From 64e47c63dc59669c3c651b93630c470e06107fd6 Mon Sep 17 00:00:00 2001
From: Jonathan Druart
Date: Mon, 22 Jun 2015 10:24:51 +0200
Subject: [PATCH] Bug 14408: Allow integers in template paths

Signed-off-by: Jonathan Druart
Signed-off-by: Katrin Fischer
Signed-off-by: Tomas Cohen Arazi
---
 C4/Auth.pm | 2 +-
 t/db_dependent/Auth.t | 13 ++++++++++++-
 2 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/C4/Auth.pm b/C4/Auth.pm
index b9fe4d3184..34c3f91ffe 100644
--- a/C4/Auth.pm
+++ b/C4/Auth.pm
@@ -158,7 +158,7 @@ sub get_template_and_user {
 C4::Context->interface( $in->{type} );
- my $safe_chars = 'a-zA-Z_\-\/';
+ my $safe_chars = 'a-zA-Z0-9_\-\/';
 die "bad template path" unless $in->{'template_name'} =~ m/^[$safe_chars]+.tt?$/ig; #sanitize input
 $in->{'authnotrequired'} ||= 0;
diff --git a/t/db_dependent/Auth.t b/t/db_dependent/Auth.t
index 8513240b1b..43e1aa8646 100644
--- a/t/db_dependent/Auth.t
+++ b/t/db_dependent/Auth.t
@@ -8,7 +8,7 @@ use Modern::Perl;
 use CGI qw ( -utf8 );
 use Test::MockModule;
 use List::MoreUtils qw/all any none/;
-use Test::More tests => 11;
+use Test::More tests => 12;
 use Test::Warn;
 use C4::Members;
 use Koha::AuthUtils qw/hash_password/;
@@ -127,6 +127,17 @@ $dbh->{RaiseError} = 1;
 };
 like ( $@, qr(^bad template path), 'The file $template_name should not be accessible' );
 }
+ ( $template, $loggedinuser, $cookies ) = get_template_and_user(
+ {
+ template_name => 'errors/500.tt',
+ query => $query,
+ type => "intranet",
+ authnotrequired => 1,
+ flagsrequired => { catalogue => 1 },
+ }
+ );
+ my $file_exists = ( -f $template->{filename} ) ? 1 : 0;
+ is ( $file_exists, 1, 'The file errors/500.tt should be accessible (contains integers)' );
 }
 # Check that there is always an OPACBaseURL set.
-- 
2.39.5
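Review bot: In the C4/Auth.pm hunk, the `die "bad template path"` check that consumes `$safe_chars` is looser than the allow-list suggests: the `.` before `tt` is unescaped, so any single character is accepted there, and `$` also matches before a trailing newline. Since this commit widens the class, it would be a good moment to tighten the pattern to `die "bad template path" unless $in->{'template_name'} =~ m/\A[$safe_chars]+\.tt?\z/i; #sanitize input`, which also drops `/g`, a flag with no purpose in a boolean test. The class still admits a leading `/`, so whether an absolute path is harmless depends on how the name is resolved later in `get_template_and_user`, whose body continues outside the hunk.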
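Review bot: In the second t/db_dependent/Auth.t hunk, the new accept-side case calls `get_template_and_user` without an `eval`, whereas the rejection case just above appears to run inside one, since it asserts on `$@`. If the path check ever rejects `errors/500.tt`, the script dies at that call and the plan aborts instead of reporting this test as failed. Wrapping the call in `eval { ... };` and asserting on `$@` would surface it as an ordinary failure, though the plan count in the first hunk would then need to account for the extra assertion. The ternary plus `is` can also be collapsed to `ok( -f $template->{filename}, 'The file errors/500.tt should be accessible (contains integers)' );`. The enclosing block opens above the hunk.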