Bug 14408: Allow integers in template paths

Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
(cherry picked from commit f7912f86edfae2bbf55f60cb99388113baa2752e)

Conflicts:
	C4/Auth.pm

diff --git a/C4/Auth.pm b/C4/Auth.pm
index 23311f0..1d3482e 100644 (file)
--- a/C4/Auth.pm
+++ b/C4/Auth.pm
@@ -139,7 +139,7 @@ sub get_template_and_user {
     my $in       = shift;
     my ( $user, $cookie, $sessionID, $flags );
 
-    my $safe_chars = 'a-zA-Z_\-\/';
+    my $safe_chars = 'a-zA-Z0-9_\-\/';
     die "bad template path" unless $in->{'template_name'} =~ m/^[$safe_chars]+.tt?$/ig; #sanitize input
 
     $in->{'authnotrequired'} ||= 0;

diff --git a/t/db_dependent/Auth.t b/t/db_dependent/Auth.t
index 095029e..de2e396 100644 (file)
--- a/t/db_dependent/Auth.t
+++ b/t/db_dependent/Auth.t
@@ -127,6 +127,17 @@ $dbh->{RaiseError} = 1;
         };
         like ( $@, qr(^bad template path), 'The file $template_name should not be accessible' );
     }
+    ( $template, $loggedinuser, $cookies ) = get_template_and_user(
+        {
+            template_name   => 'errors/500.tt',
+            query           => $query,
+            type            => "intranet",
+            authnotrequired => 1,
+            flagsrequired   => { catalogue => 1 },
+        }
+    );
+    my $file_exists = ( -f $template->{filename} ) ? 1 : 0;
+    is ( $file_exists, 1, 'The file errors/500.tt should be accessible (contains integers)' );
 }
 
 my $hash1 = hash_password('password');