http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6874
Frère Sébastien Marie <semarie-k...@latrappe.fr> changed:

           What    |Removed |Added
----------------------------------------------------------------------------
                 CC|        |semarie-k...@latrappe.fr

--- Comment #5 from Frère Sébastien Marie <semarie-k...@latrappe.fr> 2011-09-16 13:55:29 UTC ---

Hi,

Just some remarks...

1. Template name

The uploaded template files are:
- upload.tt
- upload_delete_file.tt

'cataloguing/value_builder/upload.pl' uses:

    my $template_name = $result || $delete ? "upload_delete_file.tmpl" : "upload.tmpl";

So the template extensions are bad (in the perl script, I think).

2. A security consideration

In 'cataloguing/value_builder/upload.pl', in the sub "plugin", the template_name could be constructed with an untrusted user parameter ($result).

3. A second security consideration (near same as above)

In 'cataloguing/value_builder/upload.pl', in the sub "plugin", when a file is requested for deletion, the code is:

> unlink("$upload_path/$result")

Please consider that $result comes from untrusted input: $input->param('result'). So if $result contains something like "../../../", any file owned by the http server could be deleted...

4. And a more general security consideration (sorry, professional deformation :-) )

About permitting the upload of arbitrary files... how is the filename treated? Especially the extension? Be careful with a filename like 'test.pl' on a http server that serves perl code (like Koha): this could result in arbitrary command execution. (Same problem for all server-side executable scripts configured on the server, like PHP, perl, python, cgi, SSI, ...)

The minimal security is to advise the administrator who wants to enable this preference to have a special http server configuration for the "upload_path" (in order to disable all script execution, SSI, or others, and not use user configuration in the directory [like .htaccess]).

5. Template remark for modified files (like MARCdetail.tt)

The code added is generally like:

    [% IF ( subfiel.is_url ) %]
      <a href="[% subfiel.marc_value %]">[% subfiel.marc_value |html %]</a>
    [% ELSIF (subfiel.is_url ) %]
      [% subfiel.marc_value %]
    [% ELSE %]
      [% subfiel.marc_value |html %]
    [% END %]

Why a second ELSIF with the same condition as before? (subfiel.is_url)

That's all for now! Thanks.
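As an added illustration of the hardening that remark 3 calls for (this is example code, not from the bug report or from Koha): a deletion helper that accepts only a plain file name and confirms the resolved path still lies inside $upload_path before calling unlink. The function name safe_unlink_upload and the temporary demo directory are assumptions.

```perl
use strict;
use warnings;
use Cwd qw(realpath);
use File::Spec;
use File::Temp qw(tempdir);

# Hypothetical hardened replacement for unlink("$upload_path/$result").
# Returns (1, reason) on success and (0, reason) on refusal.
sub safe_unlink_upload {
    my ($upload_path, $result) = @_;

    # Accept only a bare file name: no '/', no leading dot (so no '..'),
    # and a restricted character set. Everything else is refused up front.
    return (0, 'invalid file name')
        unless defined $result && $result =~ /\A[A-Za-z0-9][A-Za-z0-9._-]*\z/;

    # Canonicalise the upload directory so symlinks cannot move the base.
    my $base = realpath($upload_path)
        or return (0, 'upload path does not exist');

    # Canonicalise the target too; realpath returns undef if it does not exist.
    my $real = realpath(File::Spec->catfile($base, $result));
    return (0, 'file not found') unless defined $real && -f $real;

    # Final containment check: the canonical file must sit under the base.
    return (0, 'outside upload directory') unless index($real, "$base/") == 0;

    unlink($real) or return (0, "unlink failed: $!");
    return (1, 'deleted');
}

# Constructed demonstration: a throw-away upload directory with one file.
my $dir = tempdir(CLEANUP => 1);
open my $fh, '>', "$dir/scan.pdf" or die "cannot create sample file: $!";
close $fh;

for my $name ('scan.pdf', '../../../etc/passwd', '.htaccess', 'missing.pdf') {
    my ($ok, $why) = safe_unlink_upload($dir, $name);
    printf "%-22s => %s (%s)\n", $name, $ok ? 'deleted' : 'refused', $why;
}
```

The realpath step also covers the case where a name passes the regex but points at a symlink planted in the upload directory, which a pure string check on $result would miss.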