Skip to content

Commit

Permalink
FIX #13175
Browse files Browse the repository at this point in the history
  • Loading branch information
@eldy
eldy committed Feb 23, 2020
1 parent 090b0e9 commit 6366881
Show file tree
Hide file tree
Showing 4 changed files with 36 additions and 24 deletions.
6 changes: 3 additions & 3 deletions htdocs/compta/bank/account_statement_document.php
View file
Expand Up @@ -137,9 +137,9 @@
$modulepart = 'bank';
$permission = $user->rights->banque->modifier;
$permtoedit = $user->rights->banque->modifier;
$param = '&id='.$object->id.'&num='.$num;
$uri = '&num='.$num;
$relativepathwithnofile = $id."/statement/".$num."/";
$param = '&id='.$object->id.'&num='.urlencode($num);
$moreparam = '&num='.urlencode($num);;
$relativepathwithnofile = $id."/statement/".dol_sanitizeFileName($num)."/";
include_once DOL_DOCUMENT_ROOT.'/core/tpl/document_actions_post_headers.tpl.php';
}
else {
Expand Down
2 changes: 1 addition & 1 deletion htdocs/compta/bank/releve.php
View file
Expand Up @@ -49,7 +49,7 @@
$langs->loadLangs(array("banks", "categories", "companies", "bills", "trips", "donations", "loan"));

$action = GETPOST('action', 'alpha');
$id = GETPOST('account', 'int');
$id = GETPOST('account', 'int') ? GETPOST('account', 'int') : GETPOST('id', 'int');
$ref = GETPOST('ref', 'alpha');
$dvid = GETPOST('dvid', 'alpha');
$numref = GETPOST('num', 'alpha');
Expand Down
49 changes: 30 additions & 19 deletions htdocs/core/photos_resize.php
View file
Expand Up @@ -38,6 +38,10 @@
$backtourl = GETPOST('backtourl');
$cancel = GETPOST('cancel', 'alpha');

$file = GETPOST('file', 'alpha');
$num = GETPOST('num', 'alpha'); // Used for document on bank statement


// Security check
if (empty($modulepart)) accessforbidden('Bad value for modulepart');
$accessallowed = 0;
Expand Down Expand Up @@ -249,19 +253,25 @@

if (empty($backtourl))
{
if (in_array($modulepart, array('product', 'produit', 'service', 'produit|service'))) $backtourl = DOL_URL_ROOT."/product/document.php?id=".$id.'&file='.urldecode($_POST["file"]);
elseif (in_array($modulepart, array('expensereport'))) $backtourl = DOL_URL_ROOT."/expensereport/document.php?id=".$id.'&file='.urldecode($_POST["file"]);
elseif (in_array($modulepart, array('holiday'))) $backtourl = DOL_URL_ROOT."/holiday/document.php?id=".$id.'&file='.urldecode($_POST["file"]);
elseif (in_array($modulepart, array('member'))) $backtourl = DOL_URL_ROOT."/adherents/document.php?id=".$id.'&file='.urldecode($_POST["file"]);
elseif (in_array($modulepart, array('project'))) $backtourl = DOL_URL_ROOT."/projet/document.php?id=".$id.'&file='.urldecode($_POST["file"]);
elseif (in_array($modulepart, array('propal'))) $backtourl = DOL_URL_ROOT."/comm/propal/document.php?id=".$id.'&file='.urldecode($_POST["file"]);
elseif (in_array($modulepart, array('societe'))) $backtourl = DOL_URL_ROOT."/societe/document.php?id=".$id.'&file='.urldecode($_POST["file"]);
elseif (in_array($modulepart, array('tax'))) $backtourl = DOL_URL_ROOT."/compta/sociales/document.php?id=".$id.'&file='.urldecode($_POST["file"]);
elseif (in_array($modulepart, array('ticket'))) $backtourl = DOL_URL_ROOT."/ticket/document.php?id=".$id.'&file='.urldecode($_POST["file"]);
elseif (in_array($modulepart, array('user'))) $backtourl = DOL_URL_ROOT."/user/document.php?id=".$id.'&file='.urldecode($_POST["file"]);
elseif (in_array($modulepart, array('bank'))) $backtourl = DOL_URL_ROOT."/compta/bank/document.php?id=".$id.'&file='.urldecode($_POST["file"]);
elseif (in_array($modulepart, array('mrp'))) $backtourl = DOL_URL_ROOT."/mrp/mo_document.php?id=".$id.'&file='.urldecode($_POST["file"]);
else $backtourl = DOL_URL_ROOT."/".$modulepart."/".$modulepart."_document.php?id=".$id.'&file='.urldecode($_POST["file"]);
$regs = array();

if (in_array($modulepart, array('product', 'produit', 'service', 'produit|service'))) $backtourl = DOL_URL_ROOT."/product/document.php?id=".$id.'&file='.urldecode($file);
elseif (in_array($modulepart, array('expensereport'))) $backtourl = DOL_URL_ROOT."/expensereport/document.php?id=".$id.'&file='.urldecode($file);
elseif (in_array($modulepart, array('holiday'))) $backtourl = DOL_URL_ROOT."/holiday/document.php?id=".$id.'&file='.urldecode($file);
elseif (in_array($modulepart, array('member'))) $backtourl = DOL_URL_ROOT."/adherents/document.php?id=".$id.'&file='.urldecode($file);
elseif (in_array($modulepart, array('project'))) $backtourl = DOL_URL_ROOT."/projet/document.php?id=".$id.'&file='.urldecode($file);
elseif (in_array($modulepart, array('propal'))) $backtourl = DOL_URL_ROOT."/comm/propal/document.php?id=".$id.'&file='.urldecode($file);
elseif (in_array($modulepart, array('societe'))) $backtourl = DOL_URL_ROOT."/societe/document.php?id=".$id.'&file='.urldecode($file);
elseif (in_array($modulepart, array('tax'))) $backtourl = DOL_URL_ROOT."/compta/sociales/document.php?id=".$id.'&file='.urldecode($file);
elseif (in_array($modulepart, array('ticket'))) $backtourl = DOL_URL_ROOT."/ticket/document.php?id=".$id.'&file='.urldecode($file);
elseif (in_array($modulepart, array('user'))) $backtourl = DOL_URL_ROOT."/user/document.php?id=".$id.'&file='.urldecode($file);
elseif (in_array($modulepart, array('bank')) && preg_match('/\/statement\/([^\/]+)\//', $file, $regs)) {
$num = $regs[1];
$backtourl = DOL_URL_ROOT."/compta/bank/account_statement_document.php?id=".$id.'&num='.urlencode($num).'&file='.urldecode($file);
}
elseif (in_array($modulepart, array('bank'))) $backtourl = DOL_URL_ROOT."/compta/bank/document.php?id=".$id.'&file='.urldecode($file);
elseif (in_array($modulepart, array('mrp'))) $backtourl = DOL_URL_ROOT."/mrp/mo_document.php?id=".$id.'&file='.urldecode($file);
else $backtourl = DOL_URL_ROOT."/".$modulepart."/".$modulepart."_document.php?id=".$id.'&file='.urldecode($file);
}


Expand All @@ -283,11 +293,11 @@
}
}

if ($action == 'confirm_resize' && (isset($_POST["file"]) != "") && (isset($_POST["sizex"]) != "") && (isset($_POST["sizey"]) != ""))
if ($action == 'confirm_resize' && GETPOSTISSET("file") && GETPOSTISSET("sizex") && GETPOSTISSET("sizey"))
{
$fullpath = $dir."/".$original_file;

$result = dol_imageResizeOrCrop($fullpath, 0, $_POST['sizex'], $_POST['sizey']);
$result = dol_imageResizeOrCrop($fullpath, 0, GETPOST('sizex', 'int'), GETPOST('sizey', 'int'));

if ($result == $fullpath)
{
Expand Down Expand Up @@ -357,7 +367,7 @@
$fullpath = $dir."/".$original_file;

//var_dump($_POST['w'].'x'.$_POST['h'].'-'.$_POST['x'].'x'.$_POST['y']);exit;
$result = dol_imageResizeOrCrop($fullpath, 1, $_POST['w'], $_POST['h'], $_POST['x'], $_POST['y']);
$result = dol_imageResizeOrCrop($fullpath, 1, GETPOST('w', 'int'), GETPOST('h', 'int'), GETPOST('x', 'int'), GETPOST('y', 'int'));

if ($result == $fullpath)
{
Expand Down Expand Up @@ -445,7 +455,7 @@
*/

print '<!-- Form to resize -->'."\n";
print '<form name="redim_file" action="'.$_SERVER["PHP_SELF"].'?id='.$id.'" method="POST">';
print '<form name="redim_file" action="'.$_SERVER["PHP_SELF"].'?id='.$id.($num ? '&num='.$num : '').'" method="POST">';
print '<input type="hidden" name="token" value="'.newToken().'">';

print '<fieldset id="redim_file">';
Expand All @@ -454,7 +464,7 @@
print $langs->trans("NewLength").': <input name="sizex" type="number" class="flat maxwidth50"> px &nbsp; '.$langs->trans("or").' &nbsp; ';
print $langs->trans("NewHeight").': <input name="sizey" type="number" class="flat maxwidth50"> px &nbsp; <br>';

print '<input type="hidden" name="file" value="'.dol_escape_htmltag(GETPOST('file')).'" />';
print '<input type="hidden" name="file" value="'.dol_escape_htmltag($file).'" />';
print '<input type="hidden" name="action" value="confirm_resize" />';
print '<input type="hidden" name="product" value="'.$id.'" />';
print '<input type="hidden" name="modulepart" value="'.dol_escape_htmltag($modulepart).'" />';
Expand Down Expand Up @@ -497,7 +507,8 @@
print '<img src="'.DOL_URL_ROOT.'/viewimage.php?modulepart='.$modulepart.'&entity='.$object->entity.'&file='.urlencode($original_file).'" alt="" id="cropbox" width="'.$widthforcrop.'px"/>';
print '</div>';
print '</div><br>';
print '<form action="'.$_SERVER["PHP_SELF"].'?id='.$id.'" method="POST">';

print '<form action="'.$_SERVER["PHP_SELF"].'?id='.$id.($num ? '&num='.$num : '').'" method="POST">';
print '<input type="hidden" name="token" value="'.newToken().'">';
print '
<div class="jc_coords">
Expand Down
3 changes: 2 additions & 1 deletion htdocs/core/tpl/document_actions_post_headers.tpl.php
View file
Expand Up @@ -23,6 +23,7 @@
// $permissiontoadd = permission or not to add a file (can use also $permission) and permission or not to edit file name or crop file (can use also $permtoedit)
// $modulepart = for download
// $param = param to add to download links
// $moreparam = param to add to download link for the form_attach_new_file function
// $upload_dir
// $object
// $filearray
Expand Down Expand Up @@ -109,7 +110,7 @@

// Show upload form (document and links)
$formfile->form_attach_new_file(
$_SERVER["PHP_SELF"].'?id='.$object->id.(empty($withproject)?'':'&withproject=1'),
$_SERVER["PHP_SELF"].'?id='.$object->id.(empty($withproject)?'':'&withproject=1').(empty($moreparam)?'':$moreparam),
'',
0,
0,
Expand Down

0 comments on commit 6366881

Please sign in to comment.