diff --git a/htdocs/lib/files.lib.php b/htdocs/lib/files.lib.php index 4e63a2221a5ddb43a2ae7e3a6d5d3a38a6abed03..d14de3b804d49d4561e593431f4aef405e715729 100644 --- a/htdocs/lib/files.lib.php +++ b/htdocs/lib/files.lib.php @@ -20,7 +20,7 @@ /** * \file htdocs/lib/files.lib.php * \brief Library for file managing functions - * \version $Id: files.lib.php,v 1.65 2011/07/06 09:25:06 eldy Exp $ + * \version $Id: files.lib.php,v 1.66 2011/07/06 16:56:01 eldy Exp $ */ /** @@ -260,7 +260,12 @@ function dol_mimetype($file,$default='application/octet-stream',$mode=0) // Audio if (preg_match('/\.(mp3|ogg|au|wav|wma|mid)$/i',$tmpfile)) { $mime='audio'; $imgmime='audio.png'; } // Video - if (preg_match('/\.(avi|divx|xvid|wmv|mpg|mpeg)$/i',$tmpfile)) { $mime='video'; $imgmime='video.png'; } + if (preg_match('/\.ogv$/i',$tmpfile)) { $mime='video/ogg'; $imgmime='video.png'; } + if (preg_match('/\.webm$/i',$tmpfile)) { $mime='video/webm'; $imgmime='video.png'; } + if (preg_match('/\.avi$/i',$tmpfile)) { $mime='video/x-msvideo'; $imgmime='video.png'; } + if (preg_match('/\.divx$/i',$tmpfile)) { $mime='video/divx'; $imgmime='video.png'; } + if (preg_match('/\.xvid$/i',$tmpfile)) { $mime='video/xvid'; $imgmime='video.png'; } + if (preg_match('/\.(wmv|mpg|mpeg)$/i',$tmpfile)) { $mime='video'; $imgmime='video.png'; } // Archive if (preg_match('/\.(zip|rar|gz|tgz|z|cab|bz2|7z|tar|lzh)$/i',$tmpfile)) { $mime='archive'; $imgmime='archive.png'; } // application/xxx where zzz is zip, ... // Exe diff --git a/htdocs/viewimage.php b/htdocs/viewimage.php index ccc670cc90956f0adedeaff453090ae0af328b3b..2a4dd7b2b92e2d945ad1c2b9b3e0ab808c4eb373 100644 --- a/htdocs/viewimage.php +++ b/htdocs/viewimage.php 
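Review bot: The new video branches return full MIME types (`video/ogg`, `video/webm`, `video/x-msvideo`) while the last branch still assigns the bare string `'video'` for wmv/mpg/mpeg, which is not a valid media type; viewimage.php in this same commit writes the return value straight into `header('Content-type: '.$type)`, so unless `$mode` or the caller maps the short names (the rest of dol_mimetype is outside this hunk, so I cannot confirm) those three extensions will produce an invalid header. I would finish the migration in this hunk with `if (preg_match('/\.(mpg|mpeg)$/i',$tmpfile)) { $mime='video/mpeg'; $imgmime='video.png'; }` and `if (preg_match('/\.wmv$/i',$tmpfile)) { $mime='video/x-ms-wmv'; $imgmime='video.png'; }`. Since every pattern is anchored with `$` the six `if`s are mutually exclusive, but an `elseif` chain (or a single extension-to-type table) would make that intent explicit and stop the chain re-running preg_match after a hit. A comment above the block such as `// Type is derived from the file extension only, not from content; callers must not rely on it for trust decisions` would also be worth adding, because this value ends up as the Content-Type of user-uploaded files.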
@@ -23,7 +23,7 @@ * \file htdocs/viewimage.php * \brief Wrapper to show images into Dolibarr screens * \remarks Call to wrapper is '<img src="'.DOL_URL_ROOT.'/viewimage.php?modulepart=diroffile&file=relativepathofofile&cache=0">' - * \version $Id: viewimage.php,v 1.93 2011/06/28 14:20:22 hregis Exp $ + * \version $Id: viewimage.php,v 1.94 2011/07/06 16:56:01 eldy Exp $ */ // Do not use urldecode here ($_GET and $_REQUEST are already decoded by PHP). @@ -88,7 +88,8 @@ else $type=dol_mimetype($original_file); // Suppression de la chaine de caractere ../ dans $original_file $original_file = str_replace("../","/", $original_file); -// Security check +// Security checks +if (empty($modulepart)) accessforbidden('Bad value for parameter modulepart'); $accessallowed=0; if ($modulepart) { @@ -376,8 +377,7 @@ if (! $accessallowed) } // Security: -// On interdit les remontees de repertoire ainsi que les pipe dans -// les noms de fichiers. +// On interdit les remontees de repertoire ainsi que les pipe dans les noms de fichiers. if (preg_match('/\.\./',$original_file) || preg_match('/[<>|]/',$original_file)) { dol_syslog("Refused to deliver file ".$original_file, LOG_WARNING); @@ -420,19 +420,23 @@ else // Open and return file $original_file_osencoded=dol_osencode($original_file); // This test if file exists should be useless. We keep it to find bug more easily - if (! file_exists($original_file_osencoded)) + if (! dol_is_file($original_file_osencoded)) { - dol_print_error(0,'Error: File '.$_GET["file"].' does not exists'); + $error='Error: File '.$_GET["file"].' does not exists or filesystems permissions are not allowed'; + dol_print_error(0,$error); + print $error; exit; } // Les drois sont ok et fichier trouve if ($type) { + header('Content-Disposition: inline; filename="'.basename($original_file).'"'); header('Content-type: '.$type); } else { + header('Content-Disposition: inline; filename="'.basename($original_file).'"'); header('Content-type: image/png'); }
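Review bot: The added `if (empty($modulepart)) accessforbidden(...)` is fine, but it sits right after `$original_file = str_replace("../","/", $original_file);`, which is a single-pass rewrite rather than a sanitizer: an input like `....//` becomes `..//` after one pass. What actually protects the delivery is the reject-on-`..` regex in the later hunk around `Refused to deliver file`, and that runs only after the `$modulepart` block has already consumed `$original_file` (that block is outside the hunk, so I cannot tell whether it touches the filesystem before the check). I would reject instead of rewriting, next to the new modulepart check: `if (preg_match('/\.\./',$original_file) || preg_match('/[<>|]/',$original_file)) accessforbidden('Bad value for parameter file');` and drop the str_replace line, keeping the later check as defense in depth. Depending on the PHP version targeted, a NUL byte in `file` may also be worth rejecting at the same spot.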
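Review bot: The new `print $error;` in the `dol_is_file` failure branch echoes `$_GET["file"]` unescaped into the response, and at that point no Content-Type header has been sent yet, so the browser will treat the page as HTML — a reflected XSS on a parameter the attacker fully controls. It should be `print htmlspecialchars($error, ENT_QUOTES, 'UTF-8');` (or simply dropped if `dol_print_error` already renders it, which I cannot confirm from here). The added `Content-Disposition: inline; filename="'.basename($original_file).'"'` also interpolates the name into a quoted-string without escaping; the earlier check rejects `..` and `<>|` but not `"` or `\`, so a name containing `"` can break the header value — strip or escape those characters, e.g. `$fname=str_replace(array('"','\\'),'',basename($original_file));`, before building the header. Since the type is chosen purely from the extension and the file is served `inline`, consider adding `header('X-Content-Type-Options: nosniff');` alongside these headers so browsers do not sniff uploaded content into a more dangerous type.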