Merged in bugfix/PMCORE-1191 (pull request #7309)

PMCORE-1191 Approved-by: Julio Cesar Laura Avendaño <contact@julio-laura.com>
2020-04-14 21:24:06 +00:00
parent 9cc9bafbf9 fd1694fd2e
commit 527c06d5e5
4 changed files with 38 additions and 12 deletions
--- a/workflow/engine/methods/cases/cases_ShowDocument.php
+++ b/workflow/engine/methods/cases/cases_ShowDocument.php
@@ -46,7 +46,7 @@ if (empty($_GET['v'])) {
 //Send the parameter a = Case UID
 if ($RBAC->userCanAccess('PM_FOLDERS_ALL') != 1 && defined('DISABLE_DOWNLOAD_DOCUMENTS_SESSION_VALIDATION') && DISABLE_DOWNLOAD_DOCUMENTS_SESSION_VALIDATION == 0) {
    if (!$oAppDocument->canDownloadInput($_SESSION['USER_LOGGED'], $_GET['a'], $docVersion)) {
-        G::header('Location: /errors/error403.php');
+        G::header('Location: /errors/error403.php?url=' . urlencode($_SERVER['REQUEST_URI']));
        die();
    }
 }
--- a/workflow/engine/methods/cases/cases_ShowOutputDocument.php
+++ b/workflow/engine/methods/cases/cases_ShowOutputDocument.php
@@ -53,20 +53,21 @@ if ($RBAC->userCanAccess('PM_FOLDERS_ALL') != 1 && defined('DISABLE_DOWNLOAD_DOC
        $sAppDocUid
    )
    ) {
-        G::header('Location: /errors/error403.php');
+        G::header('Location: /errors/error403.php?url=' . urlencode($_SERVER['REQUEST_URI']));
        die();
    }
 }

 $docFileName = fixContentDispositionFilename($oAppDocument->getAppDocFilename());
 $info = pathinfo($docFileName);
+
 if (!isset($_GET['ext'])) {
-    $ext = $info['extension'];
+    $ext = (!empty($info['extension'])) ? $info['extension']: 'pdf';
 } else {
    if ($_GET['ext'] != '') {
        $ext = $_GET['ext'];
    } else {
-        $ext = $info['extension'];
+        $ext = (!empty($info['extension'])) ? $info['extension']: 'pdf';
    }
 }
 $ver = (isset($_GET['v']) && $_GET['v'] != '') ? '_' . $_GET['v'] : '';
--- a/workflow/engine/methods/login/login.php
+++ b/workflow/engine/methods/login/login.php
@@ -39,20 +39,40 @@ $aFields = array();

 //Validated redirect url
 $aFields['URL'] = '';
-if (!empty($_GET['u'])) {
+if (!empty($_GET['u']) || !empty($_GET['url'])) {
    //clean url with protocols
    $flagUrl = true;
    //Most used protocols
    $protocols = ['https://', 'http://', 'ftp://', 'sftp://','smb://', 'file:', 'mailto:'];
    foreach ($protocols as $protocol) {
-        if (strpos($_GET['u'], $protocol) !== false) {
-            $_GET['u'] = '';
-            $flagUrl = false;
-            break;
+        if (!empty($_GET['u'])) {
+            if (strpos($_GET['u'], $protocol) !== false) {
+                $_GET['u'] = '';
+                $flagUrl = false;
+                break;
+            }
+        }
+        if (!empty($_GET['url'])) {
+            if (strpos($_GET['url'], $protocol) !== false) {
+                $_GET['url'] = '';
+                $flagUrl = false;
+                break;
+            }
        }
    }
    if ($flagUrl) {
-        $aFields['URL'] = htmlspecialchars(addslashes(stripslashes(strip_tags(trim(urldecode($_GET['u']))))));
+        if (!empty($_GET['u'])) {
+            $aFields['URL'] = htmlspecialchars(addslashes(stripslashes(strip_tags(trim(urldecode($_GET['u']))))));
+        } elseif (!empty($_GET['url'])) {
+            $aFields['URL'] = htmlspecialchars(addslashes(stripslashes(strip_tags(trim(urldecode($_GET['url']))))));
+        }
+        //The following validations are only for the links to an output document
+        if(!empty($_GET['v']) && (strpos($aFields['URL'], '/cases/cases_ShowOutputDocument') != false)) {
+            $aFields['URL'] .= "&v=" . $_GET['v'];
+        }
+        if(!empty($_GET['ext']) && (strpos($aFields['URL'], '/cases/cases_ShowOutputDocument') != false)) {
+            $aFields['URL'] .= "&ext=" . $_GET['ext'];
+        }
    }
 }