Bug 35291: Don't allow symlinks for link files in cover image ZIP

There's no reason to allow symlinks for link files in cover image ZIP files. Preventing their use prevents someone from uploading a symlink pointing to an existing file on the Koha server. Test plan: 0. Apply patch and restart/reload Koha 1. Create a PNG cover image 2. Create a datalink.txt file that contains something like the following: 29,Untitled.PNG 3. Turn on "LocalCoverImages" system preference 4. Upload via http://localhost:8081/cgi-bin/koha/tools/upload-cover-image.pl 5. Go to http://localhost:8081/cgi-bin/koha/catalogue/detail.pl?biblionumber=29 6. Note the cover image has been uploaded Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> Signed-off-by: Pedro Amorim <pedro.amorim@ptfs-europe.com>
2023-11-09 00:23:45 +00:00 · 2023-11-09 00:23:45 +00:00 · 9982fdf0d6
commit 9982fdf0d6
parent bcfa13c93d
1 changed files with 6 additions and 5 deletions
--- a/tools/upload-cover-image.pl
+++ b/tools/upload-cover-image.pl
@ -158,11 +158,12 @@ if ($fileID) {
            }
            foreach my $dir (@directories) {
                my $file;
-                if ( -e "$dir/idlink.txt" ) {
-                    $file = "$dir/idlink.txt";
-                }
-                elsif ( -e "$dir/datalink.txt" ) {
-                    $file = "$dir/datalink.txt";
+                my $idlink   = "$dir/idlink.txt";
+                my $datalink = "$dir/datalink.txt";
+                if ( -e $idlink && !-l $idlink ) {
+                    $file = $idlink;
+                } elsif ( -e $datalink && !-l $datalink ) {
+                    $file = $datalink;
                }
                else {
                    next;