Fix #yogosha7494

htdocs/document.php

@@ -195,9 +195,11 @@ if (!in_array($type, array('text/x-javascript')) && !dolIsAllowedForPreview($ori
 }
 
 // Security: Delete string ../ or ..\ into $original_file
+$original_file = preg_replace('/\.\.+/','..', $original_file);	// Replace '... or more' with '..'
 $original_file = str_replace('../', '/', $original_file);
 $original_file = str_replace('..\\', '/', $original_file);
 
+
 // Find the subdirectory name as the reference
 $refname = basename(dirname($original_file)."/");
 

htdocs/viewimage.php

@@ -222,6 +222,7 @@ if (preg_match('/\.noexe$/i', $original_file)) {
 }
 
 // Security: Delete string ../ or ..\ into $original_file
+$original_file = preg_replace('/\.\.+/', '..', $original_file);	// Replace '... or more' with '..'
 $original_file = str_replace('../', '/', $original_file);
 $original_file = str_replace('..\\', '/', $original_file);