From a0b6d9c4e0c74dfc548dd15de16dbc88c68ff6f6 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Fri, 12 Jun 2020 01:19:50 +0200 Subject: [PATCH 1/2] css --- htdocs/public/test/test_forms.php | 1 + htdocs/theme/eldy/global.inc.php | 10 +++++----- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/htdocs/public/test/test_forms.php b/htdocs/public/test/test_forms.php index 0a43cfda708..bd74ecb0f13 100644 --- a/htdocs/public/test/test_forms.php +++ b/htdocs/public/test/test_forms.php @@ -19,6 +19,7 @@ This page is a sample of page using Dolibarr HTML widget methods. It is designed - css (add parameter &theme=newtheme to test another theme or edit css of current theme)
- jmobile (add parameter ">dol_use_jmobile=1&dol_optimize_smallscreen=1 and switch to small screen < 570 to enable with emulated jmobile)
- no javascript / usage for bind people (add parameter ">nojs=1 to force disable javascript)
+- use with a text browser (add parameter ">textbrowser=1 to force detection of a text browser)

diff --git a/htdocs/theme/eldy/global.inc.php b/htdocs/theme/eldy/global.inc.php
index 78dccbeeea4..fe06d802fb1 100644
--- a/htdocs/theme/eldy/global.inc.php
+++ b/htdocs/theme/eldy/global.inc.php
@@ -174,15 +174,15 @@ input {
 padding-left: 5px;
 }
 select {
- padding-top: 4px;
+ padding-top: 5px;
 padding-right: 4px;
- padding-bottom: 3px;
+ padding-bottom: 5px;
 padding-left: 2px;
 }
 input, select {
- margin-left:0px;
- margin-bottom:1px;
- margin-top:1px;
+ margin-left: 0px;
+ margin-bottom: 1px;
+ margin-top: 1px;
 }
 #mainbody input.button:not(.buttongen):not(.bordertransp) {
 background: var(--butactionbg);
From 5d5fb46af67b2714c7478d2617a7653cdbb3ccf8 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Fri, 12 Jun 2020 14:35:50 +0200
Subject: [PATCH 2/2] Fix We never add .noexe of files into medias dir
---
 htdocs/core/actions_linkedfiles.inc.php | 8 +++++++-
 htdocs/core/lib/files.lib.php | 15 +++++++++++----
 htdocs/ecm/class/ecmfiles.class.php | 2 +-
 htdocs/website/index.php | 2 +-
 4 files changed, 20 insertions(+), 7 deletions(-)
diff --git a/htdocs/core/actions_linkedfiles.inc.php b/htdocs/core/actions_linkedfiles.inc.php
index 2542cf23268..68cc7d5f31f 100644
--- a/htdocs/core/actions_linkedfiles.inc.php
+++ b/htdocs/core/actions_linkedfiles.inc.php
@@ -197,7 +197,13 @@ elseif ($action == 'renamefile' && GETPOST('renamefilesave', 'alpha')) // Because if we put the documents directory into a directory inside web root (very bad), this allows to execute on demand arbitrary code. if (isAFileWithExecutableContent($filenameto) && empty($conf->global->MAIN_DOCUMENT_IS_OUTSIDE_WEBROOT_SO_NOEXE_NOT_REQUIRED)) { - $filenameto .= '.noexe'; + // $upload_dir ends with a slash, so be must be sure the medias dir to compare to ends with slash too. + $publicmediasdirwithslash = $conf->medias->multidir_output[$conf->entity]; + if (! preg_match('/\/$/', $publicmediasdirwithslash)) $publicmediasdirwithslash.='/'; + + if ($upload_dir != $publicmediasdirwithslash) { // We never add .noexe on files into media directory + $filenameto .= '.noexe'; + } } if ($filenamefrom && $filenameto) diff --git a/htdocs/core/lib/files.lib.php b/htdocs/core/lib/files.lib.php index 47d16d4fe3f..133830a0eb5 100644 --- a/htdocs/core/lib/files.lib.php +++ b/htdocs/core/lib/files.lib.php @@ -1008,10 +1008,11 @@ function dolCheckVirus($src_file) * @param integer $uploaderrorcode Value of PHP upload error code ($_FILES['field']['error']) * @param int $nohook Disable all hooks * @param string $varfiles _FILES var name + * @param string $upload_dir For information. Already included into $dest_file. * @return int|string 1 if OK, 2 if OK and .noexe appended, <0 or string if KO * @see dol_move() */ -function dol_move_uploaded_file($src_file, $dest_file, $allowoverwrite, $disablevirusscan = 0, $uploaderrorcode = 0, $nohook = 0, $varfiles = 'addedfile') +function dol_move_uploaded_file($src_file, $dest_file, $allowoverwrite, $disablevirusscan = 0, $uploaderrorcode = 0, $nohook = 0, $varfiles = 'addedfile', $upload_dir = '') { global $conf, $db, $user, $langs; global $object, $hookmanager; 
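Review bot: The exemption added in the rename branch lets any name that `isAFileWithExecutableContent()` flags keep its real extension once `$upload_dir` equals the medias directory, even though `MAIN_DOCUMENT_IS_OUTSIDE_WEBROOT_SO_NOEXE_NOT_REQUIRED` is unset, which is the setup the comment just above describes as allowing code execution on demand. If the website module only needs some of those types served from medias, the skip should be limited to them; the helper's extension list is not visible here, so this needs checking against it. The test itself is a loose exact match that relies on `$upload_dir` ending with a slash: I would normalise and compare strictly, `if (rtrim($upload_dir, '/').'/' !== $publicmediasdirwithslash) {`, and reword the comment to say that only the root of the medias directory is exempt, since subdirectories still get `.noexe`. The same block is repeated in the `@@ -1068` hunk of files.lib.php, so a shared helper would keep the two in step. The enclosing `elseif` branch starts and ends outside the hunk.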
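Review bot: The docblock describes the new `$upload_dir` parameter as "For information", but further down in this commit it decides whether `.noexe` is appended, so it is security-relevant and should be documented that way. I would write `@param string $upload_dir Directory the upload targets; when it equals the medias directory the .noexe suffix is not appended. Leave empty to always append it.` The default of `''` keeps the previous behaviour for callers that do not pass it, which is worth stating as well. The function body continues outside the hunk.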
@@ -1068,8 +1069,14 @@ function dol_move_uploaded_file($src_file, $dest_file, $allowoverwrite, $disable // Because if we put the documents directory into a directory inside web root (very bad), this allows to execute on demand arbitrary code. if (isAFileWithExecutableContent($dest_file) && empty($conf->global->MAIN_DOCUMENT_IS_OUTSIDE_WEBROOT_SO_NOEXE_NOT_REQUIRED)) { - $file_name .= '.noexe'; - $successcode = 2; + // $upload_dir ends with a slash, so be must be sure the medias dir to compare to ends with slash too. + $publicmediasdirwithslash = $conf->medias->multidir_output[$conf->entity]; + if (! preg_match('/\/$/', $publicmediasdirwithslash)) $publicmediasdirwithslash.='/'; + + if ($upload_dir != $publicmediasdirwithslash) { // We never add .noexe on files into media directory + $file_name .= '.noexe'; + $successcode = 2; + } } // Security: @@ -1580,7 +1587,7 @@ function dol_add_file_process($upload_dir, $allowoverwrite = 0, $donotupdatesess $destfull = dol_string_nohtmltag($destfull); // Move file from temp directory to final directory. A .noexe may also be appended on file name. - $resupload = dol_move_uploaded_file($TFile['tmp_name'][$i], $destfull, $allowoverwrite, 0, $TFile['error'][$i], 0, $varfiles); + $resupload = dol_move_uploaded_file($TFile['tmp_name'][$i], $destfull, $allowoverwrite, 0, $TFile['error'][$i], 0, $varfiles, $upload_dir); if (is_numeric($resupload) && $resupload > 0) // $resupload can be 'ErrorFileAlreadyExists' { diff --git a/htdocs/ecm/class/ecmfiles.class.php b/htdocs/ecm/class/ecmfiles.class.php index 653ff29d021..85d6d4f0bc2 100644 --- a/htdocs/ecm/class/ecmfiles.class.php +++ b/htdocs/ecm/class/ecmfiles.class.php @@ -67,7 +67,7 @@ class EcmFiles extends CommonObject */ public $entity; - public $filename; + public $filename; // Note: Into ecm database record, the entry $filename never ends with .noexe public $filepath; public $fullpath_orig; 
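Review bot: The decision to skip `.noexe` is taken on `$upload_dir`, which nothing in this hunk ties to `$dest_file`, so a caller that passes the medias directory together with a destination elsewhere would store an executable-content file under its real name. Deriving the directory from the real destination removes that dependency and makes the extra parameter unnecessary: `if (dirname($dest_file).'/' !== $publicmediasdirwithslash) {`. The rest of the function, including how `$file_name` is built from `$dest_file`, is outside the hunk, so confirm the destination is not rewritten before this point.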
diff --git a/htdocs/website/index.php b/htdocs/website/index.php index d539572bc11..3d6e0d328b2 100644 --- a/htdocs/website/index.php +++ b/htdocs/website/index.php @@ -208,7 +208,7 @@ $permtouploadfile = $user->rights->website->write; $diroutput = $conf->medias->multidir_output[$conf->entity]; $relativepath = $section_dir; -$upload_dir = $diroutput.'/'.$relativepath; +$upload_dir = preg_replace('/\/$/', '', $diroutput).'/'.preg_replace('/^\//', '', $relativepath); $htmlheadercontentdefault = ''; $htmlheadercontentdefault .= ''."\n";
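Review bot: The rebuilt `$upload_dir` strips only one trailing slash from `$diroutput` and one leading slash from `$relativepath`, and nothing in the hunk rejects `..` segments in `$relativepath`, which is copied from `$section_dir`. Where `$section_dir` is validated is not visible here, so that should be confirmed before the value is used as an upload target. For the slash handling, `$upload_dir = rtrim($diroutput, '/').'/'.ltrim($relativepath, '/');` is simpler and also handles repeated slashes. Note that the result ends with a slash only when `$relativepath` is empty or itself ends with one, while the `.noexe` checks in files.lib.php assume a trailing slash, so a short comment stating that dependency would help.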