From 3bd50e3547773b73bd7e1d8bc44b37df3e149b39 Mon Sep 17 00:00:00 2001 From: Chris Cormack Date: Sat, 1 Feb 2014 15:06:58 +1300 Subject: [PATCH] Bug 11661: sanitize file names supplied to edithelp.pl This patch corrects an issue whereby edithelp.pl could be used to create or modify arbitrary files on the server with the permissions of the Apache user. Signed-off-by: Galen Charlton Signed-off-by: Jonathan Druart Signed-off-by: Galen Charlton (cherry picked from commit 7baf02c263a627b1454577b3141a0af4b8f963d1) Signed-off-by: Fridolin Somers --- edithelp.pl | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/edithelp.pl b/edithelp.pl index de4e9b12c1..62b449f4aa 100755 --- a/edithelp.pl +++ b/edithelp.pl @@ -65,7 +65,9 @@ my ( $template, $loggedinuser, $cookie ) = get_template_and_user( sub _get_filepath ($;$) { my $referer = shift; $referer =~ /koha\/(.*)\.pl/; - my $from = "help/$1.tt"; + my $file = $1; + $file =~ s/[^0-9a-zA-Z_\-\/]*//g; + my $from = "help/$file.tt"; my $htdocs = C4::Context->config('intrahtdocs'); my ($theme, $lang, $availablethemes) = C4::Templates::themelanguage( $htdocs, $from, "intranet", $input ); $debug and print STDERR "help filepath: $htdocs/$theme/$lang/modules/$from"; -- 2.39.5