my $htdocs = C4::Context->config($is_intranet ? 'intrahtdocs' : 'opachtdocs');
my ($theme, $lang, $availablethemes) = themelanguage($htdocs, $tmplbase, $interface, $query);
$lang //= 'en';
+ $theme //= '';
my $filename = "$htdocs/$theme/$lang/modules/$tmplbase";
return ($htdocs, $theme, $lang, $filename);
sub badtemplatecheck {
my ( $template ) = @_;
- Koha::Exceptions::NoPermission->throw( 'bad template path' )
- unless $template =~ m/^[a-zA-Z0-9_\-\/]+\.(tt|pref)$/;
+ if( !$template || $template !~ m/^[a-zA-Z0-9_\-\/]+\.(tt|pref)$/ ) {
+ # This also includes two dots
+ Koha::Exceptions::NoPermission->throw( 'bad template path' );
+ } else {
+ # Check allowed dirs
+ my $dirs = C4::Context->config("pluginsdir");
+ $dirs = [ $dirs ] if !ref($dirs);
+ unshift @$dirs, C4::Context->config('opachtdocs'), C4::Context->config('intrahtdocs');
+ my $found = 0;
+ foreach my $dir ( @$dirs ) {
+ $dir .= '/' if $dir !~ m/\/$/;
+ $found++ if $template =~ m/^$dir/;
+ last if $found;
+ }
+ Koha::Exceptions::NoPermission->throw( 'bad template path' ) if !$found;
+ }
}
sub gettemplate {
return;
};
-subtest 'Testing gettemplate' => sub {
- plan tests => 2;
+subtest 'Testing gettemplate/badtemplatecheck' => sub {
+ plan tests => 7;
+ my $cgi = CGI->new;
my $template;
- warning_like { eval { $template = C4::Templates::gettemplate( '/etc/passwd', 'opac', CGI->new, 1 ) }; warn $@ if $@; } qr/bad template/, 'Bad template check';
+ warning_like { eval { $template = C4::Templates::gettemplate( '/etc/passwd', 'opac', $cgi, 1 ) }; warn $@ if $@; } qr/bad template/, 'Bad template check';
is( $template ? $template->output: '', '', 'Check output' );
+
+ # Test a few more bad paths to gettemplate triggering badtemplatecheck
+ warning_like { eval { C4::Templates::gettemplate( '../topsecret.tt', 'opac', $cgi, 1 ) }; warn $@ if $@; } qr/bad template/, 'No safe chars';
+ warning_like { eval { C4::Templates::gettemplate( '/noaccess/topsecret.tt', 'opac', $cgi, 1 ) }; warn $@ if $@; } qr/bad template/, 'Directory not allowed';
+ warning_like { eval { C4::Templates::gettemplate( C4::Context->config('intrahtdocs') . '2/prog/en/modules/about.tt', 'intranet', $cgi, 1 ) }; warn $@ if $@; } qr/bad template/, 'Directory not allowed too';
+
+ # Allow templates from /tmp
+ t::lib::Mocks::mock_config( 'pluginsdir', [ '/tmp' ] );
+ warning_like { eval { C4::Templates::badtemplatecheck( '/tmp/about.tt' ) }; warn $@ if $@; } undef, 'No warn on template from plugin dir';
+ # Refuse wrong extension
+ warning_like { eval { C4::Templates::badtemplatecheck( '/tmp/about.tmpl' ) }; warn $@ if $@; } qr/bad template/, 'Warn on bad extension';
};