Bug 37488: Validate paths in datalink.txt/idlink.txt files
This change validates the paths in datalink.txt/idlink.txt, so that only images in the unpacked archive directory are allowed Test plan: 0. Apply the patch 1. koha-plack --reload kohadev 2. Create a datalink.txt file with the following: 42,selfie.jpg 3. Create a jpeg at selfie.jpg 4. ZIP the datalink.txt and selfie.jpg files 5. Upload to the "Upload patron images" tool (after enabling the "patronimages" system preference) 6. Note that the image uploads correctly Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> (cherry picked from commit 8fcb767fe2836c90ceacb5b5d8211524571eb8aa) Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
parent
4e7f850c59
commit
751e72dfda
1 changed files with 6 additions and 1 deletions
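--- a/FILE_PATH_NOT_SHOWN
+++ b/FILE_PATH_NOT_SHOWN
@@ -249,7 +249,12 @@ sub handle_dir {
 $cardnumber =~ s/[\"\r\n]//g; # remove offensive characters
 $filename =~ s/[\"\r\n\s]//g;
 $logger->debug("Cardnumber: $cardnumber Filename: $filename");
-$source = "$dir/$filename";
+$source = Cwd::abs_path("$dir/$filename");
+if ( $source !~ /^\Q$dir\E/ ) {
+
+#NOTE: Unset $source if it points to a file outside of this unpacked ZIP archive
+$source = '';
+}
 %counts = handle_file( $cardnumber, $source, $template, %counts );
 }
 closedir $dir_h;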
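Review bot: The containment check on the added `if` line is a bare prefix match, so a resolved path in a sibling directory whose name merely starts with `$dir` (constructed example: `$dir` is `/tmp/unpack1`, the file resolves to `/tmp/unpack12/x.jpg`) would pass as inside the archive; require the separator after the prefix, `if ( !defined $source || $source !~ m{\A\Q$dir\E/} ) {`. The `defined` guard is needed because `Cwd::abs_path` returns undef when the entry does not exist, and matching undef against the regex emits an uninitialized-value warning before `$source` is cleared. If `$dir` itself can contain symlinks (not visible in this hunk), canonicalize it once with `Cwd::abs_path` as well, since the comparison is against the resolved form of the file and would otherwise reject every valid entry. The enclosing `handle_dir` starts and ends outside the hunk, and what `handle_file` does with an empty `$source` is not visible here.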