From 3517a9399588c4b7be6abebfeeb58facab06405f Mon Sep 17 00:00:00 2001
From: Chris Cormack
Date: Sat, 1 Feb 2014 15:06:58 +1300
Subject: [PATCH] Bug 11661: sanitize file names supplied to edithelp.pl

This patch corrects an issue whereby edithelp.pl could be used to create or modify arbitrary files on the server with the permissions of the Apache user.

Signed-off-by: Galen Charlton
Signed-off-by: Jonathan Druart
Signed-off-by: Galen Charlton
---
 edithelp.pl | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/edithelp.pl b/edithelp.pl
index 5cde3149d4..3c7a985680 100755
--- a/edithelp.pl
+++ b/edithelp.pl
@@ -65,7 +65,9 @@ my ( $template, $loggedinuser, $cookie ) = get_template_and_user(
 sub _get_filepath ($;$) {
 my $referer = shift;
 $referer =~ /koha\/(.*)\.pl/;
- my $from = "help/$1.tt";
+ my $file = $1;
+ $file =~ s/[^0-9a-zA-Z_\-\/]*//g;
+ my $from = "help/$file.tt";
 my $htdocs = C4::Context->config('intrahtdocs');
 my ($theme, $lang) = C4::Templates::themelanguage( $htdocs, $from, "intranet", $input );
 $debug and print STDERR "help filepath: $htdocs/$theme/$lang/modules/$from";
-- 
2.39.5
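Review bot: The capture is read without checking that the match succeeded: `my $file = $1;` follows the unchecked `$referer =~ /koha\/(.*)\.pl/;`, so when the referer does not match, `$1` is undef or a value left over from an earlier successful match, and the path is then built from something this request did not supply. Take the capture in list context and stop on no match, for example `my ($file) = $referer =~ /koha\/(.*)\.pl/ or return;` (what callers expect on failure is not visible here, since `_get_filepath` continues past the hunk). The `*` in `s/[^0-9a-zA-Z_\-\/]*//g` also matches the empty string at every position; `tr/0-9a-zA-Z_\-\///cd` states the allowlist more directly. A one-line comment such as `# allowlist drops '.' on purpose so '..' segments cannot survive` would keep a later maintainer from widening the class.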