From 455a9ed4da8d5712a5ba2ee7754aee85f358e264 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Wed, 7 Dec 2016 12:41:48 +0100
Subject: [PATCH] FIX security in import of files

---
 htdocs/core/class/html.formfile.class.php     |  4 +-
 .../modules/import/import_csv.modules.php     |  2 +-
 htdocs/imports/import.php                     | 42 +++++++++++++++----
 3 files changed, 35 insertions(+), 13 deletions(-)

diff --git a/htdocs/core/class/html.formfile.class.php b/htdocs/core/class/html.formfile.class.php
index 05a4a8d398e..804a15de39a 100644
--- a/htdocs/core/class/html.formfile.class.php
+++ b/htdocs/core/class/html.formfile.class.php
@@ -140,10 +140,8 @@ class FormFile
                 if ($perm)
                 {
                 	$langs->load('other');
-                    //$out .= ' ('.$langs->trans("MaxSize").': '.$max.' '.$langs->trans("Kb");
                     $out .= ' ';
-                    $out.=info_admin($langs->trans("ThisLimitIsDefinedInSetup",$max,$maxphp),1);
-                    //$out .= ')';
+                    $out .= info_admin($langs->trans("ThisLimitIsDefinedInSetup",$max,$maxphp),1);
                 }
             }
             else
diff --git a/htdocs/core/modules/import/import_csv.modules.php b/htdocs/core/modules/import/import_csv.modules.php
index fed4489c9db..08ae59d0924 100644
--- a/htdocs/core/modules/import/import_csv.modules.php
+++ b/htdocs/core/modules/import/import_csv.modules.php
@@ -372,7 +372,7 @@ class ImportCsv extends ModeleImports
                                     
                                     if ($isidorref == 'ref')    // If value into input import file is a ref, we apply the function defined into descriptor
                                     {
-                                        $file=$objimport->array_import_convertvalue[0][$val]['classfile'];
+                                        $file=(empty($objimport->array_import_convertvalue[0][$val]['classfile'])?$objimport->array_import_convertvalue[0][$val]['file']:$objimport->array_import_convertvalue[0][$val]['classfile']);
                                         $class=$objimport->array_import_convertvalue[0][$val]['class'];
                                         $method=$objimport->array_import_convertvalue[0][$val]['method'];
                                         if ($this->cacheconvert[$file.'_'.$class.'_'.$method.'_'][$newval] != '')
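Review bot: The fallback added on the `$file` line uses `empty()`, which also treats a `classfile` value of `'0'` or `0` as missing and would silently switch to `['file']`; `isset()` states the intent more precisely and the repeated array path can be hoisted: `$conv = $objimport->array_import_convertvalue[0][$val];` followed by `$file = (isset($conv['classfile']) && $conv['classfile'] !== '') ? $conv['classfile'] : $conv['file'];`. The cache key on the last line of the hunk is built from `$file`, so the fallback changes which cache bucket a descriptor hits; presumably these descriptor values come from module code rather than from the imported file, so no injection concern is visible here, but the hunk does not show where they are defined. The enclosing method starts and ends outside the hunk.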
diff --git a/htdocs/imports/import.php b/htdocs/imports/import.php
index 3952cd2d605..ec49f8e450a 100644
--- a/htdocs/imports/import.php
+++ b/htdocs/imports/import.php
@@ -529,7 +529,15 @@ if ($step == 3 && $datatoimport)
 	print '<form name="userfile" action="'.$_SERVER["PHP_SELF"].'" enctype="multipart/form-data" METHOD="POST">';
 	print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 	print '<input type="hidden" name="max_file_size" value="'.$conf->maxfilesize.'">';
-
+	
+	print '<input type="hidden" value="'.$step.'" name="step">';
+	print '<input type="hidden" value="'.$format.'" name="format">';
+	print '<input type="hidden" value="'.$excludefirstline.'" name="excludefirstline">';
+	print '<input type="hidden" value="'.$endatlinenb.'" name="endatlinenb">';
+	print '<input type="hidden" value="'.$separator.'" name="separator">';
+	print '<input type="hidden" value="'.$enclosure.'" name="enclosure">';
+	print '<input type="hidden" value="'.$datatoimport.'" name="datatoimport">';
+	
 	print '<table class="noborder" width="100%" cellspacing="0" cellpadding="4">';
 
 	$filetoimport='';
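Review bot: The hidden inputs moved to the top of the form print `$format`, `$excludefirstline`, `$endatlinenb`, `$separator`, `$enclosure` and `$datatoimport` raw inside double-quoted `value` attributes; if these come from the request earlier in the file, as the step-based flow suggests, a `"` in any of them breaks out of the attribute and yields reflected XSS on this page. Each value should be escaped for the attribute context, e.g. `print '<input type="hidden" value="'.htmlspecialchars($separator, ENT_QUOTES).'" name="separator">';` (or the project's own HTML-escaping helper, if one exists), and the same for the other six lines. The unescaped `$_SERVER["PHP_SELF"]` in the form action on the first context line has the same weakness but predates this change.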
@@ -543,14 +551,30 @@ if ($step == 3 && $datatoimport)
 	$var=false;
 	print '<tr '.$bc[$var].'><td colspan="6">';
 	print '<input type="file"   name="userfile" size="20" maxlength="80"> &nbsp; &nbsp; ';
-	print '<input type="submit" class="button" value="'.$langs->trans("AddFile").'" name="sendit">';
-	print '<input type="hidden" value="'.$step.'" name="step">';
-	print '<input type="hidden" value="'.$format.'" name="format">';
-	print '<input type="hidden" value="'.$excludefirstline.'" name="excludefirstline">';
-	print '<input type="hidden" value="'.$endatlinenb.'" name="endatlinenb">';
-	print '<input type="hidden" value="'.$separator.'" name="separator">';
-	print '<input type="hidden" value="'.$enclosure.'" name="enclosure">';
-	print '<input type="hidden" value="'.$datatoimport.'" name="datatoimport">';
+	$out = (empty($conf->global->MAIN_UPLOAD_DOC)?' disabled':'');
+	print '<input type="submit" class="button" value="'.$langs->trans("AddFile").'"'.$out.' name="sendit">';
+	$out='';
+	if (! empty($conf->global->MAIN_UPLOAD_DOC))
+	{
+	    $max=$conf->global->MAIN_UPLOAD_DOC;		// En Kb
+	    $maxphp=@ini_get('upload_max_filesize');	// En inconnu
+	    if (preg_match('/k$/i',$maxphp)) $maxphp=$maxphp*1;
+	    if (preg_match('/m$/i',$maxphp)) $maxphp=$maxphp*1024;
+	    if (preg_match('/g$/i',$maxphp)) $maxphp=$maxphp*1024*1024;
+	    if (preg_match('/t$/i',$maxphp)) $maxphp=$maxphp*1024*1024*1024;
+	    // Now $max and $maxphp are in Kb
+	    if ($maxphp > 0) $max=min($max,$maxphp);
+
+        $langs->load('other');
+        $out .= ' ';
+        $out.=info_admin($langs->trans("ThisLimitIsDefinedInSetup",$max,$maxphp),1);
+	}
+	else
+	{
+	    $out .= ' ('.$langs->trans("UploadDisabled").')';
+	}
+	print $out;
+	print '</td>';
 	print "</tr>\n";
 
 	// Search available imports
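Review bot: Disabling the "AddFile" submit button when `MAIN_UPLOAD_DOC` is empty is only a UI hint — a client can still POST `sendit` with a file — so the security fix announced in the subject depends on the `sendit` handler earlier in this file (outside the hunk) rejecting the upload when `MAIN_UPLOAD_DOC` is unset; that server-side check is not visible here and should be confirmed. The `upload_max_filesize` suffix conversion duplicates the one FormFile already has (the first hunk of this patch prints the same `ThisLimitIsDefinedInSetup` message) and multiplies strings such as `"2M"` directly, which only works through PHP's leading-numeric coercion and raises a notice/warning on PHP 7.1+; cast first, e.g. `if (preg_match('/m$/i',$maxphp)) $maxphp=(int) $maxphp*1024;`, or better, move the conversion into one shared helper used by both places. A value with no suffix (plain bytes) is left untouched and then compared with `$max` as if it were in Kb, so the displayed limit is wrong in that case.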
-- 
GitLab