Fix can't rename a file into a reserved CLI command file

htdocs/core/actions_linkedfiles.inc.php

@@ -188,7 +188,7 @@ if ($action == 'confirm_deletefile' && $confirm == 'yes' && !empty($permissionto
 		//error fetching
 	}
 } elseif ($action == 'renamefile' && GETPOST('renamefilesave', 'alpha') && !empty($permissiontoadd)) {
-	// For documents pages, upload_dir contains already path to file from module dir, so we clean path into urlfile.
+	// For documents pages, upload_dir contains already the path to the file from module dir
 	if (!empty($upload_dir)) {
 		$filenamefrom = dol_sanitizeFileName(GETPOST('renamefilefrom', 'alpha'), '_', 0); // Do not remove accents
 		$filenameto = dol_sanitizeFileName(GETPOST('renamefileto', 'alpha'), '_', 0); // Do not remove accents
@@ -200,7 +200,22 @@ if ($action == 'confirm_deletefile' && $confirm == 'yes' && !empty($permissionto
 			$error++;
 			setEventMessages($langs->trans('ErrorWrongFileName'), null, 'errors');
 		}
-		if (!$error && $filenamefrom != $filenameto) {
+
+		// Check that filename is not the one of a reserved allowed CLI command
+		if (empty($error)) {
+			global $dolibarr_main_restrict_os_commands;
+			if (!empty($dolibarr_main_restrict_os_commands)) {
+				$arrayofallowedcommand = explode(',', $dolibarr_main_restrict_os_commands);
+				$arrayofallowedcommand = array_map('trim', $arrayofallowedcommand);
+				if (in_array(basename($filenameto), $arrayofallowedcommand)) {
+					$error++;
+					$langs->load("errors"); // key must be loaded because we can't rely on loading during output, we need var substitution to be done now.
+					setEventMessages($langs->trans("ErrorFilenameReserved", basename($filenameto)), null, 'errors');
+				}
+			}
+		}
+
+		if (empty($error) && $filenamefrom != $filenameto) {
 			// Security:
 			// Disallow file with some extensions. We rename them.
 			// Because if we put the documents directory into a directory inside web root (very bad), this allows to execute on demand arbitrary code.
@@ -236,17 +251,18 @@ if ($action == 'confirm_deletefile' && $confirm == 'yes' && !empty($permissionto
 							// When we rename a file from the file manager in ecm, we must not regenerate thumbs (not a problem, we do pass here)
 							// When we rename a file from the website module, we must not regenerate thumbs (module = medias in such a case)
 							// but when we rename from a tab "Documents", we must regenerate thumbs
-							if (GETPOST('modulepart') == 'medias') {
+							if (GETPOST('modulepart', 'aZ09') == 'medias') {
 								$generatethumbs = 0;
 							}
 
 							if ($generatethumbs) {
-								if ($object->id) {
+								if ($object->id > 0) {
+									// Create thumbs for the new file
 									$object->addThumbs($destpath);
-								}
 
-								// TODO Add revert function of addThumbs to remove thumbs with old name
-								//$object->delThumbs($srcpath);
+									// Delete thumb files with old name
+									$object->delThumbs($srcpath);
+								}
 							}
 
 							setEventMessages($langs->trans("FileRenamed"), null);

htdocs/core/class/commonobject.class.php

@@ -5743,12 +5743,12 @@ abstract class CommonObject
 	 */
 	public function addThumbs($file)
 	{
-		global $maxwidthsmall, $maxheightsmall, $maxwidthmini, $maxheightmini, $quality;
-
-		require_once DOL_DOCUMENT_ROOT.'/core/lib/images.lib.php'; // This define also $maxwidthsmall, $quality, ...
-
 		$file_osencoded = dol_osencode($file);
 		if (file_exists($file_osencoded)) {
+			global $maxwidthsmall, $maxheightsmall, $maxwidthmini, $maxheightmini, $quality;
+
+			require_once DOL_DOCUMENT_ROOT.'/core/lib/images.lib.php'; // This define also $maxwidthsmall, $quality, ...
+
 			// Create small thumbs for company (Ratio is near 16/9)
 			// Used on logon for example
 			vignette($file_osencoded, $maxwidthsmall, $maxheightsmall, '_small', $quality);
@@ -5759,6 +5759,21 @@ abstract class CommonObject
 		}
 	}
 
+	/**
+	 *  Delete thumbs
+	 *  @todo Move this into files.lib.php
+	 *
+	 *  @param      string	$file           Path file in UTF8 to original file to delete thumbs.
+	 *	@return		void
+	 */
+	public function delThumbs($file)
+	{
+		$imgThumbName = getImageFileNameForSize($file, '_small'); // Full path of thumb file
+		dol_delete_file($imgThumbName);
+		$imgThumbName = getImageFileNameForSize($file, '_mini'); // Full path of thumb file
+		dol_delete_file($imgThumbName);
+	}
+
 
 	/* Functions common to commonobject and commonobjectline */
 

htdocs/core/lib/files.lib.php

@@ -1714,7 +1714,6 @@ function dol_add_file_process($upload_dir, $allowoverwrite = 0, $donotupdatesess
 				$info = pathinfo($destfull);
 				$destfull = $info['dirname'].'/'.dol_sanitizeFileName($info['filename'].($info['extension'] != '' ? ('.'.strtolower($info['extension'])) : ''));
 				$info = pathinfo($destfile);
-
 				$destfile = dol_sanitizeFileName($info['filename'].($info['extension'] != '' ? ('.'.strtolower($info['extension'])) : ''));
 
 				// We apply dol_string_nohtmltag also to clean file names (this remove duplicate spaces) because
@@ -1722,13 +1721,14 @@ function dol_add_file_process($upload_dir, $allowoverwrite = 0, $donotupdatesess
 				$destfile = dol_string_nohtmltag($destfile);
 				$destfull = dol_string_nohtmltag($destfull);
 
+				// Check that filename is not the one of a reserved allowed CLI command
 				global $dolibarr_main_restrict_os_commands;
 				if (!empty($dolibarr_main_restrict_os_commands)) {
 					$arrayofallowedcommand = explode(',', $dolibarr_main_restrict_os_commands);
 					$arrayofallowedcommand = array_map('trim', $arrayofallowedcommand);
-					if (in_array(basename($destfull), $arrayofallowedcommand)) {
+					if (in_array($destfile, $arrayofallowedcommand)) {
 						$langs->load("errors"); // key must be loaded because we can't rely on loading during output, we need var substitution to be done now.
-						setEventMessages($langs->trans("ErrorFilenameReserved", basename($destfull)), null, 'errors');
+						setEventMessages($langs->trans("ErrorFilenameReserved", $destfile), null, 'errors');
 						return -1;
 					}
 				}