Dolibarr ERP CRM is a modern software package to manage your company or foundation's activity (contacts, suppliers, invoices, orders, stocks, agenda, accounting, ...). It's an open source web application (written in PHP) designed for businesses of any size, foundations and freelancers.
I saw that @eldy made some change for security reasons on $acceptlocallinktomedia in core/lib/functions2.lib.php.
In order to browse the server for inserting some images into your mail template (admin/mail_templates.php) you have to:
configure an "https://" dolibarr_main_url_root
have a server IP that isn't in a local range 10.X.X.X / 172.16.X.X ~ 172.32.X.X / 192.168.X.X
and more ...
Here is the code
```php
// core/lib/functions2.lib.php (function header and the global $user declaration restored;
// the pasted snippet started at the first comment and $user is used by the socid check)
function acceptLocalLinktoMedia()
{
    global $user;

    // If $acceptlocallinktomedia is true, we can add link media files into email templates (we already can do this into HTML editor of an email).
    // Note that local link to a file into medias are replaced with a real link by email in CMailFile.class.php with value $urlwithroot defined like this:
    // $urlwithouturlroot = preg_replace('/'.preg_quote(DOL_URL_ROOT, '/').'$/i', '', trim($dolibarr_main_url_root));
    // $urlwithroot = $urlwithouturlroot.DOL_URL_ROOT; // This is to use external domain name found into config file
    $acceptlocallinktomedia = getDolGlobalInt('MAIN_DISALLOW_MEDIAS_IN_EMAIL_TEMPLATES') ? 0 : 1;
    if ($acceptlocallinktomedia) {
        global $dolibarr_main_url_root;
        // Public URL root with the DOL_URL_ROOT suffix stripped, e.g. https://erp.example.com
        $urlwithouturlroot = preg_replace('/'.preg_quote(DOL_URL_ROOT, '/').'$/i', '', trim($dolibarr_main_url_root));

        // Parse $newUrl
        $newUrlArray = parse_url($urlwithouturlroot);
        $hosttocheck = $newUrlArray['host'];
        $hosttocheck = str_replace(array('[', ']'), '', $hosttocheck); // Remove brackets of IPv6

        // Resolve the public host name from the server's own point of view (gethostbyname
        // returns the name unchanged on failure, which then fails the IP filter below)
        if (function_exists('gethostbyname')) {
            $iptocheck = gethostbyname($hosttocheck);
        } else {
            $iptocheck = $hosttocheck;
        }

        //var_dump($iptocheck.' '.$acceptlocallinktomedia);
        if (!filter_var($iptocheck, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) {
            // If ip of public url is a private network IP, we do not allow this.
            $acceptlocallinktomedia = 0; // 0 = refused (the snippet read 1 here, contradicting this comment and the behaviour described below)
            // TODO Show a warning
        }
        if (preg_match('/http:/i', $urlwithouturlroot)) {
            // If public url is not a https, we do not allow to add medias link. It will generate security alerts when email will be sent.
            $acceptlocallinktomedia = 0;
            // TODO Show a warning
        }
        if (!empty($user->socid)) {
            // External users (linked to a third party) never get local media links
            $acceptlocallinktomedia = 0;
        }
    }
    //return 1;
    return $acceptlocallinktomedia;
}
```
The problem is that I have Dolibarr instances behind a proxy. The proxy is there to handle traffic like redirecting URLs to the right server, fail2ban etc...
If I test $iptocheck on those Dolibarr instances I get a local IP like 10.0.10.16, so $acceptlocallinktomedia will always be 0.
So I won't be able to add media correctly in admin/mail_templates.php and users/card.php.
It works on all other pages because this check isn't made there.
Why is this check important on those pages?
Because if I prepare a mail template on societe/card.php, I can insert images with "Browse The Server", then copy the source code, go to admin/mail_templates.php and paste it.
Environment Version: 14~19
Environment OS: Not relevant
Environment Web server: Not relevant (Apache or Nginx)
Environment PHP: 7.4 and 8.0
Environment Database: MariaDB
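The check quoted above, reproduced as a stand-alone diagnostic (an added example, not Dolibarr's own code) so an administrator behind a proxy can see which decision a given dolibarr_main_url_root gets and why; the function name mediaLinkDecision, the resolver map $fakeDns and the host names in it are constructed for the demo, and the https test uses the parsed scheme instead of the original's regex.

```php
<?php
// Reproduces the decision logic of acceptLocalLinktoMedia() outside Dolibarr.
// The resolver is injectable so the reporter's proxy situation (public name answering
// with a private address from inside the network) can be shown offline.

function mediaLinkDecision(string $urlRoot, callable $resolve): array
{
    $url  = parse_url(trim($urlRoot));
    $host = str_replace(['[', ']'], '', $url['host'] ?? ''); // strip IPv6 brackets
    $ip   = $resolve($host);                                   // what the *server* sees
    $reasons = [];
    // Private (10/8, 172.16/12, 192.168/16) or reserved ranges, or an unresolvable
    // name (gethostbyname then returns the name itself), block the link.
    if (!filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) {
        $reasons[] = "host $host resolves to $ip (private/reserved, or not an IP)";
    }
    if (($url['scheme'] ?? '') !== 'https') {
        $reasons[] = 'public URL is not https';
    }
    return ['host' => $host, 'ip' => $ip, 'allowed' => empty($reasons), 'reasons' => $reasons];
}

// Constructed split-horizon resolver: erp.example.com is the reporter's case (the
// server sees 10.0.10.16 for its own public name), public.example.com the normal case.
$fakeDns = [
    'erp.example.com'    => '10.0.10.16',
    'public.example.com' => '203.0.113.10',
];
$resolve = fn(string $h) => $fakeDns[$h] ?? (function_exists('gethostbyname') ? gethostbyname($h) : $h);

foreach (['https://erp.example.com', 'https://public.example.com', 'http://public.example.com'] as $u) {
    $d = mediaLinkDecision($u, $resolve);
    printf("%-28s -> %s%s\n", $u, $d['allowed'] ? 'allowed' : 'refused',
        $d['reasons'] ? ' (' . implode('; ', $d['reasons']) . ')' : '');
}
// To test a real instance, pass 'gethostbyname' as $resolve together with your own
// dolibarr_main_url_root: a private address in the output is exactly what trips the check.
```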