7.11.16

README.md

@@ -2,7 +2,7 @@
   <img width="180px" height="41px" src="https://suitecrm.com/wp-content/uploads/2017/12/logo.png" align="right" />
 </a>
 
-# SuiteCRM 7.11.15
+# SuiteCRM 7.11.16
 
 [![Build Status](https://travis-ci.org/salesagility/SuiteCRM.svg?branch=hotfix)](https://travis-ci.org/salesagility/SuiteCRM)
 [![codecov](https://codecov.io/gh/salesagility/SuiteCRM/branch/hotfix/graph/badge.svg)](https://codecov.io/gh/salesagility/SuiteCRM/branch/hotfix)

download.php

@@ -46,7 +46,7 @@
 
 if ((!isset($_REQUEST['isProfile']) && empty($_REQUEST['id'])) || empty($_REQUEST['type']) || !isset($_SESSION['authenticated_user_id'])) {
     die("Not a Valid Entry Point");
-} else {
+}
     require_once("data/BeanFactory.php");
     $file_type = ''; // bug 45896
     require_once("data/BeanFactory.php");
@@ -146,10 +146,9 @@
             set_time_limit(0);
             readfile('include/SugarFields/Fields/Image/no_image.png');
             die();
-        } else {
-            die($app_strings['ERR_INVALID_FILE_REFERENCE']);
         }
-    } else {
+        die($app_strings['ERR_INVALID_FILE_REFERENCE']);
+    }
         $doQuery = true;
 
         if ($file_type == 'documents' && !isset($image_field)) {
@@ -185,10 +184,17 @@
 
         // Fix for issue 1506 and issue 1304 : IE11 and Microsoft Edge cannot display generic 'application/octet-stream' (which is defined as "arbitrary binary data" in RFC 2046).
         $mime_type = mime_content_type($local_location);
-        if ($mime_type == null || $mime_type == '') {
-            $mime_type = 'application/octet-stream';
-        }
 
+        switch ($mime_type) {
+            case 'text/html':
+                $mime_type = 'text/plain';
+            break;
+            case null:
+            case '':
+                $mime_type = 'application/octet-stream';
+            break;
+        }
+
         if ($doQuery && isset($query)) {
             $rs = DBManagerFactory::getInstance()->query($query);
             $row = DBManagerFactory::getInstance()->fetchByAssoc($rs);
@@ -243,7 +249,7 @@
             }
         } else {
             header('Content-type: ' . $mime_type);
-            if (isset($_REQUEST['preview']) && $_REQUEST['preview'] === 'yes') {
+            if (isset($_REQUEST['preview']) && $_REQUEST['preview'] === 'yes' && $mime_type !== 'text/html') {
                 header('Content-Disposition: inline; filename="' . $name . '";');
             } else {
                 header('Content-Disposition: attachment; filename="' . $name . '";');
@@ -261,6 +267,10 @@
             ;
         }
 
-        readfile($download_location);
-    }
-}
+        ob_start();
+        echo clean_file_output(file_get_contents($download_location), $mime_type);
+
+        $output = ob_get_contents();
+        ob_end_clean();
+
+        echo $output;

include/SugarFields/Fields/File/DetailView.tpl

@@ -42,10 +42,20 @@
 <span class="sugar_field" id="{{if empty($displayParams.idName)}}{{sugarvar key='name'}}{{else}}{{$displayParams.idName}}{{/if}}">
 <a href="index.php?entryPoint=download&id={$fields.{{$vardef.fileId}}.value}&type={{$vardef.linkModule}}" class="tabDetailViewDFLink" target='_blank'>{{sugarvar key='value'}}</a>
 &nbsp;
-<a href="index.php?preview=yes&entryPoint=download&id={$fields.{{$vardef.fileId}}.value}&type={{$vardef.linkModule}}" class="tabDetailViewDFLink" target='_blank' style="border-bottom: 0px;">
-	<i class="glyphicon glyphicon-eye-open"></i>
-</a>
+
+{if $fields.show_preview.value !== false}
+	<a href="index.php?preview=yes&
+		entryPoint=download&
+		id={$fields.{{$vardef.fileId}}.value}&
+		type={{$vardef.linkModule}}" 
+		class="tabDetailViewDFLink" 
+		target='_blank' 
+		style="border-bottom: 0px;">
+		<i class="glyphicon glyphicon-eye-open"></i>
+	</a>
+{/if}
 </span>
+
 {{if isset($vardef) && isset($vardef.allowEapm) && $vardef.allowEapm}}
 {if isset($fields.{{$vardef.docType}}) && !empty($fields.{{$vardef.docType}}.value) && $fields.{{$vardef.docType}}.value != 'SugarCRM' && !empty($fields.{{$vardef.docUrl}}.value) }
 {capture name=imageNameCapture assign=imageName}
@@ -55,5 +65,5 @@
 {/if}
 {{/if}}
 {{if !empty($displayParams.enableConnectors)}}
-{{sugarvar_connector view='DetailView'}}
+	{{sugarvar_connector view='DetailView'}}
 {{/if}}

include/SugarFields/Fields/File/ListView.tpl

@@ -39,17 +39,21 @@
  */
 
 *}
+
 <a href="index.php?entryPoint=download&id={$parentFieldArray.ID}&type={if empty($vardef.displayParams.module)}{$displayParams.module}{else}{$vardef.displayParams.module}{/if}" class="tabDetailViewDFLink" target='_blank'>{sugar_fetch object=$parentFieldArray key=$col}
 {if isset($vardef.allowEapm) && $vardef.allowEapm && isset($parentFieldArray.DOC_TYPE) }
 {capture name=imageNameCapture assign=imageName}
-{sugar_fetch object=$parentFieldArray key=DOC_TYPE}_image_inline.png
+	{sugar_fetch object=$parentFieldArray key=DOC_TYPE}_image_inline.png
 {/capture}
 {capture name=imageURLCapture assign=imageURL}
-{sugar_getimagepath file=$imageName}
+	{sugar_getimagepath file=$imageName}
 {/capture}
 {if strlen($imageURL)>1}{sugar_getimage name=$imageName alt=$imageName other_attributes='border="0" '}{/if}
 {/if}
 </a>&nbsp;
-<a href="index.php?preview=yes&entryPoint=download&id={$parentFieldArray.ID}&type={if empty($vardef.displayParams.module)}{$displayParams.module}{else}{$vardef.displayParams.module}{/if}" class="tabDetailViewDFLink" target='_blank' style="border-bottom: 0px;">
-	<i class="glyphicon glyphicon-eye-open"></i>
-</a>
+
+{if isset($parentFieldArray.SHOW_PREVIEW) && $parentFieldArray.SHOW_PREVIEW !== false }
+	<a href="index.php?preview=yes&entryPoint=download&id={$parentFieldArray.ID}&type={if empty($vardef.displayParams.module)}{$displayParams.module}{else}{$vardef.displayParams.module}{/if}" class="tabDetailViewDFLink" target='_blank' style="border-bottom: 0px;">
+		<i class="glyphicon glyphicon-eye-open"></i>
+	</a>
+{/if}

include/SugarObjects/templates/file/File.php

@@ -56,6 +56,7 @@ class File extends Basic
     public $uploadfile;
     public $status;
     public $file_mime_type;
+    public $show_preview = true;
 
 
     /**
@@ -117,6 +118,10 @@ public function fill_in_additional_detail_fields()
             $img_name_bare = strtolower($this->file_ext) . '_image_inline';
         }
 
+        if (empty($this->filename) || stripos($this->filename, 'svg') || stripos($this->file_mime_type , 'svg')){
+            $this->show_preview = false;
+        }
+
         //set default file name.
         if (!empty($img_name) && file_exists($img_name)) {
             $img_name = $img_name_bare;

include/SugarObjects/templates/file/vardefs.php

@@ -140,5 +140,11 @@
             'source' => 'non-db',
             'Comment' => 'Document status for Meta-Data framework',
         ),
+        'show_preview' => array(
+            'name' => 'show_preview',
+            'type' => 'bool',
+            'source' => 'non-db',
+            'reportable' => false
+        ),
     )
 );

include/utils.php

@@ -2303,6 +2303,20 @@ function clean_string($str, $filter = 'STANDARD', $dieOnBadData = true)
     return $str;
 }
 
+function clean_file_output($string, $mine_type)
+{
+    $patterns = [];
+
+    if ($mine_type === 'image/svg+xml') {
+        $patterns[] = "/onload=\"window.location='(.*?)'\"/";
+    }
+
+    $string = preg_replace($patterns, '', $string);
+
+    return $string;
+}
+
+
 function clean_special_arguments()
 {
     if (isset($_SERVER['PHP_SELF'])) {
@@ -2499,7 +2513,10 @@ function securexss($value)
 
         return $new;
     }
+
     static $xss_cleanup = ['&quot;' => '&#38;', '"' => '&quot;', "'" => '&#039;', '<' => '&lt;', '>' => '&gt;', '`' => '&#96;'];
+
+    $value = preg_replace('/^[=@+-]/', '', $value);
     $value = preg_replace(array('/javascript:/i', '/\0/'), array('java script:', ''), $value);
     $value = preg_replace('/javascript:/i', 'java script:', $value);
 

install.php

@@ -5,7 +5,7 @@
  * SugarCRM, Inc. Copyright (C) 2004-2013 SugarCRM Inc.
  *
  * SuiteCRM is an extension to SugarCRM Community Edition developed by SalesAgility Ltd.
- * Copyright (C) 2011 - 2018 SalesAgility Ltd.
+ * Copyright (C) 2011 - 2020 SalesAgility Ltd.
  *
  * This program is free software; you can redistribute it and/or modify it under
  * the terms of the GNU Affero General Public License version 3 as published by the
@@ -37,9 +37,10 @@
  * reasonably feasible for technical reasons, the Appropriate Legal Notices must
  * display the words "Powered by SugarCRM" and "Supercharged by SuiteCRM".
  */
- if (!defined('sugarEntry')) {
-     define('sugarEntry', true);
- }
+
+if (!defined('sugarEntry')) {
+    define('sugarEntry', true);
+}
 
 require_once 'include/utils.php';
 @session_start();
@@ -180,6 +181,39 @@ function getSupportedInstallLanguages()
 //get the url for the helper link
 $help_url = get_help_button_url();
 
+if (isset($sugar_config['installer_locked']) && $sugar_config['installer_locked'] == true) {
+    if (!empty($_POST['current_step']) && $_POST['current_step'] === '3' && !empty($_POST['goto']) && $_POST['goto'] === $mod_strings['LBL_NEXT']) {
+        session_unset();
+        $the_file = 'complete_install.php';
+    } else {
+        $the_file = 'installDisabled.php';
+        $disabled_title = $mod_strings['LBL_DISABLED_DESCRIPTION'];
+        $disabled_title_2 = $mod_strings['LBL_DISABLED_TITLE_2'];
+        $disabled_text = <<<EOQ
+            <p>{$mod_strings['LBL_DISABLED_DESCRIPTION']}</p>
+            <pre>
+                'installer_locked' => false,
+            </pre>
+            <p>{$mod_strings['LBL_DISABLED_DESCRIPTION_2']}</p>
+        
+            <p>{$mod_strings['LBL_DISABLED_HELP_1']} <a href="{$mod_strings['LBL_DISABLED_HELP_LNK']}" target="_blank">{$mod_strings['LBL_DISABLED_HELP_2']}</a>.</p>
+EOQ;
+
+    }
+    $the_file = 'install/' . clean_string($the_file, 'FILE');
+
+    if (is_file($the_file)) {
+        installerHook('pre_installFileRequire', ['the_file' => $the_file]);
+        require($the_file);
+        die();
+    }
+    LoggerManager::getLogger()->fatal('Install file not found: ' . $the_file);
+    die('SuiteCRM Installation has been Disabled');
+}
+
+
+
+
 //if this license print, then redirect and exit,
 if (isset($_REQUEST['page']) && $_REQUEST['page'] == 'licensePrint') {
     include('install/licensePrint.php');
@@ -720,7 +754,7 @@ function getSupportedInstallLanguages()
                 $sugar_config['unique_key'] = md5(create_guid());
             }
 
-            $validation_errors = validate_dbConfig('a');
+            $validation_errors = validate_dbConfig();
             if (count($validation_errors) > 0) {
                 $the_file = 'dbConfig_a.php';
                 $si_errors = true;

install/installDisabled.php

@@ -82,13 +82,6 @@
     <tr>
       <td align="right" colspan="2" height="20">
         <hr>
-        <form action="install.php" method="post" name="form" id="form">
-        <table cellspacing="0" cellpadding="0" border="0" class="stdTable">
-          <tr>
-            <td><input class="button" type="submit" value="{$mod_strings['LBL_START']}" /></td>
-          </tr>
-        </table>
-        </form>
       </td>
     </tr>
   </table>

modules/Configurator/Configurator.php

@@ -77,6 +77,11 @@ public function populateFromPost()
         $sugarConfig = SugarConfig::getInstance();
         foreach ($_POST as $key => $value) {
             if ($key == "logger_file_ext") {
+                if ($value === '') {
+                    $GLOBALS['log']->security("Log file extension can't be blank.");
+                    continue;
+                }
+
                 $trim_value = preg_replace('/.*\.([^\.]+)$/', '\1', $value);
                 if (in_array($trim_value, $this->config['upload_badext'])) {
                     $GLOBALS['log']->security("Invalid log file extension: trying to use invalid file extension '$value'.");

modules/Documents/Document.php

@@ -100,6 +100,7 @@ class Document extends File
     );
 
     public $authenticated = null;
+    public $show_preview = true;
 
     public function __construct()
     {
@@ -276,9 +277,14 @@ public function fill_in_additional_detail_fields()
             //if file is not found then default image file will be used.
             global $img_name;
             global $img_name_bare;
+
             if (!empty($row['file_ext'])) {
                 $img_name = SugarThemeRegistry::current()->getImageURL(strtolower($row['file_ext']) . "_image_inline.gif");
                 $img_name_bare = strtolower($row['file_ext']) . "_image_inline";
+
+                if ($row['file_ext'] == 'svg') {
+                    $this->show_preview = false;
+                }
             }
         }
 

modules/Documents/vardefs.php

@@ -428,6 +428,12 @@
             'source' => 'non-db',
             'module' => 'AOS_Contracts',
         ),
+        'show_preview' => array(
+            'name' => 'show_preview',
+            'type' => 'bool',
+            'source' => 'non-db',
+            'reportable' => false
+        ),
 
     ),
     'indices' => array(

modules/Notes/vardefs.php

@@ -276,6 +276,13 @@
                 'source'=>'non-db',
                 'options'=> 'record_type_display_notes',
             ],
+        'show_preview' =>
+            [
+                'name' => 'show_preview',
+                'type' => 'bool',
+                'source' => 'non-db',
+                'reportable' => false
+            ],
 
          'contact_name'=>
             [

suitecrm_version.php

@@ -3,5 +3,5 @@
     die('Not A Valid Entry Point');
 }
 
-$suitecrm_version = '7.11.15';
-$suitecrm_timestamp = '2020-06-11 12:00:00';
+$suitecrm_version = '7.11.16';
+$suitecrm_timestamp = '2020-10-28 12:00:00';

tests/unit/phpunit/modules/Notes/NoteTest.php

@@ -135,6 +135,7 @@ public function testget_list_view_data()
                       'PARENT_TYPE' => 'Account',
                       'EMBED_FLAG' => '0',
                       'DELETED' => 0,
+                      'SHOW_PREVIEW' => true,
                       'CONTACT_NAME' => 'test contact',
                       'PARENT_MODULE' => 'Account',
                       'STATUS' => 'Note',