From 2dcde0864641941b60c87a07177da78fb313214f Mon Sep 17 00:00:00 2001
From: Chris Cormack
Date: Sat, 1 Feb 2014 15:06:58 +1300
Subject: [PATCH] Bug 11661: sanitize file names supplied to edithelp.pl

This patch corrects an issue whereby edithelp.pl could be used to create or modify arbitrary files on the server with the permissions of the Apache user.

Signed-off-by: Galen Charlton
Signed-off-by: Jonathan Druart
Signed-off-by: Galen Charlton
(cherry picked from commit 7baf02c263a627b1454577b3141a0af4b8f963d1)
Signed-off-by: Tomas Cohen Arazi
(cherry picked from commit 677e9299da6e808bd4c76dc036da9e39c4277edd)
Signed-off-by: Bernardo Gonzalez Kriegel
(cherry picked from commit 677e9299da6e808bd4c76dc036da9e39c4277edd)
---
 edithelp.pl | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/edithelp.pl b/edithelp.pl
index 28586b3910..6fd961d413 100755
--- a/edithelp.pl
+++ b/edithelp.pl
@@ -65,7 +65,9 @@ my ( $template, $loggedinuser, $cookie ) = get_template_and_user(
 sub _get_filepath ($;$) {
 my $referer = shift;
 $referer =~ /koha\/(.*)\.pl/;
- my $from = "help/$1.tt";
+ my $file = $1;
+ $file =~ s/[^0-9a-zA-Z_\-\/]*//g;
+ my $from = "help/$file.tt";
 my $htdocs = C4::Context->config('intrahtdocs');
 my ($theme, $lang, $availablethemes) = C4::Templates::themelanguage( $htdocs, $from, "intranet", $input );
 $debug and print STDERR "help filepath: $htdocs/$theme/$lang/modules/$from";
-- 
2.39.5
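Review bot: `my $file = $1;` reads the capture without checking that the match on `$referer` succeeded, so when the referer does not contain `koha/….pl` the variable may be undef or may still hold the capture of an earlier successful match, and that value is what ends up in the help path. Capturing and testing in one step closes this, e.g. `my ($file) = $referer =~ m{koha/(.*)\.pl} or return;`; what callers expect on a miss is not visible here, because the body of `_get_filepath` continues past the end of the hunk. The character filter does strip `.`, so `..` segments cannot survive, but it silently rewrites the name rather than rejecting it, which can map a hostile referer onto a different existing help file. An anchored allowlist check such as `return unless $file =~ m{\A[0-9a-zA-Z_\-/]+\z};` would make the intent explicit and give one place to log rejected values.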