From 97867f7783899dc4581da2dbf6c8e15e44435afe Mon Sep 17 00:00:00 2001
From: =?utf8?q?Bernd=20Ble=C3=9Fmann?= <bernd@kivitendo-premium.de>
Date: Mon, 28 Sep 2015 23:54:35 +0200
Subject: [PATCH] Auftrags-Controller: PDF-Download: nur Dateien aus
 session_files erlauben.

Dazu an den Client nur den Dateinamen, nicht den Pfad schicken und vom Client
kommende Dateinamen vom Pfad befreien.
---
 SL/Controller/Order.pm | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/SL/Controller/Order.pm b/SL/Controller/Order.pm
index 334d2557f..1878cc7a2 100644
--- a/SL/Controller/Order.pm
+++ b/SL/Controller/Order.pm
@@ -25,6 +25,7 @@ use SL::Helper::CreatePDF qw(:all);
 use List::Util qw(max first);
 use List::MoreUtils qw(none pairwise);
 use English qw(-no_match_vars);
+use File::Spec;
 
 use Rose::Object::MakeMethods::Generic
 (
@@ -119,8 +120,9 @@ sub action_create_pdf {
   $sfile->fh->print($pdf);
   $sfile->fh->close;
 
-  my $tmp_filename = $sfile->file_name;
-  my $pdf_filename = t8('Sales Order') . '_' . $self->order->ordnumber . '.pdf';
+  # get temporary session filename with stripped path
+  my (undef, undef, $tmp_filename) = File::Spec->splitpath($sfile->file_name);
+  my $pdf_filename =  t8('Sales Order') . '_' . $self->order->ordnumber . '.pdf';
 
   $self->js
     ->run('download_pdf', $tmp_filename, $pdf_filename)
@@ -130,8 +132,11 @@ sub action_create_pdf {
 sub action_download_pdf {
   my ($self) = @_;
 
+  # given tmp_filename should contain no path, so strip if any
+  my (undef, undef, $tmp_filename) = File::Spec->splitpath($::form->{tmp_filename});
+  my $tmp_filename = File::Spec->catfile(SL::SessionFile->new->get_path, $tmp_filename);
   return $self->send_file(
-    $::form->{tmp_filename},
+    $tmp_filename,
     type => 'application/pdf',
     name => $::form->{pdf_filename},
   );
-- 
2.20.1