git.koha-community.org Git - koha.git/commit

author	Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
	Sun, 29 Jan 2017 14:40:14 +0000 (15:40 +0100)
committer	Julian Maurice <julian.maurice@biblibre.com>
	Fri, 31 Mar 2017 13:20:04 +0000 (15:20 +0200)
commit	093f902eafe4f721f88445ee3f5ef440c9768f30
tree	1e0a4372ae91dc0bf1184b024af024a42f762d82	tree \| snapshot
parent	65b29fdda57d66d8beb105ecaca4fe7eaa1fab50	commit \| diff

Bug 18010: Remove potential exposure from gettemplate

A similar bad template check from C4::Auth::get_template_and_user
should be applied in C4::Templates::gettemplate.

Before this patch it would be possible to expose files like:
my $template = C4::Templates::gettemplate(
    '/etc/passwd', 'intranet', CGI::new, 1
);
print $template->output;

Note that the is_plugin flag in the above call is the culprit. This patch
provides a quick security fix without touching get_template_and_user, and
can be backported to stable branches.
I will provide an enhanced and centralized check on report 17989, also
removing the is_plugin flag.

Note: We allow .pref here too for use in admin/preferences.pl.

Test plan:
[1] Run t/db_dependent/Auth.t (triggering get_template_and_user and
    gettemplate).
[2] Run t/db_dependent/Templates.t again (see first test plan).
    The tests should no longer fail.
[3] Open a page on opac or intranet.
[4] Open a systempreferences tab.
[5] Add a book to the cart and send it ([opac-]sendbasket uses gettemplate).

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>
(cherry picked from commit fbbd4b40f0d71b79194fc186e66f985488be26c6)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
(cherry picked from commit 74fe3f5cda7cac22640f9ae3d68b3d62a6765dc0)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>