From f6094bd90a3c81f8c9c30f45fab1b7c9a0e3f7e2 Mon Sep 17 00:00:00 2001
From: Andreas Jonsson
Date: Thu, 7 Mar 2024 09:12:25 +0000
Subject: [PATCH] Bug 36244: Do template toolkit processing first

To avoid injection of template toolkit code from database fields that are controlled by untrusted sources.

Test plan:
* review subtest 'Template toolkit syntax in parameters' in t/db_dependent/Letters.t
* Run the unit test: prove t/db_dependent/Letters.t

Signed-off-by: Jonathan Druart
Signed-off-by: Marcel de Rooy
Signed-off-by: Kyle M Hall
Signed-off-by: Wainui Witika-Park
---
 C4/Letters.pm | 38 +++++++++++++++++++-------------------
 1 file changed, 19 insertions(+), 19 deletions(-)

diff --git a/C4/Letters.pm b/C4/Letters.pm
index 6b19fc7252..1e4e817e03 100644
--- a/C4/Letters.pm
+++ b/C4/Letters.pm
@@ -597,6 +597,25 @@ sub GetPreparedLetter {
 return;
 my $want_librarian = $params{want_librarian};
+ $letter->{content} = _process_tt( { content => $letter->{content}, tables => $tables, loops => $loops, substitute => $substitute, lang => $lang } );
+
+ $letter->{title} = _process_tt( { content => $letter->{title}, tables => $tables, loops => $loops, substitute => $substitute, } );
+
 if (%$substitute) {
 while ( my ($token, $val) = each %$substitute ) {
 $val //= q{};
@@ -667,25 +686,6 @@ sub GetPreparedLetter {
 }
 }
- $letter->{content} = _process_tt( { content => $letter->{content}, tables => $tables, loops => $loops, substitute => $substitute, lang => $lang } );
-
- $letter->{title} = _process_tt( { content => $letter->{title}, tables => $tables, loops => $loops, substitute => $substitute, } );
-
 $letter->{content} =~ s/<<\S*>>//go; #remove any stragglers
 return $letter;
-- 
2.39.5
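Review bot: The ordering that this fix depends on — `_process_tt` now runs before the `<<field>>` substitution loop that starts at `if (%$substitute) {` — is security-critical but nothing in the code says so, so a later refactor could move the TT pass back after substitution and silently reopen the injection the commit message describes. Add a comment above the new `$letter->{content} = _process_tt(` line, e.g. `# Run Template Toolkit over the raw template BEFORE the legacy <<field>> substitution below: values substituted later (patron-controlled database fields among them) must never be interpreted as template code (bug 36244).` The `title` call is moved verbatim and, unlike the `content` call, still passes no `lang`; that is pre-existing (the removed block in the second hunk shows the same), but it is worth confirming it is intentional rather than an omission. GetPreparedLetter begins before the first hunk and its body continues outside both hunks, so the substitution loop this note refers to is only partly visible.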