FIX Yogosha report 4425 (backport)

Alexandre SPANGARO 2020-09-18 01:37:15 +02:00
parent 142a27d472
commit f453e43cca


@ -156,12 +156,13 @@ if (isset($_GET["attachment"])) $attachment = GETPOST("attachment", 'alpha')?tru
if (! empty($conf->global->MAIN_DISABLE_FORCE_SAVEAS)) $attachment=false;
// Define mime type
$type = 'application/octet-stream';
$type = 'application/octet-stream'; // By default
if (GETPOST('type', 'alpha')) $type=GETPOST('type', 'alpha');
else $type=dol_mimetype($original_file);
// Security: Force to octet-stream if file is a dangerous file
if (preg_match('/\.noexe$/i', $original_file)) $type = 'application/octet-stream';
// Security: Force to octet-stream if file is a dangerous file. For example when it is a .noexe file
if (!dolIsAllowedForPreview($original_file)) {
$type = 'application/octet-stream';
}
// Security: Delete string ../ into $original_file
$original_file = str_replace("../", "/", $original_file);