr HTML widget methods. It is designed
|
||||
- css (add parameter &theme=newtheme to test another theme or edit css of current theme)<br>
|
||||
- jmobile (add parameter <a class="wordbreak" href="<?php echo $_SERVER["PHP_SELF"].'?dol_use_jmobile=1&dol_optimize_smallscreen=1'; ?>">dol_use_jmobile=1&dol_optimize_smallscreen=1</a> and switch to small screen < 570 to enable with emulated jmobile)<br>
|
||||
- no javascript / usage for bind people (add parameter <a class="wordbreak" href="<?php echo $_SERVER["PHP_SELF"].'?nojs=1'; ?>">nojs=1</a> to force disable javascript)<br>
|
||||
- use with a text browser (add parameter <a class="wordbreak" href="<?php echo $_SERVER["PHP_SELF"].'?textbrowser=1'; ?>">textbrowser=1</a> to force detection of a text browser)<br>
|
||||
</h2>
|
||||
<br>
|
||||
|
||||
|
||||
@ -174,15 +174,15 @@ input {
|
||||
padding-left: 5px;
|
||||
}
|
||||
select {
|
||||
padding-top: 4px;
|
||||
padding-top: 5px;
|
||||
padding-right: 4px;
|
||||
padding-bottom: 3px;
|
||||
padding-bottom: 5px;
|
||||
padding-left: 2px;
|
||||
}
|
||||
input, select {
|
||||
margin-left:0px;
|
||||
margin-bottom:1px;
|
||||
margin-top:1px;
|
||||
margin-left: 0px;
|
||||
margin-bottom: 1px;
|
||||
margin-top: 1px;
|
||||
}
|
||||
#mainbody input.button:not(.buttongen):not(.bordertransp) {
|
||||
background: var(--butactionbg);
|
||||
|
||||
@ -208,7 +208,7 @@ $permtouploadfile = $user->rights->website->write;
|
||||
$diroutput = $conf->medias->multidir_output[$conf->entity];
|
||||
|
||||
$relativepath = $section_dir;
|
||||
$upload_dir = $diroutput.'/'.$relativepath;
|
||||
$upload_dir = preg_replace('/\/$/', '', $diroutput).'/'.preg_replace('/^\//', '', $relativepath);
|
||||
|
||||
$htmlheadercontentdefault = '';
|
||||
$htmlheadercontentdefault .= '<link rel="stylesheet" id="google-fonts-css" href="//fonts.googleapis.com/css?family=Open+Sans:300,400,700" />'."\n";
|
||||
|
||||
Loading…
Reference in New Issue
Block a user