From bbb74562c0b170a5c7892b722253c0ba7a71aed8 Mon Sep 17 00:00:00 2001 From: Amit Gupta Date: Thu, 11 Jul 2024 23:13:06 +0530 Subject: [PATCH] Bug 37323: Escape characters in patron image picture upload To Test 1. Create a file name for example: test.zip`curl xxxxtesting.informaticsglobal.com`.zip where the domain is one you can watch the logs from. 2. Go to Tools and click on Upload patron images choose option zip file and upload the file. 3. Check /var/log/apache2/access.log and see the curl with the IP "xx.xxx.xx.xxx - - [11/Jul/2024:23:10:33 +0530] "GET / HTTP/1.1" 200 267 "-" "curl/7.68.0" 4. Apply the patch 5. Repeat 2 and 3 step and check no error is coming for the Remote execution error. 6. Test uploading actual zip file and images still works. Signed-off-by: Chris Cormack Signed-off-by: David Cook Signed-off-by: Nick Clemens Signed-off-by: Tomas Cohen Arazi --- tools/picture-upload.pl | 1 + 1 file changed, 1 insertion(+) diff --git a/tools/picture-upload.pl b/tools/picture-upload.pl index 1f4c62b5de..0c69a69a43 100755 --- a/tools/picture-upload.pl +++ b/tools/picture-upload.pl @@ -95,6 +95,7 @@ if ( ( $op eq 'Upload' ) && ($uploadfile || $uploadfiletext) ) { my $dirname = File::Temp::tempdir( CLEANUP => 1 ); my $filesuffix; + $uploadfilename =~ s/[^A-Za-z0-9\-\.]//g; if ( $uploadfilename =~ m/(\..+)$/i ) { $filesuffix = $1; } -- 2.39.5