From 8664d195671c1a65af7b205b14099c1581c0500b Mon Sep 17 00:00:00 2001 From: Chris Cormack Date: Sat, 26 Nov 2011 07:39:51 +1300 Subject: [PATCH] Bug 6628 : Stopping a potential vulnerability MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Signed-off-by: Frère Sébastien Marie Signed-off-by: Katrin Fischer - verified help pages still work - verified /cgi-bin/koha/help.pl?url=koha/../catalogue/advsearch.pl does not show the template file (did work on master, not after applying patch) - verified cgi-bin/koha/help.pl?url=koha/../../../../../../etc/passwd%00.pl does not work (didn't work on master or after applying patch) Signed-off-by: Paul Poulain The potential vulnerability would allow anyone to see the content of any .tt file, and .tt only. Was much less critical than the vulnerability for 6629, but it's worth fixing ! --- help.pl | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/help.pl b/help.pl index 18d27ddee4..97f3462fa0 100755 --- a/help.pl +++ b/help.pl @@ -32,7 +32,9 @@ our $refer = $query->param('url'); $refer = $query->referer() if !$refer || $refer eq 'undefined'; $refer =~ /koha\/(.*)\.pl/; -my $from = "help/$1.tt"; +my $file = $1; +$file =~ s/[^a-zA-Z0-9_\-\/]*//g; +my $from = "help/$file.tt"; my $template = C4::Templates::gettemplate($from, 'intranet', $query); $template->param( referer => $refer ); -- 2.39.5