From 378be559c20c2cb51fe24860499af5f3b0e5a5e5 Mon Sep 17 00:00:00 2001
From: Andreas Jonsson
Date: Thu, 7 Mar 2024 09:12:25 +0000
Subject: [PATCH] Bug 36244: Do template toolkit processing first

To avoid injection of template toolkit code from database fields that are
controlled by untrusted sources.

Test plan:
* review subtest 'Template toolkit syntax in parameters' in t/db_dependent/Letters.t
* Run the unit test: prove t/db_dependent/Letters.t

Signed-off-by: Jonathan Druart
Signed-off-by: Marcel de Rooy
Signed-off-by: Kyle M Hall
Signed-off-by: Katrin Fischer
(cherry picked from commit 07ac3b0b9450f812bb48cfecf7bf3f47f63279b5)
Signed-off-by: Fridolin Somers
---
 C4/Letters.pm | 44 ++++++++++++++++++++++----------------------
 1 file changed, 22 insertions(+), 22 deletions(-)

diff --git a/C4/Letters.pm b/C4/Letters.pm
index a0404ac707..e300c00d51 100644
--- a/C4/Letters.pm
+++ b/C4/Letters.pm
@@ -618,6 +618,28 @@ sub GetPreparedLetter {
             return;
 
     my $want_librarian = $params{want_librarian};
+    $letter->{content} = _process_tt(
+        {
+            content    => $letter->{content},
+            lang       => $lang,
+            loops      => $loops,
+            objects    => $objects,
+            substitute => $substitute,
+            tables     => $tables,
+        }
+    );
+
+    $letter->{title} = _process_tt(
+        {
+            content    => $letter->{title},
+            lang       => $lang,
+            loops      => $loops,
+            objects    => $objects,
+            substitute => $substitute,
+            tables     => $tables,
+        }
+    );
+
     if (%$substitute) {
         while ( my ($token, $val) = each %$substitute ) {
             $val //= q{};
@@ -688,28 +710,6 @@ sub GetPreparedLetter {
         }
     }
 
-    $letter->{content} = _process_tt(
-        {
-            content    => $letter->{content},
-            lang       => $lang,
-            loops      => $loops,
-            objects    => $objects,
-            substitute => $substitute,
-            tables     => $tables,
-        }
-    );
-
-    $letter->{title} = _process_tt(
-        {
-            content    => $letter->{title},
-            lang       => $lang,
-            loops      => $loops,
-            objects    => $objects,
-            substitute => $substitute,
-            tables     => $tables,
-        }
-    );
-
     $letter->{content} =~ s/<<\S*>>//go; #remove any stragglers
 
     return $letter;
-- 
2.39.5
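Review bot: The ordering the first hunk establishes — `_process_tt` on content and title before the `<<...>>` substitution that follows — is the whole defence against TT injection from database-sourced values, yet nothing in the code records that, so a later tidy-up could move the calls back below the substitution loop without tripping anything but the one unit test. A comment above the first `_process_tt` call should state the invariant, e.g. `# Run Template Toolkit before the <<...>> substitution below: the substituted values come from the database and must never be interpreted as TT code (bug 36244).` The two calls also differ only in the field they read and write, so a `for my $field (qw(content title))` loop carrying that comment removes the duplicated argument hash; the old copies removed by the second hunk need no separate change. GetPreparedLetter begins and ends outside both hunks.
```perl
    my $want_librarian = $params{want_librarian};

    # Run Template Toolkit before the <<...>> substitution below: the
    # substituted values come from the database and must never be
    # interpreted as TT code (bug 36244).
    for my $field (qw(content title)) {
        $letter->{$field} = _process_tt(
            {
                content    => $letter->{$field},
                lang       => $lang,
                loops      => $loops,
                objects    => $objects,
                substitute => $substitute,
                tables     => $tables,
            }
        );
    }

    # … unchanged: <<...>> substitution loop …
```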