git.koha-community.org Git - koha.git/commit

]> git.koha-community.org Git - koha.git/commit

projects / koha.git / commit

summary | shortlog | log | commit | commitdiff | tree
(parent: eb00622) | patch

author	David Cook <dcook@prosentient.com.au>
	Fri, 21 Jun 2024 01:45:51 +0000 (01:45 +0000)
committer	Fridolin Somers <fridolin.somers@biblibre.com>
	Thu, 25 Jul 2024 07:58:11 +0000 (09:58 +0200)
commit	289e3a93de1f034f2fad70b162532b75a1318f11
tree	e803fa851a69acb13e14679fe895302944073437	tree \| snapshot
parent	eb0062227ec8cf1bf6b2ce6c8704507cc5e228d6	commit \| diff

Bug 37146: Prevent path traversal by validating input

This patch validates the plugin_name passed to plugin_launcher.pl
against the base path containing the "value_builder" directory.

Test plan:
0. Apply the patch
1. koha-plack --reload kohadev
2. Go to http://localhost:8081/cgi-bin/koha/cataloguing/addbiblio.pl?biblionumber=29
3. Check that the tag editor for leader still works
4. Go to http://localhost:8081/cgi-bin/koha/cataloguing/additem.pl?biblionumber=29
5. Check that the pluginf or "Date acquired" still works

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>

Koha/FrameworkPlugin.pm

diff | blob | history

Main Koha release repository