Bug 14408: Allow integers in template paths

Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit 64e47c63dc59669c3c651b93630c470e06107fd6)
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
(cherry picked from commit beedae80631f0f34be341274ee63c6b0aeeb75d6)

Conflicts:
	C4/Auth.pm
	t/db_dependent/Auth.t

diff --git a/C4/Auth.pm b/C4/Auth.pm
index 23311f0..1d3482e 100644 (file)
--- a/C4/Auth.pm
+++ b/C4/Auth.pm
@@ -139,7 +139,7 @@ sub get_template_and_user {
     my $in       = shift;
     my ( $user, $cookie, $sessionID, $flags );
 
-    my $safe_chars = 'a-zA-Z_\-\/';
+    my $safe_chars = 'a-zA-Z0-9_\-\/';
     die "bad template path" unless $in->{'template_name'} =~ m/^[$safe_chars]+.tt?$/ig; #sanitize input
 
     $in->{'authnotrequired'} ||= 0;

diff --git a/t/db_dependent/Auth.t b/t/db_dependent/Auth.t
index 279d8a5..764a30d 100644 (file)
--- a/t/db_dependent/Auth.t
+++ b/t/db_dependent/Auth.t
@@ -8,7 +8,7 @@ use Modern::Perl;
 use CGI;
 use Test::MockModule;
 use List::MoreUtils qw/all any none/;
-use Test::More tests => 9;
+use Test::More tests => 10;
 use Test::Warn;
 use C4::Members;
 use Koha::AuthUtils qw/hash_password/;
@@ -127,6 +127,17 @@ $dbh->{RaiseError} = 1;
         };
         like ( $@, qr(^bad template path), 'The file $template_name should not be accessible' );
     }
+    ( $template, $loggedinuser, $cookies ) = get_template_and_user(
+        {
+            template_name   => 'errors/500.tt',
+            query           => $query,
+            type            => "intranet",
+            authnotrequired => 1,
+            flagsrequired   => { catalogue => 1 },
+        }
+    );
+    my $file_exists = ( -f $template->{filename} ) ? 1 : 0;
+    is ( $file_exists, 1, 'The file errors/500.tt should be accessible (contains integers)' );
 }
 
 my $hash1 = hash_password('password');