From 3013b10c9a2774391dab423646d35f6b7111f8e2 Mon Sep 17 00:00:00 2001
From: Chris Cormack
Date: Thu, 18 Jul 2024 23:57:32 +0000
Subject: [PATCH] Bug 37323: Don't allow symlinks in link files in zip and validate filepaths

Test plan:
0. Apply patch and restart/reload Koha
1. Test that uploading a patron image still works, in single file format and as a zip
Work as suggested

Signed-off-by: Amit Gupta
Signed-off-by: David Cook
Signed-off-by: Nick Clemens
Signed-off-by: Tomas Cohen Arazi
---
 tools/picture-upload.pl | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/tools/picture-upload.pl b/tools/picture-upload.pl
index 0c69a69a43..f754893f79 100755
--- a/tools/picture-upload.pl
+++ b/tools/picture-upload.pl
@@ -25,6 +25,8 @@ use File::Temp;
 use CGI qw ( -utf8 );
 use GD;
 use MIME::Base64;
+use Cwd;
+
 use C4::Context;
 use C4::Auth qw( get_template_and_user );
 use C4::Output qw( output_and_exit output_html_with_http_headers );
@@ -230,13 +232,15 @@ sub handle_dir {
     my $dir_h;
     opendir $dir_h, $dir;
     while ( my $filename = readdir $dir_h ) {
-        $file = "$dir/$filename"
-          if ( $filename =~ m/datalink\.txt/i
-            || $filename =~ m/idlink\.txt/i );
+
+        if ( ($filename =~ m/datalink\.txt/i
+            || $filename =~ m/idlink\.txt/i ) && ( -e "$dir/$filename" && !-l "$dir/$filename")) {
+            $file = Cwd::abs_path("$dir/$filename");
+        }
     }
     my $fh;
     unless ( open( $fh, '<', $file ) ) {
-        warn "Opening $dir/$file failed!";
+        warn "Opening $file failed!";
         $direrrors{'OPNLINK'} = $file;
         # This error is fatal to the import of this directory contents
         # so bail and return the error to the caller
--
2.39.5
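Review bot: The resolved path in `$file = Cwd::abs_path("$dir/$filename");` is never compared with the directory it was found in, so the hunk only rejects a link file that is itself a symlink; if `$dir` (declared outside the hunk, as is `$file`) can contain a symlinked component taken from the archive, `abs_path` follows it silently and the `open` below reads from wherever it points. Anchoring the result to the directory being processed would make the commit title's "validate filepaths" hold: `my $candidate = Cwd::abs_path("$dir/$filename");` followed by `$file = $candidate if defined $candidate && index( $candidate, Cwd::abs_path($dir) . '/' ) == 0;`. The `defined` guard also covers `abs_path` returning undef, which the current code would pass straight into `open` and report as `Opening  failed!`. Whether subdirectory symlinks are already filtered before `handle_dir` is reached cannot be seen here, and the rest of `handle_dir` begins and ends outside the hunk.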