From fd1d295e6170eead8028fd850427a0635f873e97 Mon Sep 17 00:00:00 2001
From: David Cook
Date: Fri, 26 Jul 2024 04:01:43 +0000
Subject: [PATCH] Bug 37488: Validate paths in datalink.txt/idlink.txt files

This change validates the paths in datalink.txt/idlink.txt, so that only images in the unpacked archive directory are allowed

Test plan:
0. Apply the patch
1. koha-plack --reload kohadev
2. Create a datalink.txt file with the following:
42,selfie.jpg
3. Create a jpeg at selfie.jpg
4. ZIP the datalink.txt and selfie.jpg files
5. Upload to the "Upload patron images" tool (after enabling the "patronimages" system preference)
6. Note that the image uploads correctly

Signed-off-by: Nick Clemens
Signed-off-by: Marcel de Rooy
Signed-off-by: Tomas Cohen Arazi
---
 tools/picture-upload.pl | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/tools/picture-upload.pl b/tools/picture-upload.pl
index 3c4e228f81..1fe071f174 100755
--- a/tools/picture-upload.pl
+++ b/tools/picture-upload.pl
@@ -266,7 +266,12 @@ sub handle_dir {
 $cardnumber =~ s/[\"\r\n]//g; # remove offensive characters
 $filename =~ s/[\"\r\n\s]//g;
 $logger->debug("Cardnumber: $cardnumber Filename: $filename");
- $source = "$dir/$filename";
+ $source = Cwd::abs_path("$dir/$filename");
+ if ( $source !~ /^\Q$dir\E/ ) {
+
+ #NOTE: Unset $source if it points to a file outside of this unpacked ZIP archive
+ $source = '';
+ }
 %counts = handle_file( $cardnumber, $source, $template, %counts );
 }
 closedir $dir_h;
--
2.39.5
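Review bot: The containment test `if ( $source !~ /^\Q$dir\E/ )` is a string-prefix check rather than a directory check, so a resolved path whose leading characters merely equal `$dir` (a sibling directory sharing the prefix) would be accepted; anchor the match on a directory separator, and compare against the canonicalised form of `$dir` as well, because `Cwd::abs_path` on the file side resolves symlinks and relative components that the raw `$dir` may still contain, which would otherwise reject legitimate files. `Cwd::abs_path` can also return undef when the named file does not exist, which then reaches the `!~` as an uninitialized value (it ends up rejected, but with a warning). Something like `my $base = Cwd::abs_path($dir);` / `$source = Cwd::abs_path("$dir/$filename") // '';` / `$source = '' unless defined $base && $source =~ /\A\Q$base\E\//;` covers all three. It is not visible here what `handle_file` does with an empty `$source`, so the `#NOTE` comment could state the expectation explicitly (e.g. `# handle_file is expected to count an empty $source as a missing file — confirm`). `handle_dir` begins and ends outside the hunk.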