Bug 11661: sanitize file names supplied to edithelp.pl

This patch corrects an issue whereby edithelp.pl could
be used to create or modify arbitrary files on the server
with the permissions of the Apache user.

Signed-off-by: Galen Charlton <gmc@esilibrary.com>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>

edithelp.pl

@@ -65,7 +65,9 @@ my ( $template, $loggedinuser, $cookie ) = get_template_and_user(
 sub _get_filepath ($;$) {
     my $referer = shift;
     $referer =~ /koha\/(.*)\.pl/;
-    my $from = "help/$1.tt";
+    my $file = $1;
+    $file =~ s/[^0-9a-zA-Z_\-\/]*//g;
+    my $from = "help/$file.tt";
     my $htdocs = C4::Context->config('intrahtdocs');
     my ($theme, $lang, $availablethemes) = C4::Templates::themelanguage( $htdocs, $from, "intranet", $input );
 	$debug and print STDERR "help filepath: $htdocs/$theme/$lang/modules/$from";