From 696a5d1a48ca6ec4f1ee485ef919740a587b64ed Mon Sep 17 00:00:00 2001
From: Guillaume Lajarige
Date: Fri, 29 Dec 2017 13:59:41 +0000
Subject: [PATCH] =?UTF-8?q?(Retrofit=20from=20trunk)=20N=C2=B01227=20New?=
 =?UTF-8?q?=20configuration=20parameter=20(disable=5Fattachments=5Fdownloa?=
 =?UTF-8?q?d=5Flegacy=5Fportal)=20to=20disable=20attachments=20download=20?=
 =?UTF-8?q?from=20the=20legacy=20portal.=20Default=20is=20"true"!?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

SVN:2.4[5184]
---
 core/config.class.inc.php | 8 ++++++++
 pages/ajax.document.php | 4 +++-
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/core/config.class.inc.php b/core/config.class.inc.php
index 4c25f77fd0..b014601429 100644
--- a/core/config.class.inc.php
+++ b/core/config.class.inc.php
@@ -962,6 +962,14 @@ class Config
 'source_of_value' => '',
 'show_in_conf_sample' => false,
 ),
+ 'disable_attachments_download_legacy_portal' => array(
+ 'type' => 'bool',
+ 'description' => 'Disable attachments download from legacy portal',
+ 'default' => true,
+ 'value' => true,
+ 'source_of_value' => '',
+ 'show_in_conf_sample' => true,
+ ),
 );
 
 public function IsProperty($sPropCode)
diff --git a/pages/ajax.document.php b/pages/ajax.document.php
index 29818ef541..681f81653a 100644
--- a/pages/ajax.document.php
+++ b/pages/ajax.document.php
@@ -53,7 +53,9 @@ try
 switch($operation)
 {
 case 'download_document':
- LoginWebPage::DoLoginEx(null /* any portal */, false);
+ // Fixing security hole from bug N°1227, disabling by default attachment from legacy portal.
+ $sRequestedPortalId = (MetaModel::GetConfig()->Get('disable_attachments_download_legacy_portal') === true) ? 'backoffice' : null;
+ LoginWebPage::DoLoginEx($sRequestedPortalId, false);
 $id = utils::ReadParam('id', '');
 $sField = utils::ReadParam('field', '');
 if ($sClass == 'Attachment')
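Review bot: The description of the new `disable_attachments_download_legacy_portal` entry does not tell an administrator that it is a security setting or what relaxing it exposes, which matters for a parameter that is shown in the sample configuration. I would make the description carry the rationale and the safe direction, e.g. `'description' => 'Disable attachments download from the legacy portal (security fix for N°1227). Keep "true" unless legacy portal users must download attachments',`. The surrounding `Config` settings array starts and ends outside the hunk.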
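Review bot: The new guard only changes which portal may authenticate (`'backoffice'` versus any portal); nothing in this hunk checks that the authenticated user is allowed to read the object whose attachment is requested, so when the flag is set to `false` the legacy-portal path is back to the pre-patch behaviour with no per-object check visible here. The rest of the `download_document` case lies outside the hunk, so such a check may exist further down; if it does, a comment pointing to it would make the intent clear, and if it does not, the flag is a mitigation rather than a fix for N°1227. The added comment is also hard to read; I would replace it with `// N°1227: by default only back-office users may download attachments here; set 'disable_attachments_download_legacy_portal' to false to re-allow the legacy portal.`. The enclosing `try` block and `switch` start before the hunk and continue after it.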