From 838de7c597ed06e333817add4eae9fc8b9a7d27b Mon Sep 17 00:00:00 2001
From: David Cook
Date: Fri, 26 Jul 2024 04:01:43 +0000
Subject: [PATCH] Bug 37488: Validate paths in datalink.txt/idlink.txt files

This change validates the paths in datalink.txt/idlink.txt, so that only images in the unpacked archive directory are allowed

Test plan:
0. Apply the patch
1. koha-plack --reload kohadev
2. Create a datalink.txt file with the following:
42,selfie.jpg
3. Create a jpeg at selfie.jpg
4. ZIP the datalink.txt and selfie.jpg files
5. Upload to the "Upload patron images" tool (after enabling the "patronimages" system preference)
6. Note that the image uploads correctly

Signed-off-by: Nick Clemens
Signed-off-by: Marcel de Rooy
Signed-off-by: Tomas Cohen Arazi
(cherry picked from commit 8fcb767fe2836c90ceacb5b5d8211524571eb8aa)
Signed-off-by: Tomas Cohen Arazi
---
tools/picture-upload.pl | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/tools/picture-upload.pl b/tools/picture-upload.pl
index 71d3a26944..809657dc63 100755
--- a/tools/picture-upload.pl
+++ b/tools/picture-upload.pl
@@ -249,7 +249,12 @@ sub handle_dir {
 $cardnumber =~ s/[\"\r\n]//g; # remove offensive characters
 $filename =~ s/[\"\r\n\s]//g;
 $logger->debug("Cardnumber: $cardnumber Filename: $filename");
-$source = "$dir/$filename";
+$source = Cwd::abs_path("$dir/$filename");
+if ( $source !~ /^\Q$dir\E/ ) {
+
+#NOTE: Unset $source if it points to a file outside of this unpacked ZIP archive
+$source = '';
+}
 %counts = handle_file( $cardnumber, $source, $template, %counts );
 }
 closedir $dir_h;
-- 
2.39.5
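Review bot: The containment check `$source !~ /^\Q$dir\E/` is a bare string-prefix test, so any canonical path whose text merely begins with `$dir` (a sibling directory whose name extends `$dir`, and everything beneath it) passes, and because `Cwd::abs_path` resolves symlinks, the comparison will reject every file if `$dir` itself is reached through a symlinked component — hedged, since how `$dir` is built is outside this hunk. Canonicalise the base the same way and require the path separator after it: `my $base = Cwd::abs_path($dir);`, `$source = Cwd::abs_path("$dir/$filename") // '';`, `$source = '' unless defined $base && $source =~ m{^\Q$base\E/};`. `Cwd::abs_path` may also return undef when the named file does not exist, which under `use warnings` makes the current `!~` match emit an uninitialized-value warning before `$source` is cleared; the `// ''` above covers that case. The new line calls `Cwd::abs_path` fully qualified, so confirm the file already loads Cwd (not visible here) rather than relying on another module having pulled it in. handle_dir's body begins and ends outside the hunk.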