diff --git a/include/utils/CommonUtils.php b/include/utils/CommonUtils.php
index 238dd5763a..40fd38c1c1 100644
--- a/include/utils/CommonUtils.php
+++ b/include/utils/CommonUtils.php
@@ -2348,7 +2348,8 @@ function validateImageFile($file_details) {
}
$filetype = strtolower($filetype);
}
- if (in_array($filetype, ['jpeg', 'png', 'jpg', 'pjpeg', 'x-png', 'gif', 'bmp', 'svg', 'svg+xml'])) {
+ if (in_array($filetype, ['jpeg', 'png', 'jpg', 'pjpeg', 'x-png', 'gif', 'bmp', 'svg', 'svg+xml', 'xml', 'text/xml'])) {
+ // we add XML to the array in order to apply validation rules to that type as it can contain executable code
$saveimage = 'true';
} else {
$saveimage = 'false';
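Review bot: Adding `'xml'` and `'text/xml'` to the allowlist on L10 makes an XML upload land in the `$saveimage = 'true'` branch, which widens what is accepted as an image rather than narrowing it; the comment on L11 says this is done so that validation rules apply, but whether validateImageContents actually runs for that path is decided outside this hunk, so if XML is not a required upload type the safer fix is to leave it out of the list and let it fall through to `'false'`. The list also mixes bare subtypes (`'svg+xml'`, `'x-png'`) with a full media type (`'text/xml'`), so depending on how `$filetype` is derived above the hunk one of the two new entries may never match — worth a test with both an `.xml` extension and a `text/xml` Content-Type. The comment sits inside the `if` body where it reads as describing the assignment; move it above the `if` and pass `true` to `in_array` to avoid loose comparison: `// XML is listed so that the content checks are applied to it: it can carry executable content` / `if (in_array($filetype, [...], true)) {`. validateImageFile starts before this hunk.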
@@ -2432,6 +2433,7 @@ function validateImageContents($filename) {
|| preg_match('/(/i', $contents) === 1 // XML
|| preg_match('/<\s*script\s*>/i', $contents) === 1
|| stripos($contents, '=') !== false
|| stripos($contents, '<%=') !== false
diff --git a/include/utils/DetailViewUtils.php b/include/utils/DetailViewUtils.php
index 623817fcae..f4727017bf 100644
--- a/include/utils/DetailViewUtils.php
+++ b/include/utils/DetailViewUtils.php
@@ -510,6 +510,8 @@ function getDetailViewOutputHtml($uitype, $fieldname, $fieldlabel, $col_fields,
$imagepath_array[] = $adb->query_result($result_image, $image_iter, 'path');
}
+ global $site_URL;
+ $baseimgurl = $site_URL.'/index.php?module=Utilities&action=UtilitiesAjax&file=ExecuteFunctions&functiontocall=downloadfile&entityid=';
if (count($image_array) > 1) {
if (count($image_array) < 4) {
$sides = count($image_array) * 2;
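Review bot: `$baseimgurl` on L28 is a URL prefix that later receives an entity id and ends up inside an HTML `src` attribute (the markup of the following hunk is stripped in this rendering, so the concatenation itself is not visible here); whatever is appended to it should be cast to int or passed through `htmlspecialchars()` before it goes into the attribute, since `$site_URL` plus a raw id in an attribute is an injection point if the id is ever non-numeric. Declaring `global $site_URL` mid-function on L27 also differs from the usual pattern of listing globals at the top of the function (where `$adb`, used on L25, is presumably declared); hoisting it keeps the function's external dependencies in one place. getDetailViewOutputHtml starts before this hunk and continues after it.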
@@ -522,14 +524,14 @@ function getDetailViewOutputHtml($uitype, $fieldname, $fieldlabel, $col_fields,
';
$image_lists .= '';
$label_fld[] = $image_lists;
} elseif (count($image_array) == 1) {
- $label_fld[] = '';
+ $label_fld[]='';
} else {
$label_fld[] = '';
}
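Review bot: The rewritten single-image branch on L38 drops the spaces around `=` (`$label_fld[]=''`) while the `else` branch on L40 keeps `$label_fld[] = ''`; format the new line as `$label_fld[] = '...';` so the branches read alike. The string contents of this hunk appear stripped by the page rendering, so the `<img>` markup built from `$baseimgurl` cannot be checked here; if the record id is concatenated into the `src`, it should be int-cast or `htmlspecialchars()`-escaped at that point. The enclosing function starts before this hunk and likely continues after it.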
diff --git a/modules/Products/Products.php b/modules/Products/Products.php
index 21630a33f2..075597da75 100644
--- a/modules/Products/Products.php
+++ b/modules/Products/Products.php
@@ -271,6 +271,9 @@ public function insertIntoAttachment($id, $module, $direct_import = false) {
}
$files['original_name'] = str_replace('"', '', $files['original_name']);
$file_saved = $this->uploadAndSaveFile($id, $module, $files, '', $direct_import, 'imagename');
+ if (!$file_saved) {
+ return false;
+ }
}
unset($_FILES[$fileindex]);
}
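Review bot: The new early `return false` on L50-L52 leaves the loop before `unset($_FILES[$fileindex])` on L54 runs, and any file already saved by an earlier iteration stays attached, so a rejected second file ends the call with the record partially updated and the rejected entry still in `$_FILES`. At minimum record which file was refused before bailing out, e.g. `$log->debug('insertIntoAttachment: rejected file ' . $files['original_name']);` ahead of the return (a warning level would fit better if the logger offers one), since the caller only receives a boolean; if the upload is meant to be all-or-nothing, the earlier saves also need to be rolled back, which is outside this hunk. insertIntoAttachment starts before this hunk and continues after it.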
@@ -296,6 +299,7 @@ public function insertIntoAttachment($id, $module, $direct_import = false) {
parent::insertIntoAttachment($id, $module, $direct_import);
}
$log->debug('< insertIntoAttachment');
+ return true;
}
/** function used to get the list of leads which are related to the product
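Review bot: `return true` on L60 is reached after the `parent::insertIntoAttachment(...)` call on L57, whose own result is discarded, so if the parent implementation also signals a rejected file, the caller in UploadImage.php is still told the save succeeded; if the parent returns a boolean, propagate it, otherwise document that only the `'imagename'` path is checked. The function's docblock, above this hunk, should gain `@return bool true when every uploaded file was saved, false when a file was rejected`. insertIntoAttachment starts before this hunk.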
diff --git a/modules/Products/UploadImage.php b/modules/Products/UploadImage.php
index 13e0ba2e5e..92f8328592 100644
--- a/modules/Products/UploadImage.php
+++ b/modules/Products/UploadImage.php
@@ -21,6 +21,11 @@
$record = vtlib_purify($_REQUEST['record']);
$product = CRMEntity::getInstance('Products');
$product->retrieve_entity_info($record, 'Products');
- $product->insertIntoAttachment($record, 'Products');
+ $file_saved = $product->insertIntoAttachment($record, 'Products');
+ if (!$file_saved) {
+ http_response_code(401);
+ header('Content-Type: text/plain; charset=utf-8');
+ echo getTranslatedString('LBL_IMAGESECURITY_ERROR');
+ }
}
?>
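Review bot: `http_response_code(401)` on L74 is the wrong status for a rejected upload: 401 means the request lacked valid credentials and is meant to carry a `WWW-Authenticate` challenge, whereas here the user is authenticated and the file content failed validation, so clients may react by re-prompting for login instead of showing the message; `http_response_code(400);` (or 415/422) states the actual cause. The success path still emits nothing, which callers presumably rely on, so no change there. The echo on L76 sends the translated string as `text/plain`, which is fine as long as the JavaScript side reads the body as text rather than injecting it as HTML — worth confirming in the caller.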