C4::Context->interface( $in->{type} );
- my $safe_chars = 'a-zA-Z0-9_\-\/';
- die "bad template path" unless $in->{'template_name'} =~ m/^[$safe_chars]+\.tt$/ig; #sanitize input
-
$in->{'authnotrequired'} ||= 0;
+
+ # the following call includes a bad template check; might croak
my $template = C4::Templates::gettemplate(
$in->{'template_name'},
$in->{'type'},
use C4::Context;
use Koha::Cache::Memory::Lite;
+use Koha::Exceptions;
__PACKAGE__->mk_accessors(qw( theme activethemes preferredtheme lang filename htdocs interface vars));
return ($htdocs, $theme, $lang, $filename);
}
+=head2 badtemplatecheck
+
+ badtemplatecheck( $template_path );
+
+ The sub will throw an exception if the template path is not allowed.
+
+ Note: At this moment the sub is actually a helper routine for
+ sub gettemplate.
+
+=cut
+
+sub badtemplatecheck {
+ my ( $template ) = @_;
+ Koha::Exceptions::NoPermission->throw( 'bad template path' )
+ unless $template =~ m/^[a-zA-Z0-9_\-\/]+\.(tt|pref)$/;
+}
sub gettemplate {
my ( $tmplbase, $interface, $query, $is_plugin ) = @_;
($query) or warn "no query in gettemplate";
- die "bad template path" unless $tmplbase =~ m/^[a-zA-Z0-9_\-\/]+\.(tt|pref)$/; # Will be extended on bug 17989
- my $path = C4::Context->preference('intranet_includes') || 'includes';
my ($htdocs, $theme, $lang, $filename)
= _get_template_file($tmplbase, $interface, $query);
$filename = $tmplbase if ( $is_plugin );
+ badtemplatecheck( $filename ); # single trip for bad templates
my $template = C4::Templates->new($interface, $filename, $tmplbase, $query);
# NOTE: Commenting these out rather than deleting them so that those who need
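Review bot: The pattern in the new `badtemplatecheck` should end with `\z` rather than `$`, because `$` also matches before a trailing newline and a value such as `"about.tt\n"` passes the check as written: `unless $template =~ m{\A[a-zA-Z0-9_\-/]+\.(?:tt|pref)\z};`. In gettemplate the check is now applied to `$filename` only after `_get_template_file` has already been called with the unvalidated `$tmplbase`, whereas the removed `die` line validated `$tmplbase` up front; if `_get_template_file` (its body is outside this hunk) touches the filesystem with that value, moving the call in front of the `my ($htdocs, $theme, $lang, $filename)` line keeps the single check while closing that gap. The character class also now constrains whatever `_get_template_file` returns, so if `$filename` can carry a directory prefix, a `.` in an install path would be rejected — a sentence in the POD stating what `$template_path` is expected to contain (a relative template name, presumably) would document the contract. `badtemplatecheck` also falls off the end of its body; an explicit `return;` after the `throw` statement avoids callers depending on the value of the last expression.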
isa => 'Koha::Exceptions::Exception',
description => 'One or more parameters are wrong',
},
+ 'Koha::Exceptions::NoPermission' => {
+ isa => 'Koha::Exceptions::Exception',
+ description => 'You do not have permission for this action',
+ },
'Koha::Exceptions::CannotAddLibraryLimit' => {
isa => 'Koha::Exceptions::Exception',
description => 'General problem adding a library limit'
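Review bot: The description 'You do not have permission for this action' on the new `Koha::Exceptions::NoPermission` does not match its only use in this patch, where it is thrown for a malformed template path ('bad template path' in C4::Templates), which is an input-validation failure rather than an authorization one; anyone catching or logging the exception by its class and description would be misled. Unless the class is intended for genuine permission failures elsewhere on this bug, throwing the parameter-error class that opens this hunk (description 'One or more parameters are wrong') or adding a dedicated class such as `'Koha::Exceptions::BadTemplatePath' => { isa => 'Koha::Exceptions::Exception', description => 'Template path is not allowed' },` would keep the name and the message consistent with what is being reported.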