lainwir3d/dolibarr
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge branch '9.0' of git@github.com:Dolibarr/dolibarr.git into develop

Browse Source
This commit is contained in:
Laurent Destailleur 2019-04-27 13:26:12 +02:00
commit b275160f20
2 changed files with 5 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
htdocs/projet/element.php
View File

@ -474,7 +474,7 @@ $listofreferent=array(
'lang'=>'banks',
'buttonnew'=>'AddVariousPayment',
'testnew'=>$user->rights->banque->modifier,
'test'=>$conf->banque->enabled && $user->rights->banque->lire),
'test'=>$conf->banque->enabled && $user->rights->banque->lire && empty($conf->global->BANK_USE_OLD_VARIOUS_PAYMENT)),
/* No need for this, available on dedicated tab "Agenda/Events"
'agenda'=>array(
'name'=>"Agenda",

5
htdocs/viewimage.php
View File

@ -169,6 +169,9 @@ $type = 'application/octet-stream';
if (GETPOST('type', 'alpha')) $type=GETPOST('type', 'alpha');
else $type=dol_mimetype($original_file);
// Security: This wrapper is for images. We do not allow type/html
if (preg_match('/html/', $type)) accessforbidden('Error: Using the image wrapper to output a file with a mime type HTML is not possible.', 1, 1, 1);
// Security: Delete string ../ into $original_file
$original_file = str_replace("../", "/", $original_file);
@ -176,7 +179,7 @@ $original_file = str_replace("../", "/", $original_file);
$refname=basename(dirname($original_file)."/");
// Security check
if (empty($modulepart)) accessforbidden('Bad value for parameter modulepart');
if (empty($modulepart)) accessforbidden('Bad value for parameter modulepart', 1, 1, 1);
$check_access = dol_check_secure_access_document($modulepart, $original_file, $entity, $refname);
$accessallowed = $check_access['accessallowed'];