From bc9b816719211ca75a12a709b9f77dd1a6c1d1b9 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Mon, 6 Nov 2017 17:54:18 +0100 Subject: [PATCH] Fix deletion of files that contains __ --- htdocs/core/actions_linkedfiles.inc.php | 2 +- htdocs/core/lib/functions.lib.php | 7 ++++--- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/htdocs/core/actions_linkedfiles.inc.php b/htdocs/core/actions_linkedfiles.inc.php index 1f47a94f6d2..ea5d6c3db26 100644 --- a/htdocs/core/actions_linkedfiles.inc.php +++ b/htdocs/core/actions_linkedfiles.inc.php @@ -56,7 +56,7 @@ if ($action == 'confirm_deletefile' && $confirm == 'yes') { if ($object->id) { - $urlfile = GETPOST('urlfile', 'alpha'); // Do not use urldecode here ($_GET and $_REQUEST are already decoded by PHP). + $urlfile = GETPOST('urlfile', 'alpha', 0, null, null, 1); // Do not use urldecode here ($_GET and $_REQUEST are already decoded by PHP). if (GETPOST('section', 'alpha')) $file = $upload_dir . "/" . $urlfile; // For a delete of GED module urlfile contains full path from upload_dir else // For documents pages, upload_dir contains already path to file from module dir, so we clean path into urlfile. { diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php index 288badf6285..51eb070da91 100644 --- a/htdocs/core/lib/functions.lib.php +++ b/htdocs/core/lib/functions.lib.php @@ -257,12 +257,13 @@ function dol_shutdown() * 'custom'= custom filter specify $filter and $options) * @param int $method Type of method (0 = get then post, 1 = only get, 2 = only post, 3 = post then get, 4 = post then get then cookie) * @param int $filter Filter to apply when $check is set to 'custom'. (See http://php.net/manual/en/filter.filters.php for détails) - * @param mixed $options Options to pass to filter_var when $check is set to 'custom'. + * @param mixed $options Options to pass to filter_var when $check is set to 'custom' + * @param string $noreplace Force disable of replacement of __xxx__ strings. * @return string|string[] Value found (string or array), or '' if check fails * * @TODO Set default value for check to alpha. Check all WYSIWYG edition (email and description...) is still ok with rich text. */ -function GETPOST($paramname, $check='', $method=0, $filter=NULL, $options=NULL) +function GETPOST($paramname, $check='', $method=0, $filter=NULL, $options=NULL, $noreplace=0) { global $mysoc,$user,$conf; @@ -366,7 +367,7 @@ function GETPOST($paramname, $check='', $method=0, $filter=NULL, $options=NULL) // Substitution variables for GETPOST (used to get final url with variable parameters or final default value with variable paramaters) // Example of variables: __DAY__, __MONTH__, __YEAR__, __MYCOUNTRYID__, __USERID__, __ENTITYID__, ... // We do this only if var is a GET. If it is a POST, may be we want to post the text with vars as the setup text. - if (! is_array($out) && empty($_POST[$paramname])) + if (! is_array($out) && empty($_POST[$paramname]) && empty($noreplace)) { $maxloop=20; $loopnb=0; // Protection against infinite loop while (preg_match('/__([A-Z0-9]+_?[A-Z0-9]+)__/i', $out, $reg) && ($loopnb < $maxloop)) // Detect '__ABCDEF__' as key 'ABCDEF' and '__ABC_DEF__' as key 'ABC_DEF'. Detection is also correct when 2 vars are side by side.