(Retrofit from trunk) N°1227 New configuration parameter (disable_attachments_download_legacy_portal) to disable attachments download from the legacy portal. Default is "true"!

SVN:2.4[5184]
2026-05-17 06:18:44 +02:00 · 2017-12-29 13:59:41 +00:00
parent 96288db97b
commit 696a5d1a48
2 changed files with 11 additions and 1 deletions
--- a/core/config.class.inc.php
+++ b/core/config.class.inc.php
@@ -962,6 +962,14 @@ class Config
 			'source_of_value' => '',
 			'show_in_conf_sample' => false,
 		),
+		'disable_attachments_download_legacy_portal' => array(
+			'type' => 'bool',
+			'description' => 'Disable attachments download from legacy portal',
+			'default' => true,
+			'value' => true,
+			'source_of_value' => '',
+			'show_in_conf_sample' => true,
+		),
 	);

 	public function IsProperty($sPropCode)
--- a/pages/ajax.document.php
+++ b/pages/ajax.document.php
@@ -53,7 +53,9 @@ try
 	switch($operation)
 	{
 		case 'download_document':
-			LoginWebPage::DoLoginEx(null /* any portal */, false);
+			// Fixing security hole from bug N°1227, disabling by default attachment from legacy portal.
+			$sRequestedPortalId = (MetaModel::GetConfig()->Get('disable_attachments_download_legacy_portal') === true) ? 'backoffice' : null;
+			LoginWebPage::DoLoginEx($sRequestedPortalId, false);
 			$id = utils::ReadParam('id', '');
 			$sField = utils::ReadParam('field', '');
 			if ($sClass == 'Attachment')