Bug 36244: Do template toolkit processing first

To avoid injection of template toolkit code
from database fields that are controlled by
untrusted sources.

Test plan:

* review subtest 'Template toolkit syntax in
  parameters' in t/db_dependent/Letters.t
* Run the unit test:
  prove t/db_dependent/Letters.t

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Andreas Jonsson 2024-03-07 09:12:25 +00:00 committed by Lucas Gass
parent fbbaad4ac3
commit 0e853fc146


@ -603,6 +603,28 @@ sub GetPreparedLetter {
return;
my $want_librarian = $params{want_librarian};
$letter->{content} = _process_tt(
{
content => $letter->{content},
lang => $lang,
loops => $loops,
objects => $objects,
substitute => $substitute,
tables => $tables,
}
);
$letter->{title} = _process_tt(
{
content => $letter->{title},
lang => $lang,
loops => $loops,
objects => $objects,
substitute => $substitute,
tables => $tables,
}
);
if (%$substitute) {
while ( my ($token, $val) = each %$substitute ) {
$val //= q{};
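Review bot: the relocated `_process_tt` blocks for `content` and `title` (`$letter->{content} = _process_tt(` and `$letter->{title} = _process_tt(`) are identical apart from the field name, so a `for my $field (qw(content title))` loop over one argument hash would keep the two from drifting apart; more importantly, nothing in the code states why they now sit before the `while ( my ($token, $val) = each %$substitute )` loop. A one-line comment saying that Template Toolkit is evaluated first so that values coming from `%$substitute` are never interpreted as TT (the injection the commit message describes) would stop a future refactor from moving them back.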
@ -673,28 +695,6 @@ sub GetPreparedLetter {
}
}
$letter->{content} = _process_tt(
{
content => $letter->{content},
lang => $lang,
loops => $loops,
objects => $objects,
substitute => $substitute,
tables => $tables,
}
);
$letter->{title} = _process_tt(
{
content => $letter->{title},
lang => $lang,
loops => $loops,
objects => $objects,
substitute => $substitute,
tables => $tables,
}
);
$letter->{content} =~ s/<<\S*>>//go; #remove any stragglers
return $letter;
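Review bot: with the `_process_tt` calls for `content` and `title` deleted here, the `s/<<\S*>>//go; #remove any stragglers` line becomes the last transformation before `return $letter;`, so no TT evaluation happens after `<<token>>` substitution, which matches the stated intent. That is a behaviour change for any existing notice that put Template Toolkit syntax inside a substituted value and expected it to be rendered, and it should be called out in the commit message or release notes alongside the test plan. Minor, and pre-existing: the straggler cleanup runs on `content` only, while `title` was also TT-processed and substituted; worth a follow-up if `<<...>>` tokens in titles are expected to be cleaned the same way.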