Fix #32193 Add verification on extension file for upload

htdocs/admin/security_file.php

@@ -104,7 +104,8 @@ if ($action == 'updateform') {
 		$res4 = dolibarr_set_const($db, "MAIN_UMASK", $tmpumask, 'chaine', 0, '', $conf->entity);
 		$res5 = dolibarr_set_const($db, "MAIN_ANTIVIRUS_COMMAND", trim($antivircommand), 'chaine', 0, '', $conf->entity);
 		$res6 = dolibarr_set_const($db, "MAIN_ANTIVIRUS_PARAM", trim($antivirparam), 'chaine', 0, '', $conf->entity);
-		if ($res3 && $res4 && $res5 && $res6) {
+		$res7 = dolibarr_set_const($db, "MAIN_FILE_EXTENSION_UPLOAD_RESTRICTION", GETPOST('MAIN_FILE_EXTENSION_UPLOAD_RESTRICTION', 'alpha'), 'chaine', 0, '', $conf->entity);
+		if ($res3 && $res4 && $res5 && $res6 && $res7) {
 			setEventMessages($langs->trans("RecordModifiedSuccessfully"), null, 'mesgs');
 		}
 	}
@@ -217,6 +218,15 @@ if (defined('MAIN_ANTIVIRUS_PARAM')) {
 print "</td>";
 print '</tr>';
 
+print '<tr class="oddeven">';
+print '<td>'.$langs->trans("UploadExtensionRestriction").'<br>';
+print '<span class="opacitymedium">'.$langs->trans("UploadExtensionRestrictionExemple").'</span>';
+print '</td>';
+print '<td>';
+print '<input type="text" name="MAIN_FILE_EXTENSION_UPLOAD_RESTRICTION" class="minwidth500imp" value="'.getDolGlobalString('MAIN_FILE_EXTENSION_UPLOAD_RESTRICTION').'">';
+print "</td>";
+print '</tr>';
+
 print '</table>';
 print '</div>';
 

htdocs/core/lib/files.lib.php

@@ -1955,6 +1955,18 @@ function dol_add_file_process($upload_dir, $allowoverwrite = 0, $updatesessionor
 				$info = pathinfo($destfile);
 				$destfile = dol_sanitizeFileName($info['filename'].($info['extension'] != '' ? ('.'.strtolower($info['extension'])) : ''));
 
+				$fileextensionrestriction = getDolGlobalString("MAIN_FILE_EXTENSION_UPLOAD_RESTRICTION");
+				if (!empty($info['extension']) && !empty($fileextensionrestriction)) {
+					$fileextensionrestrictionarr = explode(",", $fileextensionrestriction);
+					foreach ($fileextensionrestrictionarr as $key => $fileextension) {
+						if (preg_match('/'.trim($fileextension).'/', $info['extension'])) {
+							$langs->load("errors"); // key must be loaded because we can't rely on loading during output, we need var substitution to be done now.
+							setEventMessages($langs->trans("ErrorFilenameExtensionNotAllowed", $filenameto), null, 'errors');
+							return -1;
+						}
+					}
+				}
+
 				// We apply dol_string_nohtmltag also to clean file names (this remove duplicate spaces) because
 				// this function is also applied when we rename and when we make try to download file (by the GETPOST(filename, 'alphanohtml') call).
 				$destfile = dol_string_nohtmltag($destfile);

htdocs/langs/en_US/admin.lang

@@ -2597,3 +2597,5 @@ AttributeCodeHelp=A code of your choice (without special char and space) to iden
 ThereIsMoreThanXAnswers=There is more than %s answers with your filter. Please add more filters...
 PdfAddTermOfSaleHelp=Upload the condition of sales from file input at the bottom of this setup page
 WarningOnlineSignature=Please note that this function allows a person (customer, supplier...) to insert, online, the image of his signature in the PDF document. As for a handwritten signature, such a signature can be made by anyone and does not have the same legal value as a legal electronic signature system going through a paying trusted third party. If you need this level of security, you can contact an integrator for more information or check for addons on www.dolistore.org.
+UploadExtensionRestriction=File exension list forbidden to upload
+UploadExtensionRestrictionExemple=html, js, php

htdocs/langs/en_US/errors.lang

@@ -437,3 +437,4 @@ ErrorThisContactXIsAlreadyDefinedAsThisType=%s is already defined as contact for
 ErrorThisGroupIsAlreadyDefinedAsThisType=The contacts with this group are already defined as contact for this type.
 EmptyMessageNotAllowedError=Empty message is not allowed
 ErrorIsNotInError=%s is not in error
+ErrorFilenameExtensionNotAllowed=File %s has a forbidden file extension