From 939079de756fdda1ca8f62c48efe0e2e3034ae32 Mon Sep 17 00:00:00 2001 From: Galen Charlton Date: Sat, 1 Feb 2014 02:11:38 +0000 Subject: [PATCH] Bug 11662: remove disused member-picupload.pl This script is no longer used, and in addition has problematic handling of its parameters that could lead to writing to arbitrary files on the server. To test: [1] Verify that member-picupload.pl is no longer referred to in the codebase after applying this patch. [2] Verify that there are no regressions in patron photo management. Signed-off-by: Galen Charlton Signed-off-by: Chris Cormack Signed-off-by: Katrin Fischer Found no regressions in removing this script. Signed-off-by: Galen Charlton --- members/member-picupload.pl | 77 ------------------------------------- 1 file changed, 77 deletions(-) delete mode 100755 members/member-picupload.pl diff --git a/members/member-picupload.pl b/members/member-picupload.pl deleted file mode 100755 index 75bbea48ca..0000000000 --- a/members/member-picupload.pl +++ /dev/null @@ -1,77 +0,0 @@ -#!/usr/bin/perl - - -# script to upload a picture to a borrowerimages directory. -# checks to see if its either displaying the upload form -# or doing the actual upload. -# written by Waylon Robertson (genjimoto@sourceforge) 2005/08/22 - - -# Copyright 2000-2002 Katipo Communications -# -# This file is part of Koha. -# -# Koha is free software; you can redistribute it and/or modify it under the -# terms of the GNU General Public License as published by the Free Software -# Foundation; either version 2 of the License, or (at your option) any later -# version. -# -# Koha is distributed in the hope that it will be useful, but WITHOUT ANY -# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR -# A PARTICULAR PURPOSE. See the GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License along -# with Koha; if not, write to the Free Software Foundation, Inc., -# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. - -use strict; -use warnings; - -use C4::Auth; -use C4::Context; -use C4::Output; -use CGI; - - -my $input = new CGI; -my $name = $input->param('name'); -my $borrowernumber = $input->param('borrowernumber'); -my $photo = $input->param('photo'); - -my $template_name; -my $htdocs = C4::Context->config('intrahtdocs'); -my $upload_dir = $htdocs."/borrowerimages"; -if($photo eq ""){ - $template_name = "members/member-picupload.tmpl"; -} else { - $template_name = "members/moremember.tmpl"; -} - -my ($template, $loggedinuser, $cookie) - = get_template_and_user({template_name => $template_name, - query => $input, - type => "intranet", - authnotrequired => 0, - flagsrequired => {borrowers => 1}, - debug => 1, - }); -if ($photo){ - - my $filename=$borrowernumber.'.jpg'; - my $upload_filehandle = $input->upload("photo"); - open (my $upload_fh, '>', "$upload_dir/$filename"); - binmode $upload_fh; - while ( <$upload_filehandle> ) - { - print $upload_fh; - } - close $upload_fh; -} -else { - $template->param( - borrowernumber => $borrowernumber, - name => $name - ); - output_html_with_http_headers $input, $cookie, $template->output; -} -print $input->redirect("http://intranet/cgi-bin/koha/members/moremember.pl?borrowernumber=$borrowernumber"); -- 2.39.5