$in->{'template_name'},
$in->{'type'},
$in->{'query'},
- $in->{'is_plugin'}
);
if ( $in->{'template_name'} !~ m/maintenance/ ) {
my ($theme, $lang, $availablethemes) = themelanguage($htdocs, $tmplbase, $interface, $query);
$lang //= 'en';
$theme //= '';
- my $filename = "$htdocs/$theme/$lang/modules/$tmplbase";
+ $tmplbase = "$htdocs/$theme/$lang/modules/$tmplbase" if $tmplbase !~ /^\//;
+ # do not prefix an absolute path
- return ($htdocs, $theme, $lang, $filename);
+ return ( $htdocs, $theme, $lang, $tmplbase );
}
=head2 badtemplatecheck
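Review bot: The new condition on the `$tmplbase = ... if $tmplbase !~ /^\//;` line returns any absolute path unprefixed for every caller, where before only the `is_plugin` branch in `gettemplate` did so; this leaves `badtemplatecheck` as the only check between a caller-supplied path and the template loader. That dependency should be stated where the bypass happens: move the trailing `# do not prefix an absolute path` above the statement and extend it to `# Absolute paths are returned as-is; callers must run badtemplatecheck on the result before loading it.` Any other caller of `_get_template_file` that skips `badtemplatecheck` would presumably load the file unchecked, so it is worth confirming that `gettemplate` is the only one. As a style point, `m{\A/}` says the same thing without the escaped slash. The sub begins above the hunk.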
}
sub gettemplate {
- my ( $tmplbase, $interface, $query, $is_plugin ) = @_;
+ my ( $tmplbase, $interface, $query ) = @_;
($query) or warn "no query in gettemplate";
my ($htdocs, $theme, $lang, $filename)
= _get_template_file($tmplbase, $interface, $query);
- $filename = $tmplbase if ( $is_plugin );
badtemplatecheck( $filename ); # single trip for bad templates
my $template = C4::Templates->new($interface, $filename, $tmplbase, $query);
require C4::Auth;
+ my $template_name = $args->{'file'} // '';
+ # if not absolute, call mbf_path, which dies if file does not exist
+ $template_name = $self->mbf_path( $template_name )
+ if $template_name !~ m/^\//;
my ( $template, $loggedinuser, $cookie ) = C4::Auth::get_template_and_user(
- { template_name => abs_path( $self->mbf_path( $args->{'file'} ) ),
+ { template_name => $template_name,
query => $self->{'cgi'},
type => "intranet",
authnotrequired => 1,
- is_plugin => 1,
}
);
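Review bot: The rewritten `template_name` no longer goes through `abs_path`, so `get_template_and_user` receives whatever `mbf_path` returns, or the caller's absolute `file` argument verbatim, with symlinks and relative segments unresolved. Whether that is safe depends on how `badtemplatecheck` (not visible here) compares the path with the allowed directories, so the directory test should be confirmed to run on a canonical path. Keeping the old canonicalisation for the relative branch costs nothing: `$template_name = abs_path( $self->mbf_path( $template_name ) ) if $template_name !~ m/^\//;`, assuming `abs_path` is still imported in this file. Because of the `// ''` default, a missing `file` argument also falls into the `mbf_path` branch and presumably dies there with a message about a missing file; an explicit check would give plugin authors a clearer error.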
use Koha;
my $query = new CGI;
-my $template = C4::Templates::gettemplate( 'maintenance.tt', 'opac', $query, 0 );
+my $template = C4::Templates::gettemplate( 'maintenance.tt', 'opac', $query );
my $koha_db_version = C4::Context->preference('Version');
my $kohaversion = Koha::version();
}
);
};
- like ( $@, qr(^bad template path), 'The file $template_name should not be accessible' );
+ like ( $@, qr(^bad template path), "The file $template_name should not be accessible" );
}
( $template, $loggedinuser, $cookies ) = get_template_and_user(
{
use Modern::Perl;
-use Test::More tests => 31;
+use Test::More tests => 32;
+use CGI;
use File::Basename;
-use File::Temp qw( tempdir );
+use File::Spec;
+use File::Temp qw( tempdir tempfile );
use FindBin qw($Bin);
use Archive::Extract;
use Module::Load::Conditional qw(can_load);
+use Test::MockModule;
use C4::Context;
use t::lib::Mocks;
use_ok('Koha::Plugin::Test');
}
+my $mock_plugin = Test::MockModule->new( 'Koha::Plugin::Test' );
+$mock_plugin->mock( 'test_template', sub {
+ my ( $self, $file ) = @_;
+ my $template = $self->get_template({ file => $file });
+ $template->param( filename => $file );
+ return $template->output;
+});
+
ok( can_load( modules => { "Koha::Plugin::Test" => undef } ), 'Test can_load' );
-my $plugin = Koha::Plugin::Test->new({ enable_plugins => 1});
+my $plugin = Koha::Plugin::Test->new({ enable_plugins => 1, cgi => CGI->new });
isa_ok( $plugin, "Koha::Plugin::Test", 'Test plugin class' );
isa_ok( $plugin, "Koha::Plugins::Base", 'Test plugin parent class' );
is( $plugin->get_qualified_table_name('mytable'), 'koha_plugin_test_mytable', 'Test $plugin->get_qualified_table_name()' );
is( $plugin->get_plugin_http_path(), '/plugin/Koha/Plugin/Test', 'Test $plugin->get_plugin_http_path()' );
+# test absolute path change in get_template with Koha::Plugin::Test
+# using the mock set before
+# we also add tmpdir as an approved template dir
+t::lib::Mocks::mock_config( 'pluginsdir', [ File::Spec->tmpdir ] );
+my ( $fh, $fn ) = tempfile( SUFFIX => '.tt', UNLINK => 1 );
+print $fh 'I am [% filename %]';
+close $fh;
+my $classname = ref($plugin);
+like( $plugin->test_template($fn), qr/^I am $fn/, 'Template works' );
+
# testing GetPlugins
my @plugins = Koha::Plugins->new({ enable_plugins => 1 })->GetPlugins({
method => 'report'
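Review bot: The assertion `like( $plugin->test_template($fn), qr/^I am $fn/, 'Template works' );` interpolates the temp file name into the pattern unquoted, so the `.` in `.tt` and any other metacharacter in the tmpdir path is read as regex syntax; `qr/^I am \Q$fn\E/` matches the literal path. `my $classname = ref($plugin);` is not used in the visible lines and can be dropped. `print $fh ...` and `close $fh` are unchecked, so a failed write would show up as a confusing template assertion failure instead of an I/O error; `close $fh or die "close $fn: $!";` is enough.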
use CGI;
-use Test::More tests => 7;
+use Test::More tests => 8;
use Test::Deep;
use Test::MockModule;
use Test::Warn;
+use File::Spec;
+use File::Temp qw/tempfile/;
use t::lib::Mocks;
+use C4::Auth qw//;
+
BEGIN {
use_ok( 'C4::Templates' );
can_ok( 'C4::Templates',
my $cgi = CGI->new;
my $template;
- warning_like { eval { $template = C4::Templates::gettemplate( '/etc/passwd', 'opac', $cgi, 1 ) }; warn $@ if $@; } qr/bad template/, 'Bad template check';
+ warning_like { eval { $template = C4::Templates::gettemplate( '/etc/passwd', 'opac', $cgi ) }; warn $@ if $@; } qr/bad template/, 'Bad template check';
is( $template ? $template->output: '', '', 'Check output' );
# Test a few more bad paths to gettemplate triggering badtemplatecheck
- warning_like { eval { C4::Templates::gettemplate( '../topsecret.tt', 'opac', $cgi, 1 ) }; warn $@ if $@; } qr/bad template/, 'No safe chars';
- warning_like { eval { C4::Templates::gettemplate( '/noaccess/topsecret.tt', 'opac', $cgi, 1 ) }; warn $@ if $@; } qr/bad template/, 'Directory not allowed';
- warning_like { eval { C4::Templates::gettemplate( C4::Context->config('intrahtdocs') . '2/prog/en/modules/about.tt', 'intranet', $cgi, 1 ) }; warn $@ if $@; } qr/bad template/, 'Directory not allowed too';
+ warning_like { eval { C4::Templates::gettemplate( '../topsecret.tt', 'opac', $cgi ) }; warn $@ if $@; } qr/bad template/, 'No safe chars';
+ warning_like { eval { C4::Templates::gettemplate( '/noaccess/topsecret.tt', 'opac', $cgi ) }; warn $@ if $@; } qr/bad template/, 'Directory not allowed';
+ warning_like { eval { C4::Templates::gettemplate( C4::Context->config('intrahtdocs') . '2/prog/en/modules/about.tt', 'intranet', $cgi ) }; warn $@ if $@; } qr/bad template/, 'Directory not allowed too';
# Allow templates from /tmp
t::lib::Mocks::mock_config( 'pluginsdir', [ '/tmp' ] );
warning_like { eval { C4::Templates::badtemplatecheck( '/tmp/about.tmpl' ) }; warn $@ if $@; } qr/bad template/, 'Warn on bad extension';
};
+subtest "Absolute path change in _get_template_file" => sub {
+ plan tests => 1;
+
+ # We create a simple template in /tmp.
+ # We simulate an anonymous OPAC session; the OPACBaseURL template variable
+ # should be filled by get_template_and_user.
+ t::lib::Mocks::mock_config( 'pluginsdir', [ File::Spec->tmpdir ] );
+ t::lib::Mocks::mock_preference( 'OPACBaseURL', 'without any doubt' );
+ my ( $fh, $fn ) = tempfile( SUFFIX => '.tt', UNLINK => 1 );
+ print $fh q|I am a [% quality %] template [% OPACBaseURL %]|;
+ close $fh;
+ my ( $template, $login, $cookie ) = C4::Auth::get_template_and_user({
+ template_name => $fn,
+ query => CGI::new,
+ type => "opac",
+ authnotrequired => 1,
+ });
+ $template->param( quality => 'good-for-nothing' );
+ like( $template->output, qr/a good.+template.+doubt/, 'Testing a template with an absolute path' );
+};
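Review bot: In the new subtest, `query => CGI::new,` calls the constructor as a plain function with no invocant, which works only if CGI falls back to a default class; `query => CGI->new,` matches the `my $cgi = CGI->new;` used earlier in this file. The block above mocks `pluginsdir` as `[ '/tmp' ]` while this subtest uses `[ File::Spec->tmpdir ]`; using `File::Spec->tmpdir` in both keeps the allowed directory and the `tempfile` location in agreement when TMPDIR points elsewhere. `print $fh` and `close $fh` are unchecked here as well, and `close $fh or die "close $fn: $!";` would turn a failed write into a clear error.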