Merge pull request #17510 from Hystepik/develo#2

Fix #17501 : Undownloable attached file

htdocs/core/actions_linkedfiles.inc.php

@@ -44,6 +44,10 @@ if (GETPOST('sendit', 'alpha') && !empty($conf->global->MAIN_UPLOAD_DOC)) {
 					setEventMessages($langs->trans("ErrorFieldRequired", $langs->transnoentitiesnoconv("File")), null, 'errors');
 				}
 			}
+			if (preg_match('/__.*__/', $_FILES['userfile']['name'][$key])) {
+				$error++;
+				setEventMessages($langs->trans('ErrorWrongFileName'), null, 'errors');
+			}
 		}
 
 		if (!$error) {
@@ -172,8 +176,11 @@ if ($action == 'confirm_deletefile' && $confirm == 'yes') {
 		// We apply dol_string_nohtmltag also to clean file names (this remove duplicate spaces) because
 		// this function is also applied when we upload and when we make try to download file (by the GETPOST(filename, 'alphanohtml') call).
 		$filenameto = dol_string_nohtmltag($filenameto);
-
-		if ($filenamefrom != $filenameto) {
+		if (preg_match('/__.*__/', $filenameto)) {
+			$error++;
+			setEventMessages($langs->trans('ErrorWrongFileName'), null, 'errors');
+		}
+		if (!$error && $filenamefrom != $filenameto) {
 			// Security:
 			// Disallow file with some extensions. We rename them.
 			// Because if we put the documents directory into a directory inside web root (very bad), this allows to execute on demand arbitrary code.

htdocs/langs/en_US/errors.lang

@@ -299,3 +299,4 @@ WarningModuleXDisabledSoYouMayMissEventHere=Module %s has not been enabled. So y
 ErrorActionCommPropertyUserowneridNotDefined=User's owner is required
 ErrorActionCommBadType=Selected event type (id: %n, code: %s) do not exist in Event Type dictionary
 CheckVersionFail=Version check fail
+ErrorWrongFileName=Name of the file cannot have __SOMETHING__ in it