Merge branch 'File_security' into 'master'

Migration changes to support file obscurity is supported See merge request !411

Merge branch 'File_security' into 'master'
Migration changes to support file obscurity is supported See merge request !411
4efd0c15 · Prasad · b911c3f3 · 4bd5254d · 4efd0c15 · 4efd0c15
Commit 4efd0c15 authored 5 years ago by Prasad
--- a/modules/Documents/models/Record.php
+++ b/modules/Documents/models/Record.php
@@ -77,24 +77,29 @@ class Documents_Record_Model extends Vtiger_Record_Model {

 			if ($this->get('filelocationtype') == 'I') {
 				$fileName = html_entity_decode($fileName, ENT_QUOTES, vglobal('default_charset'));
-				$savedFile = $fileDetails['attachmentsid']."_".$storedFileName;
-
-				while(ob_get_level()) {
-					ob_end_clean();
-				}
-				$fileSize = filesize($filePath.$savedFile);
-				$fileSize = $fileSize + ($fileSize % 1024);
-
-				if (fopen($filePath.$savedFile, "r")) {
-					$fileContent = fread(fopen($filePath.$savedFile, "r"), $fileSize);
-
-					header("Content-type: ".$fileDetails['type']);
-					header("Pragma: public");
-					header("Cache-Control: private");
-					header("Content-Disposition: attachment; filename=\"$fileName\"");
-					header("Content-Description: PHP Generated Data");
-                    header("Content-Encoding: none");
-				}
+                if (!empty($fileName)) {
+                    if(!empty($storedFileName)){
+                        $savedFile = $fileDetails['attachmentsid']."_".$storedFileName;
+                    }else if(is_null($storedFileName)){
+                        $savedFile = $fileDetails['attachmentsid']."_".$fileName;
+                    }
+                    while(ob_get_level()) {
+                        ob_end_clean();
+                    }
+                    $fileSize = filesize($filePath.$savedFile);
+                    $fileSize = $fileSize + ($fileSize % 1024);
+
+                    if (fopen($filePath.$savedFile, "r")) {
+                        $fileContent = fread(fopen($filePath.$savedFile, "r"), $fileSize);
+
+                        header("Content-type: ".$fileDetails['type']);
+                        header("Pragma: public");
+                        header("Cache-Control: private");
+                        header("Content-Disposition: attachment; filename=\"$fileName\"");
+                        header("Content-Description: PHP Generated Data");
+                        header("Content-Encoding: none");
+                    }
+                }
 			}
 		}
 		echo $fileContent;

--- a/modules/Emails/actions/DownloadFile.php
+++ b/modules/Emails/actions/DownloadFile.php
@@ -36,17 +36,23 @@ class Emails_DownloadFile_Action extends Vtiger_Action_Controller {
            $filepath = $row["path"];
            $name = decode_html($name);
            $storedFileName = $row['storedname'];
-            $saved_filename = $attachmentId."_". $storedFileName;
-            $disk_file_size = filesize($filepath.$saved_filename);
-            $filesize = $disk_file_size + ($disk_file_size % 1024);
-            $fileContent = fread(fopen($filepath.$saved_filename, "r"), $filesize);
+            if (!empty($name)) {
+                if(!empty($storedFileName)){
+                    $saved_filename = $attachmentId."_". $storedFileName;
+                }else if(is_null($storedFileName)){
+                    $saved_filename = $attachmentId."_". $name;
+                }
+                $disk_file_size = filesize($filepath.$saved_filename);
+                $filesize = $disk_file_size + ($disk_file_size % 1024);
+                $fileContent = fread(fopen($filepath.$saved_filename, "r"), $filesize);

-            header("Content-type: $fileType");
-            header("Pragma: public");
-            header("Cache-Control: private");
-            header("Content-Disposition: attachment; filename=$name");
-            header("Content-Description: PHP Generated Data");
-            echo $fileContent;
+                header("Content-type: $fileType");
+                header("Pragma: public");
+                header("Cache-Control: private");
+                header("Content-Disposition: attachment; filename=$name");
+                header("Content-Description: PHP Generated Data");
+                echo $fileContent;
+            }
        }
    }
 }

--- a/modules/Migration/schema/711_to_720.php
+++ b/modules/Migration/schema/711_to_720.php
@@ -13,5 +13,5 @@ if (defined('VTIGER_UPGRADE')) {
 	$db = PearDatabase::getInstance();

 	// Added column storedname for vtiger_attachments to support reverse mapping.
-	$db->pquery('ALTER TABLE vtiger_attachments ADD COLUMN storedname varchar(255) NOT NULL AFTER path', array());
+	$db->pquery('ALTER TABLE vtiger_attachments ADD COLUMN storedname varchar(255) NULL AFTER path', array());
 }
--- a/modules/Vtiger/helpers/ShowFile.php
+++ b/modules/Vtiger/helpers/ShowFile.php
@@ -36,21 +36,25 @@ class Vtiger_ShowFile_Helper {
 			 * While saving the document applying decode_html to save in DB, but this is not happening for the images
 			 * This save happens from mailroom, inbox, record save, document save etc..
 			 */
-			if (!empty($encFileName) && !empty($storedFileName)) {
-				$finalFilePath = $filePath.$fileId.'_'.$storedFileName;
-				$isFileExist = false;
-				if (file_exists($finalFilePath)) {
-					$isFileExist = true;
-				} else {
-					$finalFilePath = $filePath.$fileId.'_'.$sanitizedFileName;
-					if (file_exists($finalFilePath)) {
-						$isFileExist = true;
-					}
-				}
-				if ($isFileExist) {
-					Vtiger_ShowFile_Helper::show($finalFilePath,$fileType);
-				}
-			}
+			if (!empty($encFileName)) {
+                if(!empty($storedFileName)){
+                    $finalFilePath = $filePath.$fileId.'_'.$storedFileName;
+                }else if(is_null($storedFileName)){
+                    $finalFilePath = $filePath.$fileId.'_'.$encFileName;
+                }
+                $isFileExist = false;
+                if (file_exists($finalFilePath)) {
+                    $isFileExist = true;
+                } else {
+                    $finalFilePath = $filePath.$fileId.'_'.$sanitizedFileName;
+                    if (file_exists($finalFilePath)) {
+                        $isFileExist = true;
+                    }
+                }
+                if ($isFileExist) {
+                    Vtiger_ShowFile_Helper::show($finalFilePath,$fileType);
+                }
+            }
 		}
 	}


--- a/modules/Vtiger/models/Record.php
+++ b/modules/Vtiger/models/Record.php
@@ -593,18 +593,24 @@ class Vtiger_Record_Model extends Vtiger_Base_Model {
 			$fileName = $fileDetails['name'];
            $storedFileName = $fileDetails['storedname'];
 			$fileName = html_entity_decode($fileName, ENT_QUOTES, vglobal('default_charset'));
-			$savedFile = $fileDetails['attachmentsid']."_".$storedFileName;
-			$fileSize = filesize($filePath.$savedFile);
-			$fileSize = $fileSize + ($fileSize % 1024);
-			if (fopen($filePath.$savedFile, "r")) {
-				$fileContent = fread(fopen($filePath.$savedFile, "r"), $fileSize);
-				header("Content-type: ".$fileDetails['type']);
-				header("Pragma: public");
-				header("Cache-Control: private");
-				header("Content-Disposition: attachment; filename=\"$fileName\"");
-				header("Content-Description: PHP Generated Data");
-				header("Content-Encoding: none");
-			}
+            if (!empty($fileName)) {
+                if(!empty($storedFileName)){
+                    $savedFile = $fileDetails['attachmentsid']."_".$storedFileName;
+                }else if(is_null($storedFileName)){
+                    $savedFile = $fileDetails['attachmentsid']."_".$fileName;
+                }
+                $fileSize = filesize($filePath.$savedFile);
+                $fileSize = $fileSize + ($fileSize % 1024);
+                if (fopen($filePath.$savedFile, "r")) {
+                    $fileContent = fread(fopen($filePath.$savedFile, "r"), $fileSize);
+                    header("Content-type: ".$fileDetails['type']);
+                    header("Pragma: public");
+                    header("Cache-Control: private");
+                    header("Content-Disposition: attachment; filename=\"$fileName\"");
+                    header("Content-Description: PHP Generated Data");
+                    header("Content-Encoding: none");
+                }
+            }
 		}
 		echo $fileContent;
 	}

--- a/schema/DatabaseSchema.xml
+++ b/schema/DatabaseSchema.xml
@@ -1014,6 +1014,7 @@
 		<field name="description" type="X" />
 		<field name="type" type="C" size="100" />
 		<field name="path" type="X" />
+                <field name="storedname" type="C" size="255" />
 		<field name="subject" type="C" size="255" />
 		<index name="attachments_attachmentsid_idx">
 			<col>attachmentsid</col>

--- a/vtigerversion.php
+++ b/vtigerversion.php
@@ -8,9 +8,9 @@
 * All Rights Reserved.
 ************************************************************************************/

-$patch_version = '20180308'; // -ve timestamp before release, +ve timestamp after release.
+$patch_version = '-20190904'; // -ve timestamp before release, +ve timestamp after release.
 $modified_database = '';
-$vtiger_current_version = '7.1.1';
+$vtiger_current_version = '7.2.0';
 $_SESSION['vtiger_version'] = $vtiger_current_version;

 ?>