From b71b8e5e4f60c397b60d6c121ef58f2edb2e40c7 Mon Sep 17 00:00:00 2001 From: Hystepik Date: Thu, 12 Dec 2024 14:40:03 +0100 Subject: [PATCH 1/5] Fix #32193 Add verification on extension file for upload --- htdocs/admin/security_file.php | 12 +++++++++++- htdocs/core/lib/files.lib.php | 12 ++++++++++++ htdocs/langs/en_US/admin.lang | 2 ++ htdocs/langs/en_US/errors.lang | 1 + 4 files changed, 26 insertions(+), 1 deletion(-) diff --git a/htdocs/admin/security_file.php b/htdocs/admin/security_file.php index 5752223834f74..32564013cfd80 100644 --- a/htdocs/admin/security_file.php +++ b/htdocs/admin/security_file.php @@ -104,7 +104,8 @@ $res4 = dolibarr_set_const($db, "MAIN_UMASK", $tmpumask, 'chaine', 0, '', $conf->entity); $res5 = dolibarr_set_const($db, "MAIN_ANTIVIRUS_COMMAND", trim($antivircommand), 'chaine', 0, '', $conf->entity); $res6 = dolibarr_set_const($db, "MAIN_ANTIVIRUS_PARAM", trim($antivirparam), 'chaine', 0, '', $conf->entity); - if ($res3 && $res4 && $res5 && $res6) { + $res7 = dolibarr_set_const($db, "MAIN_FILE_EXTENSION_UPLOAD_RESTRICTION", GETPOST('MAIN_FILE_EXTENSION_UPLOAD_RESTRICTION', 'alpha'), 'chaine', 0, '', $conf->entity); + if ($res3 && $res4 && $res5 && $res6 && $res7) { setEventMessages($langs->trans("RecordModifiedSuccessfully"), null, 'mesgs'); } } @@ -217,6 +218,15 @@ print ""; print ''; +print ''; +print ''.$langs->trans("UploadExtensionRestriction").'
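Review bot: The added `$res7 = dolibarr_set_const(...)` line stores the posted list verbatim, so surrounding spaces, upper-case entries and empty items (a value like `html, JS,,php`) reach the matcher in files.lib.php unchanged and every consumer has to normalise the list again. Normalising once at save time keeps the stored constant canonical: `$extlist = strtolower(implode(',', array_filter(array_map('trim', explode(',', GETPOST('MAIN_FILE_EXTENSION_UPLOAD_RESTRICTION', 'alpha'))))));` and then pass `$extlist` as the value argument of `dolibarr_set_const`. A short comment naming the expected format, `// Comma-separated list of lower-case extensions (no dot) that uploads are refused for`, would also help whoever reads the constant later. The block these `$resN` assignments belong to starts and ends outside the hunk.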
'; +print ''.$langs->trans("UploadExtensionRestrictionExemple").''; +print ''; +print ''; +print ''; +print ""; +print ''; + print ''; print ''; diff --git a/htdocs/core/lib/files.lib.php b/htdocs/core/lib/files.lib.php index 737f8ac24fc0a..d632af6022371 100644 --- a/htdocs/core/lib/files.lib.php +++ b/htdocs/core/lib/files.lib.php @@ -1955,6 +1955,18 @@ function dol_add_file_process($upload_dir, $allowoverwrite = 0, $updatesessionor $info = pathinfo($destfile); $destfile = dol_sanitizeFileName($info['filename'].($info['extension'] != '' ? ('.'.strtolower($info['extension'])) : '')); + $fileextensionrestriction = getDolGlobalString("MAIN_FILE_EXTENSION_UPLOAD_RESTRICTION"); + if (!empty($info['extension']) && !empty($fileextensionrestriction)) { + $fileextensionrestrictionarr = explode(",", $fileextensionrestriction); + foreach ($fileextensionrestrictionarr as $key => $fileextension) { + if (preg_match('/'.trim($fileextension).'/', $info['extension'])) { + $langs->load("errors"); // key must be loaded because we can't rely on loading during output, we need var substitution to be done now. + setEventMessages($langs->trans("ErrorFilenameExtensionNotAllowed", $filenameto), null, 'errors'); + return -1; + } + } + } + // We apply dol_string_nohtmltag also to clean file names (this remove duplicate spaces) because // this function is also applied when we rename and when we make try to download file (by the GETPOST(filename, 'alphanohtml') call). $destfile = dol_string_nohtmltag($destfile); diff --git a/htdocs/langs/en_US/admin.lang b/htdocs/langs/en_US/admin.lang index 90e3055573303..6a954a53de796 100644 --- a/htdocs/langs/en_US/admin.lang +++ b/htdocs/langs/en_US/admin.lang 
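Review bot: The pattern built on the `if (preg_match('/'.trim($fileextension).'/', $info['extension']))` line is an unanchored substring match, so a list entry `js` also rejects `.json` uploads and `htm` rejects any extension that merely contains those letters; the same line also interpolates the admin-provided value into the regex unescaped, so a stray `.`, `|` or `/` breaks or widens the pattern (patch 3/5 later adds `preg_quote` but keeps the substring semantics). An exact, case-insensitive comparison states what is meant and needs no regex at all: `if (strcasecmp(trim($fileextension), $info['extension']) === 0) {`. The loop variable `$key` is unused and can be dropped from the `foreach`. `dol_add_file_process` starts before and ends after this hunk, so whether `$filenameto` names the current upload at this point cannot be confirmed from the hunk; if it does not, the error message should use `$destfile` instead.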
@@ -2597,3 +2597,5 @@ AttributeCodeHelp=A code of your choice (without special char and space) to iden ThereIsMoreThanXAnswers=There is more than %s answers with your filter. Please add more filters... PdfAddTermOfSaleHelp=Upload the condition of sales from file input at the bottom of this setup page WarningOnlineSignature=Please note that this function allows a person (customer, supplier...) to insert, online, the image of his signature in the PDF document. As for a handwritten signature, such a signature can be made by anyone and does not have the same legal value as a legal electronic signature system going through a paying trusted third party. If you need this level of security, you can contact an integrator for more information or check for addons on www.dolistore.org. +UploadExtensionRestriction=File exension list forbidden to upload +UploadExtensionRestrictionExemple=html, js, php diff --git a/htdocs/langs/en_US/errors.lang b/htdocs/langs/en_US/errors.lang index 0e6576f31769e..56edbeacfbd74 100644 --- a/htdocs/langs/en_US/errors.lang +++ b/htdocs/langs/en_US/errors.lang @@ -437,3 +437,4 @@ ErrorThisContactXIsAlreadyDefinedAsThisType=%s is already defined as contact for ErrorThisGroupIsAlreadyDefinedAsThisType=The contacts with this group are already defined as contact for this type. EmptyMessageNotAllowedError=Empty message is not allowed ErrorIsNotInError=%s is not in error +ErrorFilenameExtensionNotAllowed=File %s has a forbidden file extension From 912ae1c334cdacf2678cda7d2008ef8042cfaa99 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Fri, 13 Dec 2024 14:32:50 +0100 Subject: [PATCH 2/5] Update admin.lang --- htdocs/langs/en_US/admin.lang | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/htdocs/langs/en_US/admin.lang b/htdocs/langs/en_US/admin.lang index 6a954a53de796..97e6da012f200 100644 --- a/htdocs/langs/en_US/admin.lang +++ b/htdocs/langs/en_US/admin.lang 
@@ -2598,4 +2598,4 @@ ThereIsMoreThanXAnswers=There is more than %s answers with your filter. Please a PdfAddTermOfSaleHelp=Upload the condition of sales from file input at the bottom of this setup page WarningOnlineSignature=Please note that this function allows a person (customer, supplier...) to insert, online, the image of his signature in the PDF document. As for a handwritten signature, such a signature can be made by anyone and does not have the same legal value as a legal electronic signature system going through a paying trusted third party. If you need this level of security, you can contact an integrator for more information or check for addons on www.dolistore.org. UploadExtensionRestriction=File exension list forbidden to upload -UploadExtensionRestrictionExemple=html, js, php +UploadExtensionRestrictionExemple=htm, html, shtml, js, php From 2827139499454e7126be996d33244333821acb91 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Fri, 13 Dec 2024 14:51:32 +0100 Subject: [PATCH 3/5] Update files.lib.php --- htdocs/core/lib/files.lib.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/htdocs/core/lib/files.lib.php b/htdocs/core/lib/files.lib.php index d632af6022371..646faeffd1849 100644 --- a/htdocs/core/lib/files.lib.php +++ b/htdocs/core/lib/files.lib.php 
@@ -1959,7 +1959,7 @@ function dol_add_file_process($upload_dir, $allowoverwrite = 0, $updatesessionor if (!empty($info['extension']) && !empty($fileextensionrestriction)) { $fileextensionrestrictionarr = explode(",", $fileextensionrestriction); foreach ($fileextensionrestrictionarr as $key => $fileextension) { - if (preg_match('/'.trim($fileextension).'/', $info['extension'])) { + if (preg_match('/'.preg_quote($fileextension, '/').'/i', $info['extension'])) { $langs->load("errors"); // key must be loaded because we can't rely on loading during output, we need var substitution to be done now. setEventMessages($langs->trans("ErrorFilenameExtensionNotAllowed", $filenameto), null, 'errors'); return -1; From 4d02fb03d049210337b0a1506d309bd1a2e99013 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Fri, 13 Dec 2024 14:52:58 +0100 Subject: [PATCH 4/5] Update security_file.php --- htdocs/admin/security_file.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/htdocs/admin/security_file.php b/htdocs/admin/security_file.php index 32564013cfd80..53c2761b4b0be 100644 --- a/htdocs/admin/security_file.php +++ b/htdocs/admin/security_file.php @@ -223,7 +223,7 @@ print ''.$langs->trans("UploadExtensionRestrictionExemple").''; print ''; print ''; -print ''; +print ''; print ""; print ''; From 47b034e33cfaa481905811ac9d11dd2615cd2f26 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Fri, 13 Dec 2024 14:53:35 +0100 Subject: [PATCH 5/5] Update files.lib.php --- htdocs/core/lib/files.lib.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/htdocs/core/lib/files.lib.php b/htdocs/core/lib/files.lib.php index 646faeffd1849..498c1d457d32f 100644 --- a/htdocs/core/lib/files.lib.php +++ b/htdocs/core/lib/files.lib.php 
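Review bot: The new `preg_quote($fileextension, '/')` line drops the `trim()` the previous version had, so with a list typed as shown in the admin example (`htm, html, shtml, js, php`, with spaces) every entry after the first becomes a pattern like `/ html/i` and never matches, and the restriction silently protects only the first extension. Keep the trim inside the quote, `if (preg_match('/'.preg_quote(trim($fileextension), '/').'/i', $info['extension'])) {`, or compare exactly with `strcasecmp(trim($fileextension), $info['extension']) === 0`, which also removes the unanchored-match problem raised on the 1/5 hunk. `dol_add_file_process` continues outside the hunk on both sides.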
@@ -1955,7 +1955,7 @@ function dol_add_file_process($upload_dir, $allowoverwrite = 0, $updatesessionor $info = pathinfo($destfile); $destfile = dol_sanitizeFileName($info['filename'].($info['extension'] != '' ? ('.'.strtolower($info['extension'])) : '')); - $fileextensionrestriction = getDolGlobalString("MAIN_FILE_EXTENSION_UPLOAD_RESTRICTION"); + $fileextensionrestriction = getDolGlobalString("MAIN_FILE_EXTENSION_UPLOAD_RESTRICTION", 'htm,html,shtml,js,php'); if (!empty($info['extension']) && !empty($fileextensionrestriction)) { $fileextensionrestrictionarr = explode(",", $fileextensionrestriction); foreach ($fileextensionrestrictionarr as $key => $fileextension) {
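Review bot: The default `'htm,html,shtml,js,php'` passed on the new `getDolGlobalString(...)` line is the only place this list is defined, while the example shown on the admin page (`htm, html, shtml, js, php` in admin.lang) is maintained separately and already differs in spacing. If `getDolGlobalString` falls back to the default for an empty stored value (it does if it is implemented with `empty()`), an administrator who clears the field to disable the restriction silently gets the default list back, which deserves a comment on this line such as `// Built-in blocklist applies when the constant is unset or empty; clearing the field does not disable the check`. Hoisting the literal into a named constant that the admin page can also display would keep the two in sync. `dol_add_file_process` continues outside the hunk on both sides.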