authorHarald Eilertsen <haraldei@anduin.net>2022-03-15 23:42:53 +0100
committerHarald Eilertsen <haraldei@anduin.net>2022-03-20 15:34:17 +0100
commit30ae198b898a987e0d934a0e049cc6811f500475 (patch)
tree36c8ec145df293eb7f55394687a72466410ccbde
parent1beadfc6e769cfe21d6c3d6c13f7db29210e40fb (diff)
CVE-2022-27257: LFI in Redbasic theme.
Limit valid chars in schema names, and discard attempts at loading schemas with invalid names. This prevents a local file inclusion vulnerability where an unauthenticated attacker can include arbitrary PHP files readable by the server process and potentially obtain remote code execution. Valid schema names may consist of ASCII letters, numbers, hyphens and underscores. Should be good enough for most cases, I think. Fixes https://framagit.org/hubzilla/core/-/issues/1665
-rw-r--r--view/theme/redbasic/php/style.php5
1 files changed, 2 insertions, 3 deletions
diff --git a/view/theme/redbasic/php/style.php b/view/theme/redbasic/php/style.php
index 9cb835ec6..8485c00bc 100644
--- a/view/theme/redbasic/php/style.php
+++ b/view/theme/redbasic/php/style.php
@@ -36,9 +36,8 @@ if(! App::$install) {
// not --- like the mobile theme does instead.
// Allow layouts to over-ride the schema
-
-if($_REQUEST['schema']) {
- $schema = $_REQUEST['schema'];
+if (isset($_REQUEST['schema']) && preg_match('/^[\w_-]+$/i', $_REQUEST['schema'])) {
+ $schema = $_REQUEST['schema'];
}
if (($schema) && ($schema != '---')) {