30define(
'MAIN_SECURITY_FORCECSP',
"default-src: 'none'");
34if (!defined(
'NOREQUIRESOC')) {
35 define(
'NOREQUIRESOC',
'1');
37if (!defined(
'NOREQUIRETRAN')) {
38 define(
'NOREQUIRETRAN',
'1');
40if (!defined(
'NOCSRFCHECK')) {
41 define(
'NOCSRFCHECK',
'1');
43if (!defined(
'NOTOKENRENEWAL')) {
44 define(
'NOTOKENRENEWAL',
'1');
46if (!defined(
'NOREQUIREMENU')) {
47 define(
'NOREQUIREMENU',
'1');
49if (!defined(
'NOREQUIREHTML')) {
50 define(
'NOREQUIREHTML',
'1');
52if (!defined(
'NOREQUIREAJAX')) {
53 define(
'NOREQUIREAJAX',
'1');
60if (isset($_GET[
"modulepart"])) {
64 if ($_GET[
"modulepart"] ==
'mycompany' && preg_match(
'/^\/?logos\//', $_GET[
'file'])) {
68 if ($_GET[
"modulepart"] ==
'barcode') {
72 if ($_GET[
"modulepart"] ==
'medias') {
76 if ($_GET[
"modulepart"] ==
'common') {
80 if ($_GET[
"modulepart"] ==
'userphotopublic') {
84 if ($_GET[
"modulepart"] ==
'product' && isset($_GET[
"publictakepos"])) {
89if (isset($_GET[
"hashp"])) {
94 if (!defined(
"NOLOGIN")) {
97 if (!defined(
"NOCSRFCHECK")) {
98 define(
"NOCSRFCHECK", 1);
100 if (!defined(
"NOIPCHECK")) {
101 define(
"NOIPCHECK", 1);
108$entity = (!empty($_GET[
'entity']) ? (int) $_GET[
'entity'] : (!empty($_POST[
'entity']) ? (int) $_POST[
'entity'] : 1));
109if (is_numeric($entity)) {
110 define(
"DOLENTITY", $entity);
133function llxHeader($head =
'', $title =
'', $help_url =
'', $target =
'', $disablejs = 0, $disablehead = 0, $arrayofjs =
'', $arrayofcss =
'', $morequerystring =
'', $morecssonbody =
'', $replacemainareaby =
'', $disablenofollow = 0, $disablenoindex = 0)
144function llxFooter($comment =
'', $zone =
'private', $disabledoutputofmessages = 0)
148require
'main.inc.php';
149require_once DOL_DOCUMENT_ROOT.
'/core/lib/files.lib.php';
151$action =
GETPOST(
'action',
'aZ09');
152$original_file =
GETPOST(
'file',
'alphanohtml');
153$hashp =
GETPOST(
'hashp',
'aZ09', 1);
154$modulepart =
GETPOST(
'modulepart',
'alpha', 1);
155$urlsource =
GETPOST(
'urlsource',
'alpha');
159if (empty($modulepart) && empty($hashp)) {
162if (empty($original_file) && empty($hashp) && $modulepart !=
'barcode') {
165if ($modulepart ==
'fckeditor') {
166 $modulepart =
'medias';
182if (
GETPOST(
"cache",
'alpha')) {
187 if (empty($dolibarr_nocache)) {
188 if (
GETPOST(
'cache',
'alpha') !=
'1') {
189 $delaycache = 3600 * 24 * 7;
193 header(
'Cache-Control: max-age='.$delaycache.
', public, must-revalidate');
194 header(
'Pragma: cache');
195 header(
'Expires: '.gmdate(
'D, d M Y H:i:s', time() + $delaycache).
' GMT');
198 header(
'Cache-Control: no-cache');
205 include_once DOL_DOCUMENT_ROOT.
'/ecm/class/ecmfiles.class.php';
207 $result = $ecmfile->fetch(0,
'',
'',
'', $hashp);
209 $tmp = explode(
'/', $ecmfile->filepath, 2);
211 if (is_numeric($tmp[0])) {
212 $tmp = explode(
'/', $tmp[1], 2);
214 $moduleparttocheck = $tmp[0];
217 if ($moduleparttocheck == $modulepart) {
219 $original_file = (($tmp[1] ? $tmp[1].
'/' :
'').$ecmfile->filename);
225 $modulepart = $moduleparttocheck;
226 $original_file = (($tmp[1] ? $tmp[1].
'/' :
'').$ecmfile->filename);
234$type =
'application/octet-stream';
236 $type =
GETPOST(
'type',
'alpha');
242if (preg_match(
'/html/i', $type)) {
246if (preg_match(
'/\.noexe$/i', $original_file)) {
251$original_file = preg_replace(
'/\.\.+/',
'..', $original_file);
252$original_file = str_replace(
'../',
'/', $original_file);
253$original_file = str_replace(
'..\\',
'/', $original_file);
256$refname = basename(dirname($original_file).
"/");
257if ($refname ==
'thumbs') {
259 $refname = basename(dirname(dirname($original_file)).
"/");
268if (empty($modulepart)) {
274if ($modulepart ===
'medias' && $entity != $conf->entity) {
275 $conf->entity = $entity;
276 $conf->setValues($db);
280$accessallowed = $check_access[
'accessallowed'];
281$sqlprotectagainstexternals = $check_access[
'sqlprotectagainstexternals'];
282$fullpath_original_file = $check_access[
'original_file'];
286 $sqlprotectagainstexternals =
'';
288 if (
getDolGlobalString(
'TAKEPOS_AUTO_ORDER') && in_array($modulepart, array(
'product',
'category'))) {
295 if ($user->socid > 0) {
296 if ($sqlprotectagainstexternals) {
297 $resql = $db->query($sqlprotectagainstexternals);
299 $num = $db->num_rows($resql);
302 $obj = $db->fetch_object($resql);
303 if ($user->socid != $obj->fk_soc) {
316if (!$accessallowed) {
322if (preg_match(
'/\.\./', $fullpath_original_file) || preg_match(
'/[<>|]/', $fullpath_original_file)) {
323 dol_syslog(
"Refused to deliver file ".$fullpath_original_file);
324 print
"ErrorFileNameInvalid: ".dol_escape_htmltag($original_file);
330if ($modulepart ==
'barcode') {
331 $generator =
GETPOST(
"generator",
"aZ09");
332 $encoding =
GETPOST(
"encoding",
"aZ09");
333 $readable =
GETPOST(
"readable",
'aZ09') ?
GETPOST(
"readable",
"aZ09") :
"Y";
334 if (in_array($encoding, array(
'EAN8',
'EAN13'))) {
335 $code =
GETPOST(
"code",
'alphanohtml');
337 $code =
GETPOST(
"code",
'restricthtml');
340 if (empty($generator) || empty($encoding)) {
341 print
'Error: Parameter "generator" or "encoding" not defined';
345 $dirbarcode = array_merge(array(
"/core/modules/barcode/doc/"), $conf->modules_parts[
'barcode']);
349 foreach ($dirbarcode as $reldir) {
354 if (!is_dir($newdir)) {
358 $result = @include_once $newdir.$generator.
'.modules.php';
365 $classname =
"mod".ucfirst($generator);
367 $module =
new $classname($db);
368 if ($module->encodingIsSupported($encoding)) {
369 $result = $module->buildBarCode($code, $encoding, $readable);
375 $filename = basename($fullpath_original_file);
378 dol_syslog(
"viewimage.php return file $fullpath_original_file filename=$filename content-type=$type");
382 $fullpath_original_file = DOL_DOCUMENT_ROOT.
'/public/theme/common/nophoto.png';
391 header(
'Content-Disposition: inline; filename="'.basename($fullpath_original_file).
'"');
394 header(
'Content-Disposition: inline; filename="'.basename($fullpath_original_file).
'"');
397 $fullpath_original_file_osencoded =
dol_osencode($fullpath_original_file);
399 readfile($fullpath_original_file_osencoded);
Class to manage ECM files.
dol_check_secure_access_document($modulepart, $original_file, $entity, $fuser=null, $refname='', $mode='read')
Security check when accessing to a document (used by document.php, viewimage.php and webservices to g...
dol_is_file($pathoffile)
Return if path is a file.
dol_mimetype($file, $default='application/octet-stream', $mode=0)
Return MIME type of a file from its name with extension.
GETPOSTINT($paramname, $method=0)
Return the value of a $_GET or $_POST supervariable, converted into integer.
dol_osencode($str)
Return a string encoded into OS filesystem encoding.
GETPOST($paramname, $check='alphanohtml', $method=0, $filter=null, $options=null, $noreplace=0)
Return value of a param into GET or POST supervariable.
dolIsAllowedForPreview($file)
Return if a file is qualified for preview.
dol_buildpath($path, $type=0, $returnemptyifnotfound=0)
Return path of url or filesystem.
getDolGlobalString($key, $default='')
Return dolibarr global constant string value.
dol_syslog($message, $level=LOG_INFO, $ident=0, $suffixinfilename='', $restricttologhandler='', $logcontext=null)
Write log message into outputs.
if(!defined( 'NOREQUIREMENU')) if(!empty(GETPOST('seteventmessages', 'alpha'))) if(!function_exists("llxHeader")) top_httphead($contenttype='text/html', $forcenocache=0)
Show HTTP header.
httponly_accessforbidden($message='1', $http_response_code=403, $stringalreadysanitized=0)
Show a message to say access is forbidden and stop program.
accessforbidden($message='', $printheader=1, $printfooter=1, $showonlymessage=0, $params=null)
Show a message to say access is forbidden and stop program.
if(is_numeric( $entity)) llxHeader($head='', $title='', $help_url='', $target='', $disablejs=0, $disablehead=0, $arrayofjs='', $arrayofcss='', $morequerystring='', $morecssonbody='', $replacemainareaby='', $disablenofollow=0, $disablenoindex=0)
Header empty.