From 0e853fc1464ad6136d9bec1db063433b38a85fb9 Mon Sep 17 00:00:00 2001
From: Andreas Jonsson
Date: Thu, 7 Mar 2024 09:12:25 +0000
Subject: [PATCH] Bug 36244: Do template toolkit processing first

To avoid injection of template toolkit code from database fields that are controlled by untrusted sources.

Test plan:
* review subtest 'Template toolkit syntax in parameters' in t/db_dependent/Letters.t
* Run the unit test: prove t/db_dependent/Letters.t

Signed-off-by: Jonathan Druart
Signed-off-by: Marcel de Rooy
Signed-off-by: Kyle M Hall
Signed-off-by: Lucas Gass
---
 C4/Letters.pm | 44 ++++++++++++++++++++++----------------------
 1 file changed, 22 insertions(+), 22 deletions(-)

diff --git a/C4/Letters.pm b/C4/Letters.pm
index b2ad4c2d1d..6089072296 100644
--- a/C4/Letters.pm
+++ b/C4/Letters.pm
@@ -603,6 +603,28 @@ sub GetPreparedLetter {
          return;
     my $want_librarian = $params{want_librarian};
 
+    $letter->{content} = _process_tt(
+        {
+            content    => $letter->{content},
+            lang       => $lang,
+            loops      => $loops,
+            objects    => $objects,
+            substitute => $substitute,
+            tables     => $tables,
+        }
+    );
+
+    $letter->{title} = _process_tt(
+        {
+            content    => $letter->{title},
+            lang       => $lang,
+            loops      => $loops,
+            objects    => $objects,
+            substitute => $substitute,
+            tables     => $tables,
+        }
+    );
+
     if (%$substitute) {
         while ( my ($token, $val) = each %$substitute ) {
             $val //= q{};
@@ -673,28 +695,6 @@ sub GetPreparedLetter {
         }
     }
 
-    $letter->{content} = _process_tt(
-        {
-            content    => $letter->{content},
-            lang       => $lang,
-            loops      => $loops,
-            objects    => $objects,
-            substitute => $substitute,
-            tables     => $tables,
-        }
-    );
-
-    $letter->{title} = _process_tt(
-        {
-            content    => $letter->{title},
-            lang       => $lang,
-            loops      => $loops,
-            objects    => $objects,
-            substitute => $substitute,
-            tables     => $tables,
-        }
-    );
-
     $letter->{content} =~ s/<<\S*>>//go; #remove any stragglers
 
     return $letter;
-- 
2.39.5
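Review bot: The ordering that this hunk introduces is load-bearing for security, but nothing in the code says so, and the `_process_tt` calls look like they could be moved back below the `<<...>>` substitution loop without anyone noticing; the first hunk should carry a comment above the new `$letter->{content} = _process_tt(` line such as `# Bug 36244: run Template Toolkit before the <<...>> substitutions below, so values pulled from the database or passed in via 'substitute' are never interpreted as TT directives.` The same reasoning applies to the removed block in the second hunk, where a reader of git blame will otherwise see only a relocation. Note that the `s/<<\S*>>//go` straggler cleanup now runs after TT processing, so a template that relied on a `<<...>>` token expanding into TT syntax will stop working; that seems to be the intended trade-off but is worth stating in the commit message. The test plan references a subtest in t/db_dependent/Letters.t, yet the diffstat lists only C4/Letters.pm, so that test presumably lives in a companion patch. GetPreparedLetter begins before the first hunk and its closing brace is outside the second.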