diff --git a/admin/lang/egw_en.lang b/admin/lang/egw_en.lang index 91fc2ce6b5..3e36ff2b54 100644 --- a/admin/lang/egw_en.lang +++ b/admin/lang/egw_en.lang @@ -351,7 +351,7 @@ document root (default) admin en Document root (default) domainname admin en Domain name down admin en Down download csv admin en Download CSV -each value is a line like id[=label], or use @path to read options from a file in egroupware directory admin en each value is a line like id[=label], or use @path to read options from a file in EGroupware directory +each value is a line like id[=label], or use @path to read options from a file in egroupware directory admin en each value is a line like id[=label], or use @path to read options from a file in the VFS each value is a line like label=[javascript] admin en each value is a line like label=[javascript] edit account admin en Edit account edit application admin en Edit application diff --git a/api/js/etemplate/et2_extension_nextmatch.ts b/api/js/etemplate/et2_extension_nextmatch.ts index 3aaeddef4f..ca944ae9b4 100644 --- a/api/js/etemplate/et2_extension_nextmatch.ts +++ b/api/js/etemplate/et2_extension_nextmatch.ts @@ -4194,8 +4194,7 @@ export class et2_nextmatch_customfields extends et2_customfields_list implements field.type == 'select-account' ? 'et2-nextmatch-header-account' : "et2-nextmatch-header-filter", { id: cf_id, - empty_label: field.label, - select_options: field.values + empty_label: field.label }, this ); diff --git a/api/src/Storage/Customfields.php b/api/src/Storage/Customfields.php index 4e3435d6cc..a1ae6d8121 100644 --- a/api/src/Storage/Customfields.php +++ b/api/src/Storage/Customfields.php @@ -272,9 +272,7 @@ class Customfields implements \IteratorAggregate /** * Read the options of a 'select' or 'radio' custom field from a file * - * For security reasons that file has to be relative to the eGW root - * (to not use that feature to explore arbitrary files on the server) - * and it has to be a php file setting one variable called options, + * For security reasons it has to be a php file setting one variable called options, * (to not display it to anonymously by the webserver). * The $options var has to be an array with value => label pairs, eg: * @@ -292,12 +290,11 @@ class Customfields implements \IteratorAggregate { $options = array(); - if (!($path = realpath($file[0] == '/' ? $file : EGW_SERVER_ROOT.'/'.$file)) || // file does not exist - substr($path,0,strlen(EGW_SERVER_ROOT)+1) != EGW_SERVER_ROOT.'/' || // we are NOT inside the eGW root - basename($path,'.php').'.php' != basename($path) || // extension is NOT .php - basename($path) == 'header.inc.php') // dont allow to include our header again + if(!($path = Api\Vfs::resolve_url($file)) || // file does not exist // we are NOT inside the eGW root + basename($path, '.php') . '.php' != basename($path) || // extension is NOT .php + basename($path) == 'header.inc.php') // dont allow to include our header again { - return array(lang("'%1' is no php file in the eGW server root (%2)!".': '.$path,$file,EGW_SERVER_ROOT)); + return array(lang("'%1' is no php file in the eGW server root (%2)!" . ': ' . $path, $file, EGW_SERVER_ROOT)); } include($path);