From fbbd4b40f0d71b79194fc186e66f985488be26c6 Mon Sep 17 00:00:00 2001 From: Marcel de Rooy Date: Sun, 29 Jan 2017 15:40:14 +0100 Subject: [PATCH] Bug 18010: Remove potential exposure from gettemplate A similar bad template check from C4::Auth::get_template_and_user should be applied in C4::Templates::gettemplate. Before this patch it would be possible to expose files like: my $template = C4::Templates::gettemplate( '/etc/passwd', 'intranet', CGI::new, 1 ); print $template->output; Note that the is_plugin flag in the above call is the culprit. This patch provides a quick security fix without touching get_template_and_user, and can be backported to stable branches. I will provide an enhanced and centralized check on report 17989, also removing the is_plugin flag. Note: We allow .pref here too for use in admin/preferences.pl. Test plan: [1] Run t/db_dependent/Auth.t (triggering get_template_and_user and gettemplate). [2] Run t/db_dependent/Templates.t again (see first test plan). The tests should no longer fail. [3] Open a page on opac or intranet. [4] Open a systempreferences tab. [5] Add a book to the cart and send it ([opac-]sendbasket uses gettemplate). Signed-off-by: Marcel de Rooy Signed-off-by: Chris Cormack Signed-off-by: Jonathan Druart Signed-off-by: Brendan A Gallagher --- C4/Templates.pm | 1 + 1 file changed, 1 insertion(+) diff --git a/C4/Templates.pm b/C4/Templates.pm index 10d028334a..17746e85cf 100644 --- a/C4/Templates.pm +++ b/C4/Templates.pm @@ -171,6 +171,7 @@ sub _get_template_file { sub gettemplate { my ( $tmplbase, $interface, $query, $is_plugin ) = @_; ($query) or warn "no query in gettemplate"; + die "bad template path" unless $tmplbase =~ m/^[a-zA-Z0-9_\-\/]+\.(tt|pref)$/; # Will be extended on bug 17989 my $path = C4::Context->preference('intranet_includes') || 'includes'; my ($htdocs, $theme, $lang, $filename) = _get_template_file($tmplbase, $interface, $query); -- 2.39.5
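Review bot: The added `die` check still accepts absolute paths such as `/etc/anything.tt`, because `/` is in the character class and nothing rejects a leading slash; `..` traversal is blocked (no `.` may appear before the extension), so the filter effectively relies on the `.tt`/`.pref` suffix alone, and whether an absolute path is harmless depends on how `$filename` is derived further down in gettemplate, which is outside the hunk. If plugin callers legitimately pass absolute paths together with `$is_plugin`, record that next to the check, e.g. `# Absolute paths are accepted here for plugin templates; the suffix is the only guard`, so the next reader does not tighten it by accident; otherwise restrict it to a relative name with `die "bad template path" unless $tmplbase =~ m{\A[a-zA-Z0-9_\-][a-zA-Z0-9_\-/]*\.(?:tt|pref)\z};`. Independently of that, `$` also matches before a trailing newline, so `\A`/`\z` anchoring makes the match exact. The body of gettemplate continues past the end of this hunk.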