From 31825375669329ac6006ae664af2645862b906cc Mon Sep 17 00:00:00 2001
From: atm-lena <lena@atm-consulting.fr>
Date: Wed, 16 Sep 2020 17:19:25 +0200
Subject: [PATCH 1/4] FIX - Send mail from contact : select mail model

---
 htdocs/contact/card.php | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/htdocs/contact/card.php b/htdocs/contact/card.php
index f013cd7e8aa..ec8d64fcede 100644
--- a/htdocs/contact/card.php
+++ b/htdocs/contact/card.php
@@ -1176,6 +1176,11 @@ else
         }
     }
 
+    // Select mail models is same action as presend
+    if (GETPOST('modelselected', 'alpha')) {
+        $action = 'presend';
+    }
+
     if (! empty($id) && $action != 'edit' && $action != 'create')
     {
         $objsoc = new Societe($db);

From 23c4cfe913429a38b3e4f9edec33bdfb0166d274 Mon Sep 17 00:00:00 2001
From: Alexandre SPANGARO <aspangaro.dolibarr@gmail.com>
Date: Wed, 16 Sep 2020 20:55:28 +0200
Subject: [PATCH 2/4] FIX Yogosha report 4425 (backport)

---
 htdocs/core/lib/functions.lib.php | 37 ++++++++++++++++++++++++-------
 htdocs/document.php               |  9 ++++----
 2 files changed, 34 insertions(+), 12 deletions(-)

diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php
index 97ad5d58969..3f4229589dd 100644
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
@@ -7705,19 +7705,16 @@ function getAdvancedPreviewUrl($modulepart, $relativepath, $alldata = 0, $param
 
 	if (empty($conf->use_javascript_ajax)) return '';
 
-	$mime_preview = array('bmp', 'jpeg', 'png', 'gif', 'tiff', 'pdf', 'plain', 'css', 'svg+xml');
-	//$mime_preview[]='vnd.oasis.opendocument.presentation';
-	//$mime_preview[]='archive';
-	$num_mime = array_search(dol_mimetype($relativepath, '', 1), $mime_preview);
+	$isAllowedForPreview = dolIsAllowedForPreview($relativepath);
 
 	if ($alldata == 1)
 	{
-		if ($num_mime !== false) return array('target'=>'_blank', 'css'=>'documentpreview', 'url'=>DOL_URL_ROOT.'/document.php?modulepart='.$modulepart.'&attachment=0&file='.urlencode($relativepath).($param?'&'.$param:''), 'mime'=>dol_mimetype($relativepath), );
+		if (isAllowedForPreview) return array('target'=>'_blank', 'css'=>'documentpreview', 'url'=>DOL_URL_ROOT.'/document.php?modulepart='.$modulepart.'&attachment=0&file='.urlencode($relativepath).($param?'&'.$param:''), 'mime'=>dol_mimetype($relativepath), );
 		else return array();
 	}
 
-	// old behavior
-	if ($num_mime !== false) return 'javascript:document_preview(\''.dol_escape_js(DOL_URL_ROOT.'/document.php?modulepart='.$modulepart.'&attachment=0&file='.urlencode($relativepath).($param?'&'.$param:'')).'\', \''.dol_mimetype($relativepath).'\', \''.dol_escape_js($langs->trans('Preview')).'\')';
+	// old behavior, return a string
+	if ($isAllowedForPreview) return 'javascript:document_preview(\''.dol_escape_js(DOL_URL_ROOT.'/document.php?modulepart='.$modulepart.'&attachment=0&file='.urlencode($relativepath).($param?'&'.$param:'')).'\', \''.dol_mimetype($relativepath).'\', \''.dol_escape_js($langs->trans('Preview')).'\')';
 	else return '';
 }
 
@@ -7741,6 +7738,30 @@ function ajax_autoselect($htmlname, $addlink = '')
 	return $out;
 }
 
+/**
+ *	Return if a file is qualified for preview
+ *
+ *	@param	string	$file		Filename we looking for information
+ *	@return int					1 If allowed, 0 otherwise
+ *  @see    dol_mimetype(), image_format_supported() from images.lib.php
+ */
+function dolIsAllowedForPreview($file) {
+	global $conf;
+
+	// Check .noexe extension in filename
+	if (preg_match('/\.noexe$/i', $file)) return 0;
+
+	// Check mime types
+	$mime_preview = array('bmp', 'jpeg', 'png', 'gif', 'tiff', 'pdf', 'plain', 'css', 'webp');
+	if (!empty($conf->global->MAIN_ALLOW_SVG_FILES_AS_IMAGES)) $mime_preview[] = 'svg+xml';
+	//$mime_preview[]='vnd.oasis.opendocument.presentation';
+	//$mime_preview[]='archive';
+	$num_mime = array_search(dol_mimetype($file, '', 1), $mime_preview);
+	if ($num_mime !== false) return 1;
+
+	// By default, not allowed for preview
+	return 0;
+}
 
 /**
  *	Return mime type of a file
@@ -7749,7 +7770,7 @@ function ajax_autoselect($htmlname, $addlink = '')
  *  @param  string	$default    Default mime type if extension not found in known list
  * 	@param	int		$mode    	0=Return full mime, 1=otherwise short mime string, 2=image for mime type, 3=source language, 4=css of font fa
  *	@return string 		    	Return a mime type family (text/xxx, application/xxx, image/xxx, audio, video, archive)
- *  @see    image_format_supported() from images.lib.php
+ *  @see    dolIsAllowedForPreview(), image_format_supported() from images.lib.php
  */
 function dol_mimetype($file, $default = 'application/octet-stream', $mode = 0)
 {
diff --git a/htdocs/document.php b/htdocs/document.php
index 2b37792d69a..ccd404f7315 100644
--- a/htdocs/document.php
+++ b/htdocs/document.php
@@ -156,12 +156,13 @@ if (isset($_GET["attachment"])) $attachment = GETPOST("attachment", 'alpha')?tru
 if (! empty($conf->global->MAIN_DISABLE_FORCE_SAVEAS)) $attachment=false;
 
 // Define mime type
-$type = 'application/octet-stream';
+$type = 'application/octet-stream';	// By default
 if (GETPOST('type', 'alpha')) $type=GETPOST('type', 'alpha');
 else $type=dol_mimetype($original_file);
-// Security: Force to octet-stream if file is a dangerous file
-if (preg_match('/\.noexe$/i', $original_file)) $type = 'application/octet-stream';
-
+// Security: Force to octet-stream if file is a dangerous file. For example when it is a .noexe file
+if (!dolIsAllowedForPreview($original_file)) {
+	$type = 'application/octet-stream';
+}
 // Security: Delete string ../ into $original_file
 $original_file = str_replace("../", "/", $original_file);
 

From bc457ebb660ae67b0bc853e317915e9e140458c1 Mon Sep 17 00:00:00 2001
From: Alexandre SPANGARO <aspangaro.dolibarr@gmail.com>
Date: Wed, 16 Sep 2020 21:22:59 +0200
Subject: [PATCH 3/4] Stickler

---
 htdocs/core/lib/functions.lib.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php
index 3f4229589dd..c279b3fb4e5 100644
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
@@ -7745,7 +7745,8 @@ function ajax_autoselect($htmlname, $addlink = '')
  *	@return int					1 If allowed, 0 otherwise
  *  @see    dol_mimetype(), image_format_supported() from images.lib.php
  */
-function dolIsAllowedForPreview($file) {
+function dolIsAllowedForPreview($file)
+{
 	global $conf;
 
 	// Check .noexe extension in filename

From 56a9f5c48b180ed152bc3e20e99a8e6151384571 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Fri, 18 Sep 2020 14:49:20 +0200
Subject: [PATCH 4/4] Fix

---
 htdocs/core/lib/functions.lib.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php
index c279b3fb4e5..a5ab772b795 100644
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
@@ -7709,7 +7709,7 @@ function getAdvancedPreviewUrl($modulepart, $relativepath, $alldata = 0, $param
 
 	if ($alldata == 1)
 	{
-		if (isAllowedForPreview) return array('target'=>'_blank', 'css'=>'documentpreview', 'url'=>DOL_URL_ROOT.'/document.php?modulepart='.$modulepart.'&attachment=0&file='.urlencode($relativepath).($param?'&'.$param:''), 'mime'=>dol_mimetype($relativepath), );
+		if ($isAllowedForPreview) return array('target'=>'_blank', 'css'=>'documentpreview', 'url'=>DOL_URL_ROOT.'/document.php?modulepart='.$modulepart.'&attachment=0&file='.urlencode($relativepath).($param?'&'.$param:''), 'mime'=>dol_mimetype($relativepath), );
 		else return array();
 	}