From d0ca53764aebe6055239cd9a0fca53b71ed6afa7 Mon Sep 17 00:00:00 2001
From: David Cook
Date: Thu, 9 Nov 2023 00:23:45 +0000
Subject: [PATCH] Bug 35291: Don't allow symlinks for link files in cover image ZIP

There's no reason to allow symlinks for link files in cover image ZIP files. Preventing their use prevents someone from uploading a symlink pointing to an existing file on the Koha server.

Test plan:
0. Apply patch and restart/reload Koha
1. Create a PNG cover image
2. Create a datalink.txt file that contains something like the following: 29,Untitled.PNG
3. Turn on "LocalCoverImages" system preference
4. Upload via http://localhost:8081/cgi-bin/koha/tools/upload-cover-image.pl
5. Go to http://localhost:8081/cgi-bin/koha/catalogue/detail.pl?biblionumber=29
6. Note the cover image has been uploaded

Signed-off-by: Nick Clemens
Signed-off-by: Aleisha Amohia
Signed-off-by: Tomas Cohen Arazi
Signed-off-by: Jonathan Druart
---
 tools/upload-cover-image.pl | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/tools/upload-cover-image.pl b/tools/upload-cover-image.pl
index 4cab684ae1..eba55bda75 100755
--- a/tools/upload-cover-image.pl
+++ b/tools/upload-cover-image.pl
@@ -141,11 +141,12 @@ if ($fileID) {
 }
 foreach my $dir (@directories) {
 my $file;
- if ( -e "$dir/idlink.txt" ) {
- $file = "$dir/idlink.txt";
- }
- elsif ( -e "$dir/datalink.txt" ) {
- $file = "$dir/datalink.txt";
+ my $idlink = "$dir/idlink.txt";
+ my $datalink = "$dir/datalink.txt";
+ if ( -e $idlink && !-l $idlink ) {
+ $file = $idlink;
+ } elsif ( -e $datalink && !-l $datalink ) {
+ $file = $datalink;
 } else {
 next;
-- 
2.39.5
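Review bot: The `!-l` guard on `$idlink`/`$datalink` closes the link-file case only; the image paths those files name (the `Untitled.PNG` of the test plan) are joined to `$dir` and opened further down, outside this hunk, and presumably need the same symlink rejection plus a check that the name has no `..` or absolute component, otherwise a ZIP entry that is a symlinked image reaches the same server files this patch is closing off — worth confirming against the rest of the loop. A symlinked link file now falls through to `next` with no feedback, so the uploader sees a silently ignored directory; consider recording the reason through whatever error list this script reports, e.g. `push @errors, "Skipped $dir: link file is a symbolic link";` (adjust to the script's actual error mechanism). The `foreach` body continues past the end of the hunk.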