[Patches] [PATCH] Bug 6629 : Follow up to trap vuln in webinstaller and fixing
koha-patchbot at kohaaloha.com
koha-patchbot at kohaaloha.com
Sun Nov 27 21:30:03 NZDT 2011
From: Chris Cormack <chrisc at catalyst.net.nz>
Date: Sun, 27 Nov 2011 21:18:29 +1300
Subject: [PATCH] Bug 6629 : Follow up to trap vuln in webinstaller and fixing
the error
Signed-off-by: Katrin Fischer <Katrin.Fischer.83 at web.de>
Patch fixes problem occurring in web installer.
---
installer/InstallAuth.pm | 18 ++++++++++--------
1 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/installer/InstallAuth.pm b/installer/InstallAuth.pm
index 2c07bbe..10cbea3 100644
--- a/installer/InstallAuth.pm
+++ b/installer/InstallAuth.pm
@@ -117,7 +117,7 @@ sub get_template_and_user {
$tmplbase=~ s/\.tmpl$/.tt/;
my $filename = "$path/modules/" . $tmplbase;
my $interface = 'intranet';
- my $template = C4::Templates->new( $interface, $filename, $tmplbase);
+ my $template = C4::Templates->new( $interface, $filename, $tmplbase, $query);
my ( $user, $cookie, $sessionID, $flags ) = checkauth(
$in->{'query'},
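Review bot: The new fourth argument hands the request object to `C4::Templates->new` with no comment saying what the constructor reads from it, and the matching call in the `checkauth` hunk has to pass `''` as a filler third argument just to reach that position. `$query` is not declared inside this hunk, and the neighbouring `checkauth(` call still uses `$in->{'query'}`, so confirm it is a lexical in `get_template_and_user`, whose body starts and ends outside the hunk. A one-line comment at both call sites would help, for example `# pass the CGI object through; C4::Templates must treat values read from it as untrusted`.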
@@ -158,12 +158,14 @@ sub get_template_and_user {
}
sub _get_template_language {
- #verify if opac language exists in staff (bug 5660)
- #conditions are 1) dir exists and 2) enabled in prefs
- my ($opaclang)= @_;
- return 'en' unless $opaclang;
- my $path= C4::Context->config('intrahtdocs')."/prog/$opaclang";
- -d $path ? $opaclang : 'en';
+
+ #verify if opac language exists in staff (bug 5660)
+ #conditions are 1) dir exists and 2) enabled in prefs
+ my ($opaclang) = @_;
+ return 'en' unless $opaclang;
+ $opaclang =~ s/[^a-zA-Z_-]*//g;
+ my $path = C4::Context->config('intrahtdocs') . "/prog/$opaclang";
+ -d $path ? $opaclang : 'en';
}
=item checkauth
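Review bot: In `_get_template_language` the emptiness check runs before the new `s/[^a-zA-Z_-]*//g`, so a value made up only of stripped characters (dots, slashes, digits) is empty afterwards; `$path` then ends in `/prog/`, which presumably exists, and the sub returns `''` instead of `'en'`. Rejecting the value instead of rewriting it avoids this, and also stops a malformed value from being silently turned into a different language code: `return 'en' unless defined $opaclang && $opaclang =~ /\A[a-zA-Z_-]+\z/;` in place of the `unless` line and the substitution. The header comment still lists "enabled in prefs" as a condition, but only the `-d` test is visible here, so that condition should be either implemented or dropped from the comment.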
@@ -365,7 +367,7 @@ sub checkauth {
my $filename = "$path/modules/$template_name";
$filename =~ s/\.tmpl$/.tt/;
my $interface = 'intranet';
- my $template = C4::Templates->new( $interface, $filename);
+ my $template = C4::Templates->new( $interface, $filename, '', $query);
$template->param(
INPUTS => \@inputs,
--
1.7.5.4