#Fixes::156999305::Chaitanya N::Vtiger image layout path is exposed issue is fixed

8a9ca56f · root · 0c4c8699 · 8a9ca56f · 8a9ca56f · 8a9ca56f
Commit 8a9ca56f authored 11 months ago by root
--- a/modules/Reports/models/ScheduleReports.php
+++ b/modules/Reports/models/ScheduleReports.php
@@ -341,7 +341,7 @@ class Reports_ScheduleReports_Model extends Vtiger_Base_Model {
 		$site_URL = vglobal('site_URL');
 		$currentModule = vglobal('currentModule');
 		$companydetails = getCompanyDetails();
-		$logo = $site_URL.'/test/logo/'.$companydetails['logoname'];
+		$logo = Vtiger_Functions::getLogoPublicURL($companydetails['logoname']);
 		$body = '<table width="700" cellspacing="0" cellpadding="0" border="0" align="center" style="font-family: Arial,Helvetica,sans-serif; font-size: 12px; font-weight: normal; text-decoration: none; ">
 			<tr>

--- a/modules/Settings/Vtiger/models/CompanyDetails.php
+++ b/modules/Settings/Vtiger/models/CompanyDetails.php
@@ -93,11 +93,12 @@ class Settings_Vtiger_CompanyDetails_Model extends Settings_Vtiger_Module_Model
 		$logoPath = $this->logoPath;
 		$handler = @opendir($logoPath);
 		$logoName = decode_html($this->get('logoname'));
+		$logoPath = Vtiger_Functions::getLogoPublicURL($logoName);
 		if ($logoName && $handler) {
 			while ($file = readdir($handler)) {
 				if($logoName === $file && in_array(str_replace('.', '', strtolower(substr($file, -4))), self::$logoSupportedFormats) && $file != "." && $file!= "..") {
 					closedir($handler);
-					return $logoPath.$logoName;
+					return $logoPath;
 				}
 			}
 		}

--- a/modules/Vtiger/models/CompanyDetails.php
+++ b/modules/Vtiger/models/CompanyDetails.php
@@ -22,7 +22,7 @@ class Vtiger_CompanyDetails_Model extends Vtiger_Base_Model {
 		$logoModel = new Vtiger_Image_Model();
 		if(!empty($logoName)) {
 			$companyLogo = array();
-			$companyLogo['imagepath'] = "test/logo/$logoName";
+			$companyLogo['imagepath'] = Vtiger_Functions::getLogoPublicURL($logoName);
 			$companyLogo['alt'] = $companyLogo['title'] = $companyLogo['imagename'] = $logoName;
 			$logoModel->setData($companyLogo);
 		}

--- a/public.php
+++ b/public.php
@@ -12,4 +12,18 @@ include_once 'vendor/autoload.php';
 include_once 'vtlib/Vtiger/Module.php';
 vimport('includes.runtime.EntryPoint');
+if(isset($_REQUEST['type']) && isset($_REQUEST['key']) && $_REQUEST['type'] == 'logo'){
+	$logoPath = 'test/logo/';
+	$allowedLogoImageFormats = Settings_Vtiger_CompanyDetails_Model::$logoSupportedFormats;
+	$fileName = vtlib_purify($_REQUEST['key']);
+	$finalFilePath = $logoPath.$fileName;
+	$extension = explode('.', $fileName);
+	$imageFormat = strtolower($extension[1]);
+	if (in_array($imageFormat, $allowedLogoImageFormats)) {
+		checkFileAccess($finalFilePath);
+		Vtiger_ShowFile_Helper::show($finalFilePath, $imageFormat);
+	}
+	return;
+}
 Vtiger_ShowFile_Helper::handle(vtlib_purify($_REQUEST['fid']), vtlib_purify($_REQUEST['key']));
--- a/vtlib/Vtiger/Functions.php
+++ b/vtlib/Vtiger/Functions.php
@@ -1613,7 +1613,17 @@ class Vtiger_Functions {
 		}
 		return $publicUrl;
 	}
+	/**
+	 * Function to get logo public url
+	 * @param <String> $logoName
+	 * @return <String> $sourceUrl
+	 */
+	public static function getLogoPublicURL($logoName) {
+		$publicUrl = "public.php?type=logo&key=$logoName";
+		return $publicUrl;
+	}
    /**
     * Function to get the attachmentsid to given crmid
     * @param type $crmid