diff --git a/htdocs/core/actions_linkedfiles.inc.php b/htdocs/core/actions_linkedfiles.inc.php index 4e2cd2873b6..6c5ac91c9bb 100644 --- a/htdocs/core/actions_linkedfiles.inc.php +++ b/htdocs/core/actions_linkedfiles.inc.php @@ -188,7 +188,7 @@ if ($action == 'confirm_deletefile' && $confirm == 'yes' && !empty($permissionto //error fetching } } elseif ($action == 'renamefile' && GETPOST('renamefilesave', 'alpha') && !empty($permissiontoadd)) { - // For documents pages, upload_dir contains already path to file from module dir, so we clean path into urlfile. + // For documents pages, upload_dir contains already the path to the file from module dir if (!empty($upload_dir)) { $filenamefrom = dol_sanitizeFileName(GETPOST('renamefilefrom', 'alpha'), '_', 0); // Do not remove accents $filenameto = dol_sanitizeFileName(GETPOST('renamefileto', 'alpha'), '_', 0); // Do not remove accents 
@@ -200,7 +200,22 @@ if ($action == 'confirm_deletefile' && $confirm == 'yes' && !empty($permissionto $error++; setEventMessages($langs->trans('ErrorWrongFileName'), null, 'errors'); } - if (!$error && $filenamefrom != $filenameto) { + + // Check that filename is not the one of a reserved allowed CLI command + if (empty($error)) { + global $dolibarr_main_restrict_os_commands; + if (!empty($dolibarr_main_restrict_os_commands)) { + $arrayofallowedcommand = explode(',', $dolibarr_main_restrict_os_commands); + $arrayofallowedcommand = array_map('trim', $arrayofallowedcommand); + if (in_array(basename($filenameto), $arrayofallowedcommand)) { + $error++; + $langs->load("errors"); // key must be loaded because we can't rely on loading during output, we need var substitution to be done now. + setEventMessages($langs->trans("ErrorFilenameReserved", basename($filenameto)), null, 'errors'); + } + } + } + + if (empty($error) && $filenamefrom != $filenameto) { // Security: // Disallow file with some extensions. We rename them. // Because if we put the documents directory into a directory inside web root (very bad), this allows to execute on demand arbitrary code. 
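Review bot: The reserved-name test `in_array(basename($filenameto), $arrayofallowedcommand)` is an exact, case-sensitive, loosely-typed match, so on a case-insensitive filesystem a name differing only in letter case from an allowed command would presumably pass. It is worth confirming how the command restriction itself compares names, then normalising both sides and using strict mode, e.g. `in_array(strtolower(basename($filenameto)), array_map('strtolower', $arrayofallowedcommand), true)`. The same comparison is repeated in the `dol_add_file_process` hunk of files.lib.php, and a shared helper would keep the two copies from drifting apart. The check also runs before the extension-renaming step that follows in this block, which continues outside the hunk, so it sees the name before any later rewrite.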
@@ -236,17 +251,18 @@ if ($action == 'confirm_deletefile' && $confirm == 'yes' && !empty($permissionto // When we rename a file from the file manager in ecm, we must not regenerate thumbs (not a problem, we do pass here) // When we rename a file from the website module, we must not regenerate thumbs (module = medias in such a case) // but when we rename from a tab "Documents", we must regenerate thumbs - if (GETPOST('modulepart') == 'medias') { + if (GETPOST('modulepart', 'aZ09') == 'medias') { $generatethumbs = 0; } if ($generatethumbs) { - if ($object->id) { + if ($object->id > 0) { + // Create thumbs for the new file $object->addThumbs($destpath); - } - // TODO Add revert function of addThumbs to remove thumbs with old name - //$object->delThumbs($srcpath); + // Delete thumb files with old name + $object->delThumbs($srcpath); + } } setEventMessages($langs->trans("FileRenamed"), null); diff --git a/htdocs/core/class/commonobject.class.php b/htdocs/core/class/commonobject.class.php index 69188c9a7e4..b8a986a0663 100644 --- a/htdocs/core/class/commonobject.class.php +++ b/htdocs/core/class/commonobject.class.php @@ -5743,12 +5743,12 @@ abstract class CommonObject */ public function addThumbs($file) { - global $maxwidthsmall, $maxheightsmall, $maxwidthmini, $maxheightmini, $quality; - - require_once DOL_DOCUMENT_ROOT.'/core/lib/images.lib.php'; // This define also $maxwidthsmall, $quality, ... - $file_osencoded = dol_osencode($file); if (file_exists($file_osencoded)) { + global $maxwidthsmall, $maxheightsmall, $maxwidthmini, $maxheightmini, $quality; + + require_once DOL_DOCUMENT_ROOT.'/core/lib/images.lib.php'; // This define also $maxwidthsmall, $quality, ... + // Create small thumbs for company (Ratio is near 16/9) // Used on logon for example vignette($file_osencoded, $maxwidthsmall, $maxheightsmall, '_small', $quality); 
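Review bot: Old-name thumbnails are removed only inside `if ($object->id > 0)`, so when `modulepart` is `medias` or the object has no positive id, any thumbnails generated under the previous name stay on disk after the rename. Whether thumbnails exist in those cases cannot be told from this hunk, because `$srcpath` and `$generatethumbs` are set outside it. If they can exist, consider calling `$object->delThumbs($srcpath);` independently of `$generatethumbs`. Otherwise add a comment such as `// No thumbs exist for medias / objects without id, nothing to clean up`, so that a reader does not assume stale copies are handled.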
@@ -5759,6 +5759,21 @@ abstract class CommonObject } } + /** + * Delete thumbs + * @todo Move this into files.lib.php + * + * @param string $file Path file in UTF8 to original file to delete thumbs. + * @return void + */ + public function delThumbs($file) + { + $imgThumbName = getImageFileNameForSize($file, '_small'); // Full path of thumb file + dol_delete_file($imgThumbName); + $imgThumbName = getImageFileNameForSize($file, '_mini'); // Full path of thumb file + dol_delete_file($imgThumbName); + } + /* Functions common to commonobject and commonobjectline */ diff --git a/htdocs/core/lib/files.lib.php b/htdocs/core/lib/files.lib.php index e74bd537fb2..c29eec57698 100644 --- a/htdocs/core/lib/files.lib.php +++ b/htdocs/core/lib/files.lib.php @@ -1714,7 +1714,6 @@ function dol_add_file_process($upload_dir, $allowoverwrite = 0, $donotupdatesess $info = pathinfo($destfull); $destfull = $info['dirname'].'/'.dol_sanitizeFileName($info['filename'].($info['extension'] != '' ? ('.'.strtolower($info['extension'])) : '')); $info = pathinfo($destfile); - $destfile = dol_sanitizeFileName($info['filename'].($info['extension'] != '' ? ('.'.strtolower($info['extension'])) : '')); // We apply dol_string_nohtmltag also to clean file names (this remove duplicate spaces) because 
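Review bot: `delThumbs()` passes the computed thumb paths to `dol_delete_file()` with default arguments and discards the result, so a failed delete is silent. If that helper's default still expands wildcard patterns, a source name containing pattern characters could also remove more than the two intended thumbnails. Each call targets exactly one known path, so passing the disable-glob argument (`dol_delete_file($imgThumbName, 1);`, assuming the second parameter is still `$disableglob`) keeps the delete literal. Unlike `addThumbs()`, the method loads no library itself and relies on the caller having already included the file that defines `dol_delete_file()`. A `require_once` at the top of the method, or a docblock line stating that prerequisite, would make this explicit.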
@@ -1722,13 +1721,14 @@ function dol_add_file_process($upload_dir, $allowoverwrite = 0, $donotupdatesess $destfile = dol_string_nohtmltag($destfile); $destfull = dol_string_nohtmltag($destfull); + // Check that filename is not the one of a reserved allowed CLI command global $dolibarr_main_restrict_os_commands; if (!empty($dolibarr_main_restrict_os_commands)) { $arrayofallowedcommand = explode(',', $dolibarr_main_restrict_os_commands); $arrayofallowedcommand = array_map('trim', $arrayofallowedcommand); - if (in_array(basename($destfull), $arrayofallowedcommand)) { + if (in_array($destfile, $arrayofallowedcommand)) { $langs->load("errors"); // key must be loaded because we can't rely on loading during output, we need var substitution to be done now. - setEventMessages($langs->trans("ErrorFilenameReserved", basename($destfull)), null, 'errors'); + setEventMessages($langs->trans("ErrorFilenameReserved", $destfile), null, 'errors'); return -1; } }
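Review bot: The reserved-name check now tests `$destfile`, while the file is presumably written to `$destfull`, and the two are sanitised on separate lines above, so the check no longer inspects the path actually used. If they can ever differ, the name that lands on disk is not the one that was validated. Either keep `basename($destfull)`, or add a comment stating why `$destfile` and the last component of `$destfull` are guaranteed identical at this point. The enclosing `dol_add_file_process` starts and ends outside the hunk.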