From 7a15b321a34f0b2a8a4a5361fa3633f26c68da5f Mon Sep 17 00:00:00 2001
From: Amit Gupta <amit.gupta@informaticsglobal.com>
Date: Thu, 11 Jul 2024 23:13:06 +0530
Subject: [PATCH] Bug 37323: Escape characters in patron image picture upload

To Test
1. Create a file name for example: test.zip`curl xxxxtesting.informaticsglobal.com`.zip
   where the domain is one you can watch the logs from.
2. Go to Tools and click on Upload patron images choose option zip file and upload the file.
3. Check /var/log/apache2/access.log and see the curl with the IP
   "xx.xxx.xx.xxx - - [11/Jul/2024:23:10:33 +0530] "GET / HTTP/1.1" 200 267 "-" "curl/7.68.0"
4. Apply the patch
5. Repeat 2 and 3 step and check no error is coming for the Remote execution error.
6. Test uploading actual zip file and images still works.

Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit 5c931e00f73e91467581fd29721e5af8d7fa98ab)
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
---
 tools/picture-upload.pl | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tools/picture-upload.pl b/tools/picture-upload.pl
index 2383fba885..4d6597fdee 100755
--- a/tools/picture-upload.pl
+++ b/tools/picture-upload.pl
@@ -89,6 +89,7 @@ if ( ( $op eq 'cud-Upload' ) && ($uploadfile || $uploadfiletext) ) {
 
     my $dirname = File::Temp::tempdir( CLEANUP => 1 );
     my $filesuffix;
+    $uploadfilename =~ s/[^A-Za-z0-9\-\.]//g;
     if ( $uploadfilename =~ m/(\..+)$/i ) {
         $filesuffix = $1;
     }
-- 
2.39.5