Bug 37488: Validate paths in datalink.txt/idlink.txt files

This change validates the paths in datalink.txt/idlink.txt,
so that only images in the unpacked archive directory are allowed

Test plan:
0. Apply the patch
1. koha-plack --reload kohadev
2. Create a datalink.txt file with the following:
42,selfie.jpg
3. Create a jpeg at selfie.jpg
4. ZIP the datalink.txt and selfie.jpg files
5. Upload to the "Upload patron images" tool
(after enabling the "patronimages" system preference)
6. Note that the image uploads correctly

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit 8fcb767fe2836c90ceacb5b5d8211524571eb8aa)
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
This commit is contained in:
David Cook 2024-07-26 04:01:43 +00:00 committed by Katrin Fischer
parent 4e7f850c59
commit 751e72dfda
Signed by: kfischer
GPG key ID: 0EF6E2C03357A834


@ -249,7 +249,12 @@ sub handle_dir {
$cardnumber =~ s/[\"\r\n]//g; # remove offensive characters
$filename =~ s/[\"\r\n\s]//g;
$logger->debug("Cardnumber: $cardnumber Filename: $filename");
$source = "$dir/$filename";
$source = Cwd::abs_path("$dir/$filename");
if ( $source !~ /^\Q$dir\E/ ) {
#NOTE: Unset $source if it points to a file outside of this unpacked ZIP archive
$source = '';
}
%counts = handle_file( $cardnumber, $source, $template, %counts );
}
closedir $dir_h;
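Review bot: The containment check on the new `if ( $source !~ /^\Q$dir\E/ )` line is a bare prefix match, so a resolved path in a sibling directory whose name merely starts with `$dir` (e.g. `$dir` = `/tmp/abc`, `$source` = `/tmp/abcd/x.jpg`) would still pass; the comparison should require a directory separator after the prefix. The left-hand side is canonicalised with `Cwd::abs_path` but `$dir` is not, so if `$dir` contains a symlink component or is not already absolute (it is assigned outside this hunk, so I cannot tell) every entry would be rejected rather than accepted, which fails closed but silently breaks the upload. `Cwd::abs_path` can also return undef for a non-existent target, which currently produces an uninitialized-value warning before the regex fails the entry. I would canonicalise both sides and treat undef explicitly: `my $base = Cwd::abs_path($dir);` followed by `if ( !defined $source || !defined $base || $source !~ m{^\Q$base\E/} ) {` in place of the current condition; the test plan would also benefit from a negative case (a datalink.txt entry such as `42,../../etc/passwd`) to confirm the rejection path. The enclosing `handle_dir` starts and ends outside this hunk.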