path: root/LedgerSMB/AM.pm
authortetragon <tetragon@4979c152-3d1c-0410-bac9-87ea11338e46>2006-10-02 04:36:31 +0000
committertetragon <tetragon@4979c152-3d1c-0410-bac9-87ea11338e46>2006-10-02 04:36:31 +0000
commit6c2a94cb4ec73ecbd148b74cbd6c82fb2e171715 (patch)
treeb47d57b41c61f651ef8a803a1c00d9835b56cd91 /LedgerSMB/AM.pm
parent4410a3d62f37dd01feba6aaaa9a1090248aa0d6a (diff)
Adding file location checks to the template editor
git-svn-id: https://ledger-smb.svn.sourceforge.net/svnroot/ledger-smb/trunk@175 4979c152-3d1c-0410-bac9-87ea11338e46
Diffstat (limited to 'LedgerSMB/AM.pm')
-rwxr-xr-xLedgerSMB/AM.pm44
1 files changed, 28 insertions, 16 deletions
diff --git a/LedgerSMB/AM.pm b/LedgerSMB/AM.pm
index adae27b8..142111c1 100755
--- a/LedgerSMB/AM.pm
+++ b/LedgerSMB/AM.pm
@@ -1230,10 +1230,35 @@ sub update_recurring {
}
+sub check_template_name {
+
+ my ($self, $myconfig, $form) = @_;
+
+ my @allowedsuff = qw(css tex txt html xml);
+ if ($form->{file} =~ /\.\./){
+ $form->error("Directory transversal not allowed.");
+ }
+ my $whitelisted = 0;
+ for (@allowedsuff){
+ if ($form->{file} =~ /$_$/){
+ $whitelisted = 1;
+ }
+ }
+ if (!$whitelisted){
+ $form->error("Error: File is of type that is not allowed.");
+ }
+
+ if ($form->{file} !~ /^$myconfig->{templates}/){
+ $form->error("$!: $form->{file}") unless $form->{file} =~ /^css/;
+ }
+}
+
+
sub load_template {
- my ($self, $form) = @_;
+ my ($self, $myconfig, $form) = @_;
+ $self->check_template_name(\%$myconfig, \%$form);
open(TEMPLATE, "$form->{file}") or $form->error("$form->{file} : $!");
while (<TEMPLATE>) {
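Review bot: The suffix whitelist in the new check_template_name does not actually require an extension: `/$_$/` has no literal dot, so any name merely ending in the letters "css"/"tex"/"txt"/"html"/"xml" passes, and `$` also matches before a trailing newline, which is a weak anchor for a value that then reaches the two-argument `open` on the following context line. The directory check has two further gaps: the configured template path is interpolated unescaped into the pattern and matched as a bare prefix (so a sibling directory whose name merely begins with the same string would pass), and `unless $form->{file} =~ /^css/` exempts every relative path beginning with those three letters, not just the css subdirectory; the message on that branch also prints `$!`, which is stale errno unrelated to this test. I would anchor the suffix with `\.(?:css|tex|txt|html|xml)\z`, quote the config value with `\Q...\E` and require the `/` separator, and narrow the bypass to `css/`, as sketched below (the `..` test is kept as is). load_template continues past the end of this hunk.

```perl
sub check_template_name {

	my ($self, $myconfig, $form) = @_;

	# … unchanged: the /\.\./ traversal check …

	# Require a real ".ext" at the true end of the string; /$_$/ accepted
	# "foocss" and a trailing newline.
	if ($form->{file} !~ /\.(?:css|tex|txt|html|xml)\z/){
		$form->error("Error: File is of type that is not allowed.");
	}

	# The config value is interpolated into a pattern, so quote it, and
	# require the separator so a sibling directory sharing the prefix fails.
	(my $tmpldir = $myconfig->{templates}) =~ s{/+\z}{};
	if ($form->{file} !~ m{^\Q$tmpldir\E/} && $form->{file} !~ m{^css/}){
		$form->error("File is outside the template directory: $form->{file}");
	}
}
```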
@@ -1247,22 +1272,9 @@ sub load_template {
sub save_template {
- my ($self, $form) = @_;
-
- my @allowedsuff = qw(css tex txt html xml);
- if ($form->{file} =~ /\.\./){
- $form->error("Directory transversal not allowed.");
- }
- my $whitelisted = 0;
- for (@allowedsuff){
- if ($form->{file} =~ /$_$/){
- $whitelisted = 1;
- }
- }
- if (!$whitelisted){
- $form->error("Error: File is of type that is not allowed.");
- }
+ my ($self, $myconfig, $form) = @_;
+ $self->check_template_name(\%$myconfig, \%$form);
open(TEMPLATE, ">$form->{file}") or $form->error("$form->{file} : $!");
# strip