N°1921 Process InlineImage from another iTop as external images

* Notifications : do not embed InlineImage with wrong secret
* HtmlSanitizer : remove data-img-* attributes if not the same iTop (using approot from Config)
* move \HTMLDOMSanitizer::ProcessImage to \InlineImage::ProcessImageTag
* data-img-* attributes name are now InlineImage class constants

(cherry picked from commit 0aab80917a)

core/email.class.inc.php

@@ -234,19 +234,28 @@ class EMail
 			$oDOMDoc = new DOMDocument();
 			$oDOMDoc->preserveWhitespace = true;
 			@$oDOMDoc->loadHTML('<?xml encoding="UTF-8"?>'.$this->m_aData['body']['body']); // For loading HTML chunks where the character set is not specified
-			
+
 			$oXPath = new DOMXPath($oDOMDoc);
-			$sXPath = "//img[@data-img-id]";
+			$sXPath = '//img[@'.InlineImage::DOM_ATTR_ID.']';
 			$oImagesList = $oXPath->query($sXPath);
-			
+
 			if ($oImagesList->length != 0)
 			{
 				foreach($oImagesList as $oImg)
 				{
-					$iAttId = $oImg->getAttribute('data-img-id');
+					$iAttId = $oImg->getAttribute(InlineImage::DOM_ATTR_ID);
 					$oAttachment = MetaModel::GetObject('InlineImage', $iAttId, false, true /* Allow All Data */);
 					if ($oAttachment)
 					{
+						$sImageSecret = $oImg->getAttribute('data-img-secret');
+						$sAttachmentSecret = $oAttachment->Get('secret');
+						if ($sImageSecret !== $sAttachmentSecret)
+						{
+							// @see N°1921
+							// If copying from another iTop we could get an IMG pointing to an InlineImage with wrong secret
+							continue;
+						}
+
 						$oDoc = $oAttachment->Get('contents');
 						$oSwiftImage = new Swift_Image($oDoc->GetData(), $oDoc->GetFileName(), $oDoc->GetMimeType());
 						$sCid = $this->m_oMessage->embed($oSwiftImage);

core/htmlsanitizer.class.inc.php

@@ -348,7 +348,7 @@ class HTMLDOMSanitizer extends HTMLSanitizer
 					$this->CleanNode($oNode);
 					if (($oNode instanceof DOMElement) && (strtolower($oNode->tagName) == 'img'))
 					{
-						$this->ProcessImage($oNode);
+						InlineImage::ProcessImageTag($oNode);
 					}
 				}
 			}
@@ -359,24 +359,7 @@ class HTMLDOMSanitizer extends HTMLSanitizer
 			}
 		}
 	}
-	
-	/**
-	 * Add an extra attribute data-img-id for images which are based on an actual InlineImage
-	 * so that we can later reconstruct the full "src" URL when needed
-	 * @param DOMNode $oElement
-	 */
-	protected function ProcessImage(DOMNode $oElement)
-	{
-		$sSrc = $oElement->getAttribute('src');
-		$sDownloadUrl = str_replace(array('.', '?'), array('\.', '\?'), INLINEIMAGE_DOWNLOAD_URL); // Escape . and ?
-		$sUrlPattern = '|'.$sDownloadUrl.'([0-9]+)&s=([0-9a-f]+)|';
-		if (preg_match($sUrlPattern, $sSrc, $aMatches))
-		{
-			$oElement->setAttribute('data-img-id', $aMatches[1]);
-			$oElement->setAttribute('data-img-secret', $aMatches[2]);
-		}
-	}
-	
+
 	protected function CleanStyle($sStyle)
 	{
 		$aAllowedStyles = array();

core/inlineimage.class.inc.php

@@ -27,6 +27,11 @@ define('INLINEIMAGE_DOWNLOAD_URL', 'pages/ajax.document.php?operation=download_i
 
 class InlineImage extends DBObject
 {
+	/** @var string attribute to be added to IMG tags to contain ID */
+	const DOM_ATTR_ID = 'data-img-id';
+	/** @var string attribute to be added to IMG tags to contain secret */
+	const DOM_ATTR_SECRET = 'data-img-secret';
+
 	public static function Init()
 	{
 		$aParams = array
@@ -178,18 +183,19 @@ class InlineImage extends DBObject
 				$oInlineImage->DBUpdate();
 			}
 		}
-		else
-		{
-			IssueLog::Error('InlineImage: Error during FinalizeInlineImages(), no transaction ID for object '.get_class($oObject).'#'.$oObject->GetKey().'.');
-
-			IssueLog::Error('|- Call stack:');
-			$oException = new Exception();
-			$sStackTrace = $oException->getTraceAsString();
-			IssueLog::Error($sStackTrace);
-
-			IssueLog::Error('|- POST vars:');
-			IssueLog::Error(print_r($_POST, true));
-		}
+// For tracing issues with Inline Images... but beware not all updates are interactive, so this trace happens when creating objects non-interactively (REST, Synchro...)
+// 		else
+//		{
+//			IssueLog::Error('InlineImage: Error during FinalizeInlineImages(), no transaction ID for object '.get_class($oObject).'#'.$oObject->GetKey().'.');
+//
+//			IssueLog::Error('|- Call stack:');
+//			$oException = new Exception();
+//			$sStackTrace = $oException->getTraceAsString();
+//			IssueLog::Error($sStackTrace);
+//
+//			IssueLog::Error('|- POST vars:');
+//			IssueLog::Error(print_r($_POST, true));
+//		}
 	}
 	
 	/**
@@ -220,7 +226,8 @@ class InlineImage extends DBObject
 		$aNeedles = array();
 		$aReplacements = array();
 		// Find img tags with an attribute data-img-id
-		if (preg_match_all('/<img ([^>]*)data-img-id="([0-9]+)"([^>]*)>/i', $sHtml, $aMatches, PREG_SET_ORDER | PREG_OFFSET_CAPTURE))
+		if (preg_match_all('/<img ([^>]*)'.self::DOM_ATTR_ID.'="([0-9]+)"([^>]*)>/i',
+			$sHtml, $aMatches, PREG_SET_ORDER | PREG_OFFSET_CAPTURE))
 		{
 			$sUrl = utils::GetAbsoluteUrlAppRoot().INLINEIMAGE_DOWNLOAD_URL;
 			foreach($aMatches as $aImgInfo)
@@ -242,6 +249,42 @@ class InlineImage extends DBObject
 		return $sHtml;
 	}
 
+	/**
+	 * Add an extra attribute data-img-id for images which are based on an actual InlineImage
+	 * so that we can later reconstruct the full "src" URL when needed
+	 *
+	 * @param \DOMElement $oElement
+	 */
+	public static function ProcessImageTag(DOMElement $oElement)
+	{
+		$sSrc = $oElement->getAttribute('src');
+		$sDownloadUrl = str_replace(array('.', '?'), array('\.', '\?'), INLINEIMAGE_DOWNLOAD_URL); // Escape . and ?
+		$sUrlPattern = '|'.$sDownloadUrl.'([0-9]+)&s=([0-9a-f]+)|';
+		$bIsInlineImage = preg_match($sUrlPattern, $sSrc, $aMatches);
+		if (!$bIsInlineImage)
+		{
+			return;
+		}
+		$iInlineImageId = $aMatches[1];
+		$sInlineIMageSecret = $aMatches[2];
+
+		$sAppRoot = utils::GetAbsoluteUrlAppRoot();
+		$sAppRootPattern = '/^'.preg_quote($sAppRoot, '/').'/';
+		$bIsSameItop = preg_match($sAppRootPattern, $sSrc);
+		if (!$bIsSameItop)
+		{
+			// @see N°1921
+			// image from another iTop should be treated as external images
+			$oElement->removeAttribute(self::DOM_ATTR_ID);
+			$oElement->removeAttribute(self::DOM_ATTR_SECRET);
+
+			return;
+		}
+
+		$oElement->setAttribute(self::DOM_ATTR_ID, $iInlineImageId);
+		$oElement->setAttribute(self::DOM_ATTR_SECRET, $sInlineIMageSecret);
+	}
+
 	/**
 	 * Get the javascript fragment  - to be added to "on document ready" - to adjust (on the fly) the width on Inline Images
 	 */

datamodels/2.x/itop-request-mgmt-itil/datamodel.itop-request-mgmt-itil.xml

@@ -1725,7 +1725,7 @@
 		</class>
         <class id="Organization">
             <fields>
-                <field id="overview" xsi:type="AttributeDashboard">
+                <field id="overview" xsi:type="AttributeDashboard" _delta="if_exists">
                     <definition>
                         <cells>
                             <cell id="9000" _delta="delete">

datamodels/2.x/itop-request-mgmt/datamodel.itop-request-mgmt.xml

@@ -1747,7 +1747,7 @@
         </class>
         <class id="Organization">
             <fields>
-                <field id="overview" xsi:type="AttributeDashboard">
+                <field id="overview" xsi:type="AttributeDashboard" _delta="if_exists">
                     <definition>
                         <cells>
                             <cell id="9000" _delta="delete">

install.txt

@@ -1,3 +1,3 @@
 For installation instructions, please refer to:
 
-https://wiki.openitop.org/doku.php?id=2_4_0:install:start
+https://wiki.openitop.org/doku.php?id=2_6_0:install:start

setup/extensionsmap.class.inc.php

@@ -308,12 +308,12 @@ class iTopExtensionsMap
 							$sModuleVersion = '0.0.1';
 						}
 						
-						if ($sParentExtensionId !== null)
+						if (($sParentExtensionId !== null) && (array_key_exists($sParentExtensionId, $this->aExtensions)) && ($this->aExtensions[$sParentExtensionId] instanceof iTopExtension))
 						{
 							// Already inside an extension, let's add this module the list of modules belonging to this extension
 							$this->aExtensions[$sParentExtensionId]->aModules[] = $sModuleName;
 							$this->aExtensions[$sParentExtensionId]->aModuleVersion[$sModuleName] = $sModuleVersion;
-							}
+						}
 						else
 						{
 							// Not already inside an folder containing an 'extension.xml' file