Bug 37146: Prevent path traversal by validating input
This patch validates the plugin_name passed to plugin_launcher.pl against the base path containing the "value_builder" directory. Test plan: 0. Apply the patch 1. koha-plack --reload kohadev 2. Go to http://localhost:8081/cgi-bin/koha/cataloguing/addbiblio.pl?biblionumber=29 3. Check that the tag editor for leader still works 4. Go to http://localhost:8081/cgi-bin/koha/cataloguing/additem.pl?biblionumber=29 5. Check that the pluginf or "Date acquired" still works Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz> Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
This commit is contained in:
parent
843dce6cf5
commit
0aad8e6818
1 changed files with 10 additions and 0 deletions
|
|
@ -111,6 +111,7 @@ Koha::FrameworkPlugin - Facilitate use of plugins in MARC/items editor
|
|||
=cut
|
||||
|
||||
use Modern::Perl;
|
||||
use Cwd qw//;
|
||||
|
||||
use base qw(Class::Accessor);
|
||||
|
||||
|
|
@ -213,7 +214,16 @@ sub _load {
|
|||
my ( $rv, $file );
|
||||
return $self->_error( 'Plugin needs a name' ) if !$self->{name}; #2chk
|
||||
$self->{path} //= _valuebuilderpath();
|
||||
#NOTE: Resolve symlinks and relative path components if present,
|
||||
#so the base will compare correctly lower down
|
||||
my $abs_base_path = Cwd::abs_path( $self->{path} );
|
||||
$file= $self->{path}. '/'. $self->{name};
|
||||
#NOTE: Resolve relative path components to prevent loading files outside the base path
|
||||
my $abs_file_path = Cwd::abs_path($file);
|
||||
if ( $abs_file_path !~ /^\Q$abs_base_path\E/ ) {
|
||||
warn "Attempt to load $file ($abs_file_path) in framework plugin!";
|
||||
return $self->_error('File not found');
|
||||
}
|
||||
return $self->_error( 'File not found' ) if !-e $file;
|
||||
|
||||
# undefine oldschool subroutines before defining them again
|
||||
|
|
|
|||
Loading…
Reference in a new issue