From 5aaa108274712440c98b92efdbad8657dccfad24 Mon Sep 17 00:00:00 2001
From: Jonathan Druart
Date: Fri, 19 Jun 2015 10:25:30 +0200
Subject: [PATCH] Bug 14408: Add tests to get_template_and_user

Signed-off-by: Jonathan Druart
Signed-off-by: Katrin Fischer
Signed-off-by: Mason James
---
 t/db_dependent/Auth.t | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/t/db_dependent/Auth.t b/t/db_dependent/Auth.t
index 6a100bc5dc..095029ef60 100644
--- a/t/db_dependent/Auth.t
+++ b/t/db_dependent/Auth.t
@@ -9,6 +9,7 @@ use CGI;
 use Test::MockModule;
 use List::MoreUtils qw/all any none/;
 use Test::More tests => 6;
+use Test::Warn;
 use C4::Members;
 use Koha::AuthUtils qw/hash_password/;
@@ -105,6 +106,27 @@ $dbh->{RaiseError} = 1;
 ok( ( any { $_->name eq 'KohaOpacLanguage' and $_->value eq 'en' } @$cookies ), 'BZ9735: invalid language, then default to en');
+
+ for my $template_name (
+ qw(
+ ../../../../../../../../../../../../../../../etc/passwd
+ test/../../../../../../../../../../../../../../etc/passwd
+ /etc/passwd
+ )
+ ) {
+ eval {
+ ( $template, $loggedinuser, $cookies ) = get_template_and_user(
+ {
+ template_name => $template_name,
+ query => $query,
+ type => "intranet",
+ authnotrequired => 1,
+ flagsrequired => { catalogue => 1 },
+ }
+ );
+ };
+ like ( $@, qr(^bad template path), 'The file $template_name should not be accessible' );
+ }
 }
 my $hash1 = hash_password('password');
-- 
2.39.5
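Review bot: The plan on the context line `use Test::More tests => 6;` is left unchanged although the second hunk adds three `like` assertions, one per loop iteration. The block those assertions land in closes with a bare `}` rather than `};`, so it does not look like a subtest with its own plan; unless the file was already running fewer tests than planned, the run would end with a plan mismatch, so confirm the count and raise it, e.g. `use Test::More tests => 9;`. The newly imported Test::Warn is not used by anything visible in either hunk, so either add the warning assertion it was meant for or drop the `use` line.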
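Review bot: The description passed to `like` is single-quoted, so `$template_name` is not interpolated and all three path cases report the same literal text; a regression in the path check would not say which input was accepted. Use double quotes: `like( $@, qr(^bad template path), "The file $template_name should not be accessible" );`. The loop only covers `type => "intranet"`; if get_template_and_user resolves OPAC templates through a separate branch (not visible here), repeating the same names with `type => "opac"` would pin the rejection on both interfaces. The enclosing block opens outside the hunk.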