From 97867f7783899dc4581da2dbf6c8e15e44435afe Mon Sep 17 00:00:00 2001
From: =?utf8?q?Bernd=20Ble=C3=9Fmann?=
Date: Mon, 28 Sep 2015 23:54:35 +0200
Subject: [PATCH] Auftrags-Controller: PDF-Download: nur Dateien aus session_files erlauben.

Dazu an den Client nur den Dateinamen, nicht den Pfad schicken und vom Client kommende Dateinamen vom Pfad befreien.
---
 SL/Controller/Order.pm | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/SL/Controller/Order.pm b/SL/Controller/Order.pm
index 334d2557f..1878cc7a2 100644
--- a/SL/Controller/Order.pm
+++ b/SL/Controller/Order.pm
@@ -25,6 +25,7 @@ use SL::Helper::CreatePDF qw(:all);
 use List::Util qw(max first);
 use List::MoreUtils qw(none pairwise);
 use English qw(-no_match_vars);
+use File::Spec;
 
 use Rose::Object::MakeMethods::Generic (
@@ -119,8 +120,9 @@ sub action_create_pdf {
 $sfile->fh->print($pdf);
 $sfile->fh->close;
 
- my $tmp_filename = $sfile->file_name;
- my $pdf_filename = t8('Sales Order') . '_' . $self->order->ordnumber . '.pdf';
+ # get temporary session filename with stripped path
+ my (undef, undef, $tmp_filename) = File::Spec->splitpath($sfile->file_name);
+ my $pdf_filename = t8('Sales Order') . '_' . $self->order->ordnumber . '.pdf';
 
 $self->js
 ->run('download_pdf', $tmp_filename, $pdf_filename)
@@ -130,8 +132,11 @@ sub action_create_pdf {
 sub action_download_pdf {
 my ($self) = @_;
 
+ # given tmp_filename should contain no path, so strip if any
+ my (undef, undef, $tmp_filename) = File::Spec->splitpath($::form->{tmp_filename});
+ my $tmp_filename = File::Spec->catfile(SL::SessionFile->new->get_path, $tmp_filename);
 return $self->send_file(
- $::form->{tmp_filename},
+ $tmp_filename,
 type => 'application/pdf',
 name => $::form->{pdf_filename},
 );
-- 
2.20.1
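Review bot: In action_download_pdf the stripped name is now confined to the session directory, but `File::Spec->splitpath` passes `.`, `..` and the empty string through unchanged, so `catfile(get_path, '..')` still resolves to the parent of the session directory; whether send_file can then serve anything from such a path depends on how it opens the file, which is outside the hunk. Reject those values before building the path, e.g. `my (undef, undef, $basename) = File::Spec->splitpath($::form->{tmp_filename} // '');` then `die 'invalid tmp_filename' if $basename eq '' || $basename =~ m{\A\.\.?\z};` and `my $tmp_filename = File::Spec->catfile(SL::SessionFile->new->get_path, $basename);`. Using a distinct name for the stripped component also removes the second `my $tmp_filename` in the same scope, which masks the first declaration and triggers Perl's "masks earlier declaration" warning as written. An allowlist on the expected generated name (for instance `[\w.-]+` ending in `.pdf`) would be tighter still, since the session directory may hold files other than the PDFs this action is meant to serve.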