[Koha-bugs] [Bug 6874] File upload in MARC

bugzilla-daemon at bugs.koha-community.org
Fri Sep 16 15:55:29 CEST 2011


http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6874

Frère Sébastien Marie <semarie-koha at latrappe.fr> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |semarie-koha at latrappe.fr

--- Comment #5 from Frère Sébastien Marie <semarie-koha at latrappe.fr> 2011-09-16 13:55:29 UTC ---
Hi,

Just some remarks...

1. Template name
The uploaded template files are:
 - upload.tt
 - upload_delete_file.tt

'cataloguing/value_builder/upload.pl' uses:
  my $template_name = $result || $delete ? "upload_delete_file.tmpl" : "upload.tmpl";

So the template extensions are bad (in the Perl script, I think).



2. A security consideration
In 'cataloguing/value_builder/upload.pl', in the sub "plugin", the
template_name could be constructed from an untrusted user parameter ($result).



3. A second security consideration (nearly the same as above)
In 'cataloguing/value_builder/upload.pl', in the sub "plugin", when a file is
requested for deletion, the code is:

> unlink("$upload_path/$result")

Please consider that $result comes from untrusted input: $input->param('result').
So if $result contains something like "../../../", any file owned by the HTTP server
could be deleted...


4. And a more general security consideration (sorry, professional deformation
:-) )

About permitting arbitrary file uploads... how is the filename treated?
Especially the extension? Be careful with a filename like 'test.pl' on an HTTP
server that serves Perl code (like Koha): this could result in arbitrary command
execution. (The same problem applies to all server-side executable scripts
configured on the server, like PHP, Perl, Python, CGI, SSI, ...)

The minimal security is to advise the administrator who wants to enable this
preference to have a special HTTP server configuration for the "upload_path" (in
order to disable all script execution, SSI, or others, and not to use user
configuration in the directory [like .htaccess]).


5. Template remark for modified files (like MARCdetail.tt)

The code added is generally like:

[% IF ( subfiel.is_url ) %]
  <a href="[% subfiel.marc_value %]">[% subfiel.marc_value |html %]</a>
[% ELSIF (subfiel.is_url ) %]
  [% subfiel.marc_value %]
[% ELSE %]
  [% subfiel.marc_value |html %]
[% END %]

Why a second ELSIF with the same condition as before? (subfiel.is_url)


That's all for now!
Thanks.

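The input handling that remarks 3 and 4 above ask for, as an added example that is neither Koha's code nor the commenter's; it assumes an extension allowlist of its own and uses a temporary directory in place of the "upload_path" preference:

```perl
#!/usr/bin/perl
# Added example (not Koha code): the checks that would close remarks 3 and 4.
use strict;
use warnings;
use Cwd qw(realpath);
use File::Spec;
use File::Temp qw(tempdir);

# Assumed allowlist of storable extensions. Even with it, upload_path must be
# served with script execution, SSI and .htaccess overrides disabled.
my %ALLOWED_EXT = map { $_ => 1 } qw(pdf txt jpg jpeg png gif);

# True if $name is a plain file name with an allowed extension. Exactly one
# dot is required: Apache mod_mime examines every extension in a name, so
# "shell.pl.txt" could still reach the CGI handler.
sub is_safe_upload_name {
    my ($name) = @_;
    return 0 unless defined $name;
    return 0 unless $name =~ /\A[A-Za-z0-9_-]+\.([A-Za-z0-9]+)\z/;
    return $ALLOWED_EXT{ lc $1 } ? 1 : 0;
}

# Resolve an untrusted name under $dir; return the real path only if it stays
# inside $dir. realpath() also catches a symlink that points elsewhere.
sub resolve_inside {
    my ($dir, $name) = @_;
    return undef unless is_safe_upload_name($name);
    my $base = realpath($dir) or return undef;
    my $full = realpath(File::Spec->catfile($base, $name)) or return undef;
    return undef unless substr($full, 0, length($base) + 1) eq "$base/";
    return $full;
}

# Safe replacement for unlink("$upload_path/$result"): 1 if deleted, else 0.
sub delete_upload {
    my ($dir, $result) = @_;
    my $file = resolve_inside($dir, $result);
    return 0 unless defined $file;
    return unlink($file) ? 1 : 0;
}

# Demonstration on a constructed temporary directory standing in for upload_path.
my $upload_path = tempdir(CLEANUP => 1);
open my $fh, '>', "$upload_path/scan.pdf" or die "cannot create: $!";
close $fh;
for my $result ('scan.pdf', '../../../etc/passwd', 'backdoor.pl', 'a.pl.txt') {
    my $ok = delete_upload($upload_path, $result);
    printf "%-22s -> %s\n", $result, $ok ? 'deleted' : 'rejected';
}
```

Only 'scan.pdf' is deleted; the traversal name, the '.pl' name and the double-extension name are all rejected before any filesystem call.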