Issue with .. in filename

[Daviid-P]

Bug

dolibarr/htdocs/document.php

Lines 254 to 260 in 583480e

	// Security:
	// We refuse directory transversal change and pipes in file names
	if (preg_match('/\.\./', $fullpath_original_file) || preg_match('/[<>|]/', $fullpath_original_file)) {
	dol_syslog("Refused to deliver file ".$fullpath_original_file);
	print "ErrorFileNameInvalid: ".dol_escape_htmltag($original_file);
	exit;
	}

I have an invoice that comes from outside and has a ref like XXXXX. so the created file is XXXXX..pdf and .. gets caught.

Could I change it to (?:^|[\/\\\\])\.\.(?:[\/\\\\]|$)

to catch only .. that are meant for path traversal?

/path/to/file
../relative/path
..\\another\\path
C:\\Windows\..\System32/..//././../
file/in/directory/with/..
file\\in\\directory\\with\\..
INVOICE..pdf
file/with/no/../dots
directory\\with\\no\\dots

Dolibarr Version

No response

Environment PHP

No response

Environment Database

No response

Steps to reproduce the behavior and expected behavior

No response

Attached files

No response

[bos4711]

Which version?

[Daviid-P]

Which version?

The linked code is from develop branch

[bos4711]

Sorry, I didn't realize it was a link, I thought it was a screenshot.

Regarding your fix you have a +1 from me.