From bae5256216f3ad911af3ef4dd944174448c85eaa Mon Sep 17 00:00:00 2001
From: David Cook
Date: Thu, 9 Nov 2023 00:49:54 +0000
Subject: [PATCH] Bug 35291: Validate filepaths in linking files

Validate that the files in linking files are contained within the ZIP.

Signed-off-by: Nick Clemens
Signed-off-by: Aleisha Amohia
Signed-off-by: Tomas Cohen Arazi
---
 tools/upload-cover-image.pl | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/tools/upload-cover-image.pl b/tools/upload-cover-image.pl
index bf43928b58..7ddd13adbc 100755
--- a/tools/upload-cover-image.pl
+++ b/tools/upload-cover-image.pl
@@ -38,6 +38,7 @@ resized, maintaining aspect ratio.
 =cut
 use Modern::Perl;
+use Cwd;
 use File::Temp;
 use CGI qw ( -utf8 );
@@ -187,7 +188,11 @@ if ($fileID) {
 $filename =~ s/[\"\r\n]//g;
 $filename =~ s/^\s+//;
 $filename =~ s/\s+$//;
- my $srcimage = GD::Image->new("$dir/$filename");
+ my $full_filename = Cwd::abs_path("$dir/$filename"); #Resolve any relative filepath references
+ my $srcimage;
+ if ( $full_filename =~ /^\Q$dir\E/ ){
+ $srcimage = GD::Image->new($full_filename);
+ }
 my $biblio;
 my $item;
 if ( defined $srcimage ) {
-- 
2.39.5
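Review bot: The containment check on the added `if ( $full_filename =~ /^\Q$dir\E/ )` line is a bare prefix match, so a resolved path in a sibling directory whose name merely begins with the text of `$dir` still passes it; anchor the prefix at a path separator instead, `if ( defined $full_filename && $full_filename =~ m{\A\Q$dir\E(?:/|\z)} ) {`. The `defined` guard matters because Cwd::abs_path returns undef for a path that does not exist, and the current pattern then matches against an uninitialized value with only a warning before falling through. For the comparison to be like-for-like, `$dir` (set outside the hunk) should presumably also be passed through Cwd::abs_path before the match, since abs_path resolves symlinks on the file side only and a symlinked extraction directory would otherwise make every entry fail the check. A rejected entry is currently skipped silently; a `warn "Skipping $filename: resolved path is outside the extraction directory";` before the closing brace would make the failed check visible in the logs. The enclosing `if ($fileID)` block starts and ends outside the hunk.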