From 382b4c2b3da83a8058c3faebc0b0d224a785c2c0 Mon Sep 17 00:00:00 2001
From: Chris Cormack
Date: Sat, 26 Nov 2011 07:39:51 +1300
Subject: [PATCH] Bug 6628 fixing security vulnerability
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit
Signed-off-by: Frère Sébastien Marie
- patch taken from master
- I also corrected two invalid calls to themelanguage (tests are not possible else)
Signed-off-by: Chris Nighswonger
---
 help.pl | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/help.pl b/help.pl
index 7208a8a7cb..bb9c043ac6 100755
--- a/help.pl
+++ b/help.pl
@@ -32,13 +32,15 @@ our $refer = $query->param('url');
 $refer = $query->referer() if !$refer || $refer eq 'undefined';
 $refer =~ /koha\/(.*)\.pl/;
-my $from = "modules/help/$1.tt";
+my $file = $1;
+$file =~ s/[^a-zA-Z0-9_\-\/]*//g;
+my $from = "modules/help/$file.tt";
 my $htdocs = C4::Context->config('intrahtdocs');
-my ( $theme, $lang ) = themelanguage( $htdocs, $from, "intranet", $query );
+my ( $theme, $lang ) = C4::Templates::themelanguage( $htdocs, $from, "intranet", $query );
 unless ( -e "$htdocs/$theme/$lang/$from" ) {
 $from = "modules/help/nohelp.tt";
- ( $theme, $lang ) = themelanguage( $htdocs, $from, "intranet", $query );
+ ( $theme, $lang ) = C4::Templates::themelanguage( $htdocs, $from, "intranet", $query );
 }
 my $template = C4::Templates->new('intranet', "$htdocs/$theme/$lang/$from");
 $template->param( referer => $refer );
-- 
2.39.5
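Review bot: The result of the match on the context line `$refer =~ /koha\/(.*)\.pl/;` is never checked, so on the added line `my $file = $1;` the capture is undef whenever `$refer` (which comes from the untrusted `url` parameter or the Referer header) does not contain `koha/….pl`, and `$1` could also still hold a stale capture from an earlier successful match in an enclosing scope if one exists above the hunk (the start of the file is outside this view). The following `s///` on an undef value only warns and the path collapses to `modules/help/.tt`, which happens to fall through to the nohelp branch, but that relies on an accident rather than a check. I would take the capture straight from the match and default it: `my ($file) = $refer =~ m{koha/(.*)\.pl};` followed by `$file //= '';` (or `$file = '' unless defined $file;` if the file cannot assume 5.10). The quantifier in `s/[^a-zA-Z0-9_\-\/]*//g` should be `+` rather than `*`, which matches the empty string at every position and does extra work for the same result; a short comment such as `# allowlist: dots are stripped, so ".." can never survive into the template path` would record why `/` is allowed while `.` is not.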