From f7912f86edfae2bbf55f60cb99388113baa2752e Mon Sep 17 00:00:00 2001
From: Jonathan Druart
Date: Mon, 22 Jun 2015 10:24:51 +0200
Subject: [PATCH] Bug 14408: Allow integers in template paths

Signed-off-by: Jonathan Druart
Signed-off-by: Katrin Fischer
---
 C4/Auth.pm | 2 +-
 t/db_dependent/Auth.t | 11 +++++++++++
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/C4/Auth.pm b/C4/Auth.pm
index 092a1b9d04..fe550ed451 100644
--- a/C4/Auth.pm
+++ b/C4/Auth.pm
@@ -137,7 +137,7 @@ sub get_template_and_user {
     C4::Context->interface($in->{type});
-    my $safe_chars = 'a-zA-Z_\-\/';
+    my $safe_chars = 'a-zA-Z0-9_\-\/';
     die "bad template path" unless $in->{'template_name'} =~ m/^[$safe_chars]+.tt?$/ig; #sanitize input
     $in->{'authnotrequired'} ||= 0;
diff --git a/t/db_dependent/Auth.t b/t/db_dependent/Auth.t
index 095029ef60..de2e396a71 100644
--- a/t/db_dependent/Auth.t
+++ b/t/db_dependent/Auth.t
@@ -127,6 +127,17 @@ $dbh->{RaiseError} = 1;
         };
         like ( $@, qr(^bad template path), 'The file $template_name should not be accessible' );
     }
+    ( $template, $loggedinuser, $cookies ) = get_template_and_user(
+        {
+            template_name => 'errors/500.tt',
+            query => $query,
+            type => "intranet",
+            authnotrequired => 1,
+            flagsrequired => { catalogue => 1 },
+        }
+    );
+    my $file_exists = ( -f $template->(unknown) ) ? 1 : 0;
+    is ( $file_exists, 1, 'The file errors/500.tt should be accessible (contains integers)' );
 }
 my $hash1 = hash_password('password');
-- 
2.39.5
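Review bot: The allow-list now accepts digits, but the sanitizer on the context line right after the changed one, `m/^[$safe_chars]+.tt?$/ig`, still uses an unescaped `.`, so a name such as `foo/xtt` passes as though it carried a `.tt` suffix, and `$` rather than `\z` lets a trailing newline through; `/i` is redundant next to the explicit `a-zA-Z` class and `/g` on a scalar match only sets pos() on the value. I would change that line to `die "bad template path" unless $in->{'template_name'} =~ m/\A[$safe_chars]+\.tt?\z/;`. Since `.` is deliberately absent from `$safe_chars`, a `..` segment cannot be spelled at all, which is what makes this an effective traversal guard; a comment on the `$safe_chars` line such as `# allow-list for template paths: no '.' in the class, so '../' cannot be formed` would keep that intent visible to whoever extends the class next. get_template_and_user continues outside the hunk.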
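Review bot: The new positive test only asserts that a file exists at the path the returned template resolves to; had the sanitizer still rejected `errors/500.tt`, get_template_and_user would `die` and abort the whole script rather than yield a failing assertion, unlike the `eval`/`like` pattern the negative cases just above use. Wrapping the call in `eval { ...; 1 }` and checking `is( $@, '', 'errors/500.tt passes the template path check' )` before the `-f` test would keep the diagnostics symmetrical with those cases. The `-f` operand is printed here as `$template->(unknown)`, which is not a valid method or accessor as written — presumably the page garbled the accessor for the template's resolved file path, so confirm it against the actual file. The ternary feeding `is` could also be simply `ok( -f ..., 'The file errors/500.tt should be accessible (contains integers)' )`, which is shorter with the same diagnostics.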