Merge pull request #748 from mgage/scoringDownloadBug

pstaabp · web-flow · commit 94b4a422bc1d · 2017-06-21T11:24:52.000-04:00
Sanitize ScoringDownload  getFile parameter.  Fixes bug #3793
diff --git a/lib/WeBWorK/ContentGenerator/Instructor/ScoringDownload.pm b/lib/WeBWorK/ContentGenerator/Instructor/ScoringDownload.pm
@@ -34,9 +34,18 @@ sub pre_header_initialize {
 	my $scoringDir = $ce->{courseDirs}->{scoring};
 	my $file       = $r->param('getFile');
 	my $user       = $r->param('user');
-	
+ 
+# the parameter 'getFile" needs to be sanitized. (see bug #3793 )
+# See checkName in FileManager.pm for a more complete sanitization.
 	if ($authz->hasPermissions($user, "score_sets")) {
-		$self->reply_with_file("text/comma-separated-values", "$scoringDir/$file", $file, 0); # 0==don't delete file after downloading
+		if ($file =~ m!/!) {  #
+			$self->addbadmessage("Your file name may not contain a path component");
+		} elsif (($file =~ m!~!)){
+			$self->addbadmessage("Your file name may not contain a tilde. ");
+		} else {
+			$self->reply_with_file("text/comma-separated-values", "$scoringDir/$file", $file, 0); 
+			# 0==don't delete file after downloading
+		}
 	} else {
 		$self->addbadmessage("You do not have permission to access scoring data.");
 	}
