diff --git a/htdocs/admin/mails_templates.php b/htdocs/admin/mails_templates.php index 999bfecf562..5ba126e8229 100644 --- a/htdocs/admin/mails_templates.php +++ b/htdocs/admin/mails_templates.php @@ -258,6 +258,39 @@ $permissiontoadd = 1; $id = 25; +// If $acceptlocallinktomedia is true, we can add link media files int email templates (we already can do this into HTML editor of an email). +// Note that local link to a file into medias are replaced with a real link by email in CMailFile.class.php with value $urlwithroot defined like this: +// $urlwithouturlroot = preg_replace('/'.preg_quote(DOL_URL_ROOT, '/').'$/i', '', trim($dolibarr_main_url_root)); +// $urlwithroot = $urlwithouturlroot.DOL_URL_ROOT; // This is to use external domain name found into config file +$acceptlocallinktomedia = getDolGlobalInt('MAIN_DISALLOW_MEDIAS_IN_EMAIL_TEMPLATES') ? 0 : 1; +if ($acceptlocallinktomedia) { + global $dolibarr_main_url_root; + $urlwithouturlroot = preg_replace('/'.preg_quote(DOL_URL_ROOT, '/').'$/i', '', trim($dolibarr_main_url_root)); + + // Parse $newUrl + $newUrlArray = parse_url($urlwithouturlroot); + $hosttocheck = $newUrlArray['host']; + $hosttocheck = str_replace(array('[', ']'), '', $hosttocheck); // Remove brackets of IPv6 + + if (function_exists('gethostbyname')) { + $iptocheck = gethostbyname($hosttocheck); + } else { + $iptocheck = $hosttocheck; + } + + //var_dump($iptocheck.' '.$acceptlocallinktomedia); + if (!filter_var($iptocheck, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) { + // If ip of public url is an private network IP, we do not allow this. + $acceptlocallinktomedia = 0; + // TODO Show a warning + } + + if (preg_match('/http:/i', $urlwithouturlroot)) { + // If public url is not a https, we do not allow to add medias link. It will generate security alerts when email will be sent. + $acceptlocallinktomedia = 0; + // TODO Show a warning + } +} /* 
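Review bot: The host extraction in the new block, `$hosttocheck = $newUrlArray['host'];`, assumes `parse_url()` returned an array containing a host; when `$dolibarr_main_url_root` is empty or malformed `parse_url()` returns `false` or omits `host`, which emits a PHP 8 warning on an admin page even though the flow still ends with `$acceptlocallinktomedia = 0`. Reading it as `$hosttocheck = is_array($newUrlArray) ? (string) ($newUrlArray['host'] ?? '') : '';` keeps the fail-closed result without the warning, and the scheme test is more precise as `strtolower((string) ($newUrlArray['scheme'] ?? '')) !== 'https'` than `preg_match('/http:/i', ...)`, which also matches an `http:` substring elsewhere in the URL. It is worth a comment on the `gethostbyname` line that the check is intentionally fail-closed: the function returns the unresolved name on failure and only resolves IPv4, and the following `filter_var` then rejects it, so IPv6-only or unresolvable public hosts also disable media links. The identical block is added again in htdocs/user/card.php (hunk @@ -125,6 +125,40 @@); factoring it into one shared helper would keep the two copies from drifting.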
@@ -828,7 +861,8 @@ if ($action == 'create') { if (empty($conf->global->FCKEDITOR_ENABLE_MAIL)) { $okforextended = false; } - $doleditor = new DolEditor($tmpfieldlist, (!empty($obj->$tmpfieldlist) ? $obj->$tmpfieldlist : ''), '', 180, 'dolibarr_mailings', 'In', 0, true, $okforextended, ROWS_4, '90%'); + + $doleditor = new DolEditor($tmpfieldlist, (!empty($obj->$tmpfieldlist) ? $obj->$tmpfieldlist : ''), '', 180, 'dolibarr_mailings', 'In', false, $acceptlocallinktomedia, $okforextended, ROWS_4, '90%'); print $doleditor->Create(1); } print ''; 
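Review bot: The `toolbarstartexpanded` argument on the new `DolEditor` line is passed as `false` here but as `0` on the equivalent new line in hunk @@ -1061,46 +1095,13 @@ of the same file, while `$acceptlocallinktomedia` is an int passed to a parameter the commit documents as `boolean|int`; pick one representation for both call sites so the create and edit editors are configured identically. Eleven positional arguments with several adjacent bool/int flags is hard to verify in review; a named local such as `$toolbarexpanded = false;` used at both sites, or named arguments if the project's minimum PHP version allows them, would make the intent visible. The enclosing `if ($action == 'create')` block continues outside the hunk.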
@@ -1061,46 +1095,13 @@ if ($num) { print $form->selectyesno($tmpfieldlist.'-'.$rowid, (isset($obj->$tmpfieldlist) ? $obj->$tmpfieldlist : '0'), 1, false, 0, 1); } - // If $acceptlocallinktomedia is true, we can add link media files int email templates (we already can do this into HTML editor of an email). - // Note that local link to a file into medias are replaced with a real link by email in CMailFile.class.php with value $urlwithroot defined like this: - // $urlwithouturlroot = preg_replace('/'.preg_quote(DOL_URL_ROOT, '/').'$/i', '', trim($dolibarr_main_url_root)); - // $urlwithroot = $urlwithouturlroot.DOL_URL_ROOT; // This is to use external domain name found into config file - $acceptlocallinktomedia = getDolGlobalInt('MAIN_DISALLOW_MEDIAS_IN_EMAIL_TEMPLATES') ? 0 : 1; - if ($acceptlocallinktomedia) { - global $dolibarr_main_url_root; - $urlwithouturlroot = preg_replace('/'.preg_quote(DOL_URL_ROOT, '/').'$/i', '', trim($dolibarr_main_url_root)); - - // Parse $newUrl - $newUrlArray = parse_url($urlwithouturlroot); - $hosttocheck = $newUrlArray['host']; - $hosttocheck = str_replace(array('[', ']'), '', $hosttocheck); // Remove brackets of IPv6 - - if (function_exists('gethostbyname')) { - $iptocheck = gethostbyname($hosttocheck); - } else { - $iptocheck = $hosttocheck; - } - - //var_dump($iptocheck.' '.$acceptlocallinktomedia); - if (!filter_var($iptocheck, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) { - // If ip of public url is an private network IP, we do not allow this. - $acceptlocallinktomedia = 0; - // TODO Show a warning - } - - if (preg_match('/http:/i', $urlwithouturlroot)) { - // If public url is not a https, we do not allow to add medias link. It will generate security alerts when email will be sent. - $acceptlocallinktomedia = 0; - // TODO Show a warning - } - } - if ($tmpfieldlist == 'content') { print $form->textwithpicto($langs->trans("Content"), $tabhelp[$id][$tmpfieldlist], 1, 'help', '', 0, 2, $tmpfieldlist).'
'; $okforextended = true; if (empty($conf->global->FCKEDITOR_ENABLE_MAIL)) { $okforextended = false; } + $doleditor = new DolEditor($tmpfieldlist.'-'.$rowid, (!empty($obj->{$tmpfieldlist}) ? $obj->{$tmpfieldlist} : ''), '', 500, 'dolibarr_mailings', 'In', 0, $acceptlocallinktomedia, $okforextended, ROWS_6, '90%'); print $doleditor->Create(1); } diff --git a/htdocs/core/class/doleditor.class.php b/htdocs/core/class/doleditor.class.php index 53a20d6dadd..67f9cbcbf89 100644 --- a/htdocs/core/class/doleditor.class.php +++ b/htdocs/core/class/doleditor.class.php @@ -60,7 +60,7 @@ class DolEditor * 'In' = each window has its own toolbar * 'Out:name' = share toolbar into the div called 'name' * @param boolean $toolbarstartexpanded Bar is visible or not at start - * @param boolean $uselocalbrowser Enabled to add links to local object with local browser. If false, only external images can be added in content. + * @param boolean|int $uselocalbrowser Enabled to add links to local object with local browser. If false, only external images can be added in content. * @param boolean|string $okforextendededitor True=Allow usage of extended editor tool if qualified (like ckeditor). If 'textarea', force use of simple textarea. If 'ace', force use of Ace. * Warning: If you use 'ace', don't forget to also include ace.js in page header. Also, the button "save" must have class="buttonforacesave". * @param int $rows Size of rows for textarea tool diff --git a/htdocs/core/filemanagerdol/connectors/php/connector.lib.php b/htdocs/core/filemanagerdol/connectors/php/connector.lib.php index 0377413f857..08dd2429b7b 100644 --- a/htdocs/core/filemanagerdol/connectors/php/connector.lib.php +++ b/htdocs/core/filemanagerdol/connectors/php/connector.lib.php @@ -286,8 +286,6 @@ function CreateFolder($resourceType, $currentFolder) echo ''; } -// @CHANGE -//function FileUpload( $resourceType, $currentFolder, $sCommand ) /** * FileUpload * 
@@ -299,6 +297,8 @@ function CreateFolder($resourceType, $currentFolder) */ function FileUpload($resourceType, $currentFolder, $sCommand, $CKEcallback = '') { + global $user; + if (!isset($_FILES)) { global $_FILES; } @@ -328,22 +328,11 @@ function FileUpload($resourceType, $currentFolder, $sCommand, $CKEcallback = '') $sExtension = substr($sFileName, (strrpos($sFileName, '.') + 1)); $sExtension = strtolower($sExtension); - //var_dump($Config); - /* - if (isset($Config['SecureImageUploads'])) { - if (($isImageValid = IsImageValid($oFile['tmp_name'], $sExtension)) === false) { - $sErrorNumber = '202'; - } - } - - if (isset($Config['HtmlExtensions'])) { - if (!IsHtmlExtension($sExtension, $Config['HtmlExtensions']) && - ($detectHtml = DetectHtml($oFile['tmp_name'])) === true) { - $sErrorNumber = '202'; - } - } - */ - + // Check permission + if (!$user->hasRight('website', 'write') && !$user->hasRight('mailing', 'write') || !empty($user->socid)) { + dol_syslog("connector.lib.php Try to upload a file with no permission"); + $sErrorNumber = '202'; + } include_once DOL_DOCUMENT_ROOT.'/core/lib/images.lib.php'; //var_dump($sFileName); var_dump(image_format_supported($sFileName));exit; diff --git a/htdocs/user/card.php b/htdocs/user/card.php index 2325ab7ab53..e8c4e2e8bcd 100644 --- a/htdocs/user/card.php +++ b/htdocs/user/card.php 
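Review bot: The new permission check in FileUpload mixes `&&` and `||` without parentheses; PHP's precedence makes it evaluate as "(no website write and no mailing write) or external user", which looks intended, but the grouping should be explicit: `if ((!$user->hasRight('website', 'write') && !$user->hasRight('mailing', 'write')) || !empty($user->socid)) {`. The check also assumes the `global $user` added in the earlier hunk is an object: if the connector is reached without an authenticated session, `$user->hasRight()` raises an Error instead of denying, so a leading `!is_object($user) || empty($user->id) ||` guard would fail closed. Setting `$sErrorNumber = '202'` only blocks the upload if the later file-move is conditioned on that variable, which is outside this hunk and worth confirming; a denied-permission event should also be logged at `LOG_WARNING` rather than the default level of `dol_syslog`. FileUpload's body continues outside the hunk.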
@@ -125,6 +125,40 @@ $hookmanager->initHooks(array('usercard', 'globalcard')); $error = 0; +// If $acceptlocallinktomedia is true, we can add link media files int email templates (we already can do this into HTML editor of an email). +// Note that local link to a file into medias are replaced with a real link by email in CMailFile.class.php with value $urlwithroot defined like this: +// $urlwithouturlroot = preg_replace('/'.preg_quote(DOL_URL_ROOT, '/').'$/i', '', trim($dolibarr_main_url_root)); +// $urlwithroot = $urlwithouturlroot.DOL_URL_ROOT; // This is to use external domain name found into config file +$acceptlocallinktomedia = getDolGlobalInt('MAIN_DISALLOW_MEDIAS_IN_EMAIL_TEMPLATES') ? 0 : 1; +if ($acceptlocallinktomedia) { + global $dolibarr_main_url_root; + $urlwithouturlroot = preg_replace('/'.preg_quote(DOL_URL_ROOT, '/').'$/i', '', trim($dolibarr_main_url_root)); + + // Parse $newUrl + $newUrlArray = parse_url($urlwithouturlroot); + $hosttocheck = $newUrlArray['host']; + $hosttocheck = str_replace(array('[', ']'), '', $hosttocheck); // Remove brackets of IPv6 + + if (function_exists('gethostbyname')) { + $iptocheck = gethostbyname($hosttocheck); + } else { + $iptocheck = $hosttocheck; + } + + //var_dump($iptocheck.' '.$acceptlocallinktomedia); + if (!filter_var($iptocheck, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) { + // If ip of public url is an private network IP, we do not allow this. + $acceptlocallinktomedia = 0; + // TODO Show a warning + } + + if (preg_match('/http:/i', $urlwithouturlroot)) { + // If public url is not a https, we do not allow to add medias link. It will generate security alerts when email will be sent. + $acceptlocallinktomedia = 0; + // TODO Show a warning + } +} + /** * Actions 
@@ -1212,7 +1246,8 @@ if ($action == 'create' || $action == 'adduserldap') { print ''.$langs->trans("Signature").''; print ''; require_once DOL_DOCUMENT_ROOT.'/core/class/doleditor.class.php'; - $doleditor = new DolEditor('signature', GETPOST('signature', 'restricthtml'), '', 138, 'dolibarr_notes', 'In', true, true, empty($conf->global->FCKEDITOR_ENABLE_USERSIGN) ? 0 : 1, ROWS_4, '90%'); + + $doleditor = new DolEditor('signature', GETPOST('signature', 'restricthtml'), '', 138, 'dolibarr_notes', 'In', true, $acceptlocallinktomedia, empty($conf->global->FCKEDITOR_ENABLE_USERSIGN) ? 0 : 1, ROWS_4, '90%'); print $doleditor->Create(1); print ''; @@ -2699,7 +2734,8 @@ if ($action == 'create' || $action == 'adduserldap') { print ''; if ($caneditfield) { require_once DOL_DOCUMENT_ROOT.'/core/class/doleditor.class.php'; - $doleditor = new DolEditor('signature', $object->signature, '', 138, 'dolibarr_notes', 'In', false, true, empty($conf->global->FCKEDITOR_ENABLE_USERSIGN) ? 0 : 1, ROWS_4, '90%'); + + $doleditor = new DolEditor('signature', $object->signature, '', 138, 'dolibarr_notes', 'In', false, $acceptlocallinktomedia, empty($conf->global->FCKEDITOR_ENABLE_USERSIGN) ? 0 : 1, ROWS_4, '90%'); print $doleditor->Create(1); } else { print dol_htmlentitiesbr($object->signature);