From 50968f4c3fec1d29a4b9980a355457e80fb5dbed Mon Sep 17 00:00:00 2001 From: Amit Gupta Date: Thu, 11 Jul 2024 23:13:06 +0530 Subject: [PATCH] Bug 37323: Escape characters in patron image picture upload To Test 1. Create a file name for example: test.zip`curl xxxxtesting.informaticsglobal.com`.zip where the domain is one you can watch the logs from. 2. Go to Tools and click on Upload patron images choose option zip file and upload the file. 3. Check /var/log/apache2/access.log and see the curl with the IP "xx.xxx.xx.xxx - - [11/Jul/2024:23:10:33 +0530] "GET / HTTP/1.1" 200 267 "-" "curl/7.68.0" 4. Apply the patch 5. Repeat 2 and 3 step and check no error is coming for the Remote execution error. 6. Test uploading actual zip file and images still works. Signed-off-by: Chris Cormack Signed-off-by: David Cook Signed-off-by: Nick Clemens Signed-off-by: Tomas Cohen Arazi (cherry picked from commit 5c931e00f73e91467581fd29721e5af8d7fa98ab) Signed-off-by: Tomas Cohen Arazi Signed-off-by: Katrin Fischer --- tools/picture-upload.pl | 1 + 1 file changed, 1 insertion(+) diff --git a/tools/picture-upload.pl b/tools/picture-upload.pl index 2383fba885..4d6597fdee 100755 --- a/tools/picture-upload.pl +++ b/tools/picture-upload.pl @@ -89,6 +89,7 @@ if ( ( $op eq 'cud-Upload' ) && ($uploadfile || $uploadfiletext) ) { my $dirname = File::Temp::tempdir( CLEANUP => 1 ); my $filesuffix; + $uploadfilename =~ s/[^A-Za-z0-9\-\.]//g; if ( $uploadfilename =~ m/(\..+)$/i ) { $filesuffix = $1; } -- 2.39.5