Bug 6628 : Stopping a potential vulnerability

Signed-off-by: Frère Sébastien Marie <semarie-koha@latrappe.fr> Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de> - verified help pages still work - verified /cgi-bin/koha/help.pl?url=koha/../catalogue/advsearch.pl does not show the template file (did work on master, not after applying patch) - verified cgi-bin/koha/help.pl?url=koha/../../../../../../etc/passwd%00.pl does not work (didn't work on master or after applying patch) Signed-off-by: Paul Poulain <paul.poulain@biblibre.com> The potential vulnerability would allow anyone to see the content of any .tt file, and .tt only. Was much less critical than the vulnerability for 6629, but it's worth fixing !
12 years ago · 8664d19567
1 changed files with 3 additions and 1 deletions
--- a/help.pl
+++ b/help.pl
@ -32,7 +32,9 @@ our $refer = $query->param('url');
 $refer = $query->referer()  if !$refer || $refer eq 'undefined';

 $refer =~ /koha\/(.*)\.pl/;
-my $from = "help/$1.tt";
+my $file = $1;
+$file =~ s/[^a-zA-Z0-9_\-\/]*//g;
+my $from = "help/$file.tt";

 my $template = C4::Templates::gettemplate($from, 'intranet', $query);
 $template->param( referer => $refer );