From 9cfe1262bdbdc38521e79bb1cbaad3a0a04d3fee Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Tue, 24 Sep 2019 13:30:04 +0200
Subject: [PATCH] FIX Force downlaod of file with .noexe as octet-stream mime type
---
 htdocs/document.php | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/htdocs/document.php b/htdocs/document.php
index 57897786f0d..2b37792d69a 100644
--- a/htdocs/document.php
+++ b/htdocs/document.php
@@ -159,6 +159,8 @@ if (! empty($conf->global->MAIN_DISABLE_FORCE_SAVEAS)) $attachment=false;
 $type = 'application/octet-stream';
 if (GETPOST('type', 'alpha')) $type=GETPOST('type', 'alpha');
 else $type=dol_mimetype($original_file);
+// Security: Force to octet-stream if file is a dangerous file
+if (preg_match('/\.noexe$/i', $original_file)) $type = 'application/octet-stream';
 // Security: Delete string ../ into $original_file
 $original_file = str_replace("../", "/", $original_file);
@@ -215,7 +217,7 @@ if (! $accessallowed)
 }
 // Security:
-// On interdit les remontees de repertoire ainsi que les pipe dans les noms de fichiers.
+// We refuse directory transversal change and pipes in file names
 if (preg_match('/\.\./', $fullpath_original_file) || preg_match('/[<>|]/', $fullpath_original_file))
 {
 dol_syslog("Refused to deliver file ".$fullpath_original_file);
@@ -227,6 +229,7 @@ if (preg_match('/\.\./', $fullpath_original_file) || preg_match('/[<>|]/', $full
 clearstatcache();
 $filename = basename($fullpath_original_file);
+$filename = preg_replace('/\.noexe$/i', '', $filename);
 // Output file on browser
 dol_syslog("document.php download $fullpath_original_file filename=$filename content-type=$type");
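Review bot: The new octet-stream override in the first hunk only fires for names ending in `.noexe`, while the context line just above it still lets the requester pick the response Content-Type via `GETPOST('type', 'alpha')`; for every other stored file a client can still ask for a browser-interpreted type such as `text/html` or `image/svg+xml`, which matters if the `alpha` sanitizer lets `/` through and the response is ever sent inline (the `$attachment` logic deciding that is outside this hunk). I would either drop the client override entirely, `$type = dol_mimetype($original_file);`, or keep it only for a non-active allowlist, e.g. `if ($reqtype && !preg_match('/html|xml|svg|javascript/i', $reqtype)) $type = $reqtype;` with `$reqtype = GETPOST('type', 'alpha');` computed once. Also worth a comment on the added `preg_match` that `.noexe` is the suffix Dolibarr appends to uploads it treats as executable, so the `.noexe` strip in the last hunk's `$filename` and this forced type are a matched pair; as written the two lines are only linked by the commit message.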