search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Bug 25898: Prohibit indirect object notation
[koha.git] / plugins / plugins-upload.pl
blobc81e6f175bd3e969e5d5ccd526e605b8d11233ed
1 #!/usr/bin/perl
2
3 #
4 # This file is part of Koha.
5 #
6 # Koha is free software; you can redistribute it and/or modify it
7 # under the terms of the GNU General Public License as published by
8 # the Free Software Foundation; either version 3 of the License, or
9 # (at your option) any later version.
10 #
11 # Koha is distributed in the hope that it will be useful, but
12 # WITHOUT ANY WARRANTY; without even the implied warranty of
13 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 # GNU General Public License for more details.
15 #
16 # You should have received a copy of the GNU General Public License
17 # along with Koha; if not, see <http://www.gnu.org/licenses>.
18
19 use Modern::Perl;
20
21 use Archive::Extract;
22 use CGI qw ( -utf8 );
23 use Mojo::UserAgent;
24 use File::Copy;
25 use File::Temp;
26
27 use C4::Context;
28 use C4::Auth;
29 use C4::Output;
30 use C4::Members;
31 use C4::Debug;
32 use Koha::Plugins;
33
34 my $plugins_enabled = C4::Context->config("enable_plugins");
35
36 my $input = CGI->new;
37
38 my ( $template, $loggedinuser, $cookie ) = get_template_and_user(
39 { template_name => ($plugins_enabled) ? "plugins/plugins-upload.tt" : "plugins/plugins-disabled.tt",
40 query => $input,
41 type => "intranet",
42 flagsrequired => { plugins => 'manage' },
43 debug => 1,
44 }
45 );
46
47 my $uploadfilename = $input->param('uploadfile');
48 my $uploadfile = $input->upload('uploadfile');
49 my $uploadlocation = $input->param('uploadlocation');
50 my $op = $input->param('op') || q{};
51
52 my ( $tempfile, $tfh );
53
54 my %errors;
55
56 if ($plugins_enabled) {
57 if ( ( $op eq 'Upload' ) && ( $uploadfile || $uploadlocation ) ) {
58 my $plugins_dir = C4::Context->config("pluginsdir");
59 $plugins_dir = ref($plugins_dir) eq 'ARRAY' ? $plugins_dir->[0] : $plugins_dir;
60
61 my $dirname = File::Temp::tempdir( CLEANUP => 1 );
62 $debug and warn "dirname = $dirname";
63
64 my $filesuffix;
65 $filesuffix = $1 if $uploadfilename =~ m/(\..+)$/i;
66 ( $tfh, $tempfile ) = File::Temp::tempfile( SUFFIX => $filesuffix, UNLINK => 1 );
67
68 $debug and warn "tempfile = $tempfile";
69
70 $errors{'NOTKPZ'} = 1 if ( $uploadfilename !~ /\.kpz$/i );
71 $errors{'NOWRITETEMP'} = 1 unless ( -w $dirname );
72 $errors{'NOWRITEPLUGINS'} = 1 unless ( -w $plugins_dir );
73
74 if ( $uploadlocation ) {
75 my $ua = Mojo::UserAgent->new(max_redirects => 5);
76 my $tx = $ua->get($uploadlocation);
77 $tx->result->content->asset->move_to($tempfile);
78 } else {
79 $errors{'EMPTYUPLOAD'} = 1 unless ( length($uploadfile) > 0 );
80 }
81
82 if (%errors) {
83 $template->param( ERRORS => [ \%errors ] );
84 } else {
85 if ( $uploadfile ) {
86 while (<$uploadfile>) {
87 print $tfh $_;
88 }
89 close $tfh;
90 }
91
92 my $ae = Archive::Extract->new( archive => $tempfile, type => 'zip' );
93 unless ( $ae->extract( to => $plugins_dir ) ) {
94 warn "ERROR: " . $ae->error;
95 $errors{'UZIPFAIL'} = $uploadfilename;
96 $template->param( ERRORS => [ \%errors ] );
97 output_html_with_http_headers $input, $cookie, $template->output;
98 exit;
99 }
100
101 Koha::Plugins->new()->InstallPlugins();
102 }
103 } elsif ( ( $op eq 'Upload' ) && !$uploadfile && !$uploadlocation ) {
104 warn "Problem uploading file or no file uploaded.";
105 }
106
107 if ( ($uploadfile || $uploadlocation) && !%errors && !$template->param('ERRORS') ) {
108 print $input->redirect("/cgi-bin/koha/plugins/plugins-home.pl");
109 } else {
110 output_html_with_http_headers $input, $cookie, $template->output;
111 }
112
113 } else {
114 output_html_with_http_headers $input, $cookie, $template->output;
115 }
Koha ILS