From b824756407eeeec5ad6e1d55d9b1c17de495b041 Mon Sep 17 00:00:00 2001
From: Amit Gupta <amit.gupta@informaticsglobal.com>
Date: Thu, 11 Jul 2024 23:13:06 +0530
Subject: [PATCH] Bug 37323: Escape characters in patron image picture upload

To Test
1. Create a file name for example: test.zip`curl xxxxtesting.informaticsglobal.com`.zip
   where the domain is one you can watch the logs from.
2. Go to Tools and click on Upload patron images choose option zip file and upload the file.
3. Check /var/log/apache2/access.log and see the curl with the IP
   "xx.xxx.xx.xxx - - [11/Jul/2024:23:10:33 +0530] "GET / HTTP/1.1" 200 267 "-" "curl/7.68.0"
4. Apply the patch
5. Repeat 2 and 3 step and check no error is coming for the Remote execution error.
6. Test uploading actual zip file and images still works.

Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
---
 tools/picture-upload.pl | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tools/picture-upload.pl b/tools/picture-upload.pl
index 1f4c62b5de..0c69a69a43 100755
--- a/tools/picture-upload.pl
+++ b/tools/picture-upload.pl
@@ -95,6 +95,7 @@ if ( ( $op eq 'Upload' ) && ($uploadfile || $uploadfiletext) ) {
 
     my $dirname = File::Temp::tempdir( CLEANUP => 1 );
     my $filesuffix;
+    $uploadfilename =~ s/[^A-Za-z0-9\-\.]//g;
     if ( $uploadfilename =~ m/(\..+)$/i ) {
         $filesuffix = $1;
     }
-- 
2.39.5