[Patches] [PATCH] [3.4.x] Bug 6628 fixing security vulnerability

koha-patchbot at kohaaloha.com koha-patchbot at kohaaloha.com
Mon Nov 28 23:35:02 NZDT 2011


From: Chris Cormack <chrisc at catalyst.net.nz>
Date: Sat, 26 Nov 2011 07:39:51 +1300
Subject: [PATCH] [3.4.x] Bug 6628 fixing security vulnerability
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Frère Sébastien Marie <semarie-koha at latrappe.fr>
 - patch taken from master
 - I also corrected two invalid calls to themelanguage (tests are not possible otherwise)
---
 help.pl |    8 +++++---
 1 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/help.pl b/help.pl
index 7208a8a..bb9c043 100755
--- a/help.pl
+++ b/help.pl
@@ -32,13 +32,15 @@ our $refer = $query->param('url');
 $refer = $query->referer()  if !$refer || $refer eq 'undefined';
 
 $refer =~ /koha\/(.*)\.pl/;
-my $from = "modules/help/$1.tt";
+my $file = $1;
+$file =~ s/[^a-zA-Z0-9_\-\/]*//g;
+my $from = "modules/help/$file.tt";
 
 my $htdocs = C4::Context->config('intrahtdocs');
-my ( $theme, $lang ) = themelanguage( $htdocs, $from, "intranet", $query );
+my ( $theme, $lang ) = C4::Templates::themelanguage( $htdocs, $from, "intranet", $query );
 unless ( -e "$htdocs/$theme/$lang/$from" ) {
     $from = "modules/help/nohelp.tt";
-    ( $theme, $lang ) = themelanguage( $htdocs, $from, "intranet", $query );
+    ( $theme, $lang ) = C4::Templates::themelanguage( $htdocs, $from, "intranet", $query );
 }
 my $template = C4::Templates->new('intranet', "$htdocs/$theme/$lang/$from");
 $template->param( referer => $refer );
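
Review bot: `my $file = $1;` uses the capture without checking that the preceding `$refer =~ /koha\/(.*)\.pl/` actually matched. On a failed match Perl leaves `$1` at whatever the last successful match in scope set it to, or undef, so `$file` can be stale or trigger an uninitialized-value warning in the substitution. Consider taking the capture in list context, for example `my ($file) = $refer =~ /koha\/(.*)\.pl/;`, and setting `$from` to `modules/help/nohelp.tt` directly when it is undefined. Two smaller points on the filter line: the `*` in `[^a-zA-Z0-9_\-\/]*` lets the pattern match the empty string, so `+` or no quantifier states the intent more clearly, and since the filter silently strips characters instead of rejecting the request, a value containing anything outside the allowed set is rewritten into a different help path when it could simply be treated as "no help". A short comment above the substitution saying that it exists to keep `$file` inside `modules/help/` (dots are removed, so `..` cannot survive) would help later readers. Finally, `$template->param( referer => $refer )` in the trailing context still passes the raw, request-derived `$refer` to the template; it is worth confirming that the template escapes it on output.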
-- 
1.7.2.5
