Counter counter patch
Please test well, including with the null byte %00, this uses a whitelisting to only allow files ending with .tt
and not allowing ../etc
Note the previous patch tries to protect against /etc/passwd
but //etc/passwd is now vulnerable. I do think a whitelist is safer than trying to do a blacklist
/cgi-bin/koha/svc/virtualshelves/search
/cgi-bin/koha/svc/members/search
Are vulnerable
To test:
1/ Hit /cgi-bin/koha/svc/members/search?template_path=members/tables/members_results.tt
Notice you get a valid JSON response
2/ Hit
/search?template_path=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
(You may have add more ..%2f or remove them to get the correct path)
Notice you can see the contents of the /etc/passwd file
3/ Hit
/cgi-bin/koha/svc/members/search?template_path=test%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
4/ Apply patch
5/ Hit the first url again, notice it still works
6/ Hit the second url notice it now errors with a file not found
7/ Hit the third url notice it now errors with a file not found
Repeat for the other script also
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
C4::Context->interface( $in->{type} );
+ my $safe_chars = 'a-zA-Z_\-\/';
+ die "bad template path" unless $in->{'template_name'} =~ m/^[$safe_chars]+.tt?$/ig; #sanitize input
+
$in->{'authnotrequired'} ||= 0;
my $template = C4::Templates::gettemplate(
$in->{'template_name'},