Bug 14408: Allow integers in template paths

Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

diff --git a/C4/Auth.pm b/C4/Auth.pm
index b9fe4d3..34c3f91 100644 (file)
--- a/C4/Auth.pm
+++ b/C4/Auth.pm
@@ -158,7 +158,7 @@ sub get_template_and_user {
 
     C4::Context->interface( $in->{type} );
 
-    my $safe_chars = 'a-zA-Z_\-\/';
+    my $safe_chars = 'a-zA-Z0-9_\-\/';
     die "bad template path" unless $in->{'template_name'} =~ m/^[$safe_chars]+.tt?$/ig; #sanitize input
 
     $in->{'authnotrequired'} ||= 0;

diff --git a/t/db_dependent/Auth.t b/t/db_dependent/Auth.t
index 8513240..43e1aa8 100644 (file)
--- a/t/db_dependent/Auth.t
+++ b/t/db_dependent/Auth.t
@@ -8,7 +8,7 @@ use Modern::Perl;
 use CGI qw ( -utf8 );
 use Test::MockModule;
 use List::MoreUtils qw/all any none/;
-use Test::More tests => 11;
+use Test::More tests => 12;
 use Test::Warn;
 use C4::Members;
 use Koha::AuthUtils qw/hash_password/;
@@ -127,6 +127,17 @@ $dbh->{RaiseError} = 1;
         };
         like ( $@, qr(^bad template path), 'The file $template_name should not be accessible' );
     }
+    ( $template, $loggedinuser, $cookies ) = get_template_and_user(
+        {
+            template_name   => 'errors/500.tt',
+            query           => $query,
+            type            => "intranet",
+            authnotrequired => 1,
+            flagsrequired   => { catalogue => 1 },
+        }
+    );
+    my $file_exists = ( -f $template->{filename} ) ? 1 : 0;
+    is ( $file_exists, 1, 'The file errors/500.tt should be accessible (contains integers)' );
 }
 
 # Check that there is always an OPACBaseURL set.