From edb239837c5b498430e82648121f05961714d66a Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Mon, 23 Aug 2021 16:03:34 +0200
Subject: [PATCH] FIX #yogosha6944 Protection against traversal path.
---
 htdocs/document.php | 2 +-
 htdocs/viewimage.php | 5 +++--
 2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/htdocs/document.php b/htdocs/document.php
index 046eb9b14bf..3c06801c9a0 100644
--- a/htdocs/document.php
+++ b/htdocs/document.php
@@ -194,7 +194,7 @@ if (!in_array($type, array('text/x-javascript')) && !dolIsAllowedForPreview($ori
 $type = 'application/octet-stream';
 }
-// Security: Delete string ../ into $original_file
+// Security: Delete string ../ or ..\ into $original_file
 $original_file = str_replace('../', '/', $original_file);
 $original_file = str_replace('..\\', '/', $original_file);
diff --git a/htdocs/viewimage.php b/htdocs/viewimage.php
index 9c584f5b8bb..f514c7c0302 100644
--- a/htdocs/viewimage.php
+++ b/htdocs/viewimage.php
@@ -221,8 +221,9 @@ if (preg_match('/\.noexe$/i', $original_file)) {
 accessforbidden('Error: Using the image wrapper to output a file ending with .noexe is not allowed.', 0, 0, 1);
 }
-// Security: Delete string ../ into $original_file
-$original_file = str_replace("../", "/", $original_file);
+// Security: Delete string ../ or ..\ into $original_file
+$original_file = str_replace('../', '/', $original_file);
+$original_file = str_replace('..\\', '/', $original_file);
 // Find the subdirectory name as the reference
 $refname = basename(dirname($original_file)."/");
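Review bot: The two str_replace() calls added to viewimage.php (and the identical pair that document.php's hunk shows as context) are a single, non-iterative substitution, so a path that still contains a parent-directory segment after one pass — a `..` left adjacent to a separator once an inner `../` has been removed, or a bare `..` at the very end of the string, which neither pattern matches — is handed on to dirname()/basename() as if it were safe. Because the code rewrites the value and continues instead of refusing it, the check fails open: a request that should be denied is quietly reshaped and served. Prefer to reject any `..` path segment outright, e.g. replace the two assignments with `if (preg_match('/(^|[\/\\\\])\.\.([\/\\\\]|$)/', $original_file)) { accessforbidden('Error: path traversal is not allowed.', 0, 0, 1); }`, reusing the accessforbidden() call visible just above in the hunk. A realpath()-style containment check against the permitted document root would be stronger still, since this only covers the literal `..` form, and I cannot tell from the hunk whether such a check exists elsewhere in these scripts. Both hunks are top-level script statements following an if block, not inside a function.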