diff options
author | Harald Eilertsen <haraldei@anduin.net> | 2022-03-15 23:42:53 +0100 |
---|---|---|
committer | Harald Eilertsen <haraldei@anduin.net> | 2022-03-20 15:34:17 +0100 |
commit | 30ae198b898a987e0d934a0e049cc6811f500475 (patch) | |
tree | 36c8ec145df293eb7f55394687a72466410ccbde /view/theme/redbasic | |
parent | 1beadfc6e769cfe21d6c3d6c13f7db29210e40fb (diff) | |
download | volse-hubzilla-30ae198b898a987e0d934a0e049cc6811f500475.tar.gz volse-hubzilla-30ae198b898a987e0d934a0e049cc6811f500475.tar.bz2 volse-hubzilla-30ae198b898a987e0d934a0e049cc6811f500475.zip |
CVE-2022-27257: LFI in Redbasic theme.
Limit valid chars in schema names, and discard attempts at loading
schemas with invalid names.
This prevents a local file inclusion vulnerability where an
unauthenticated attacker can include arbitrary php files readable by the
server process and potentially obtain remote code execution.
Valid schema names may consist of ascii letters, numbers, hyphens and
underscores. Should be good enough for most cases, I think.
Fixes https://framagit.org/hubzilla/core/-/issues/1665
Diffstat (limited to 'view/theme/redbasic')
-rw-r--r-- | view/theme/redbasic/php/style.php | 5 |
1 files changed, 2 insertions, 3 deletions
diff --git a/view/theme/redbasic/php/style.php b/view/theme/redbasic/php/style.php index 9cb835ec6..8485c00bc 100644 --- a/view/theme/redbasic/php/style.php +++ b/view/theme/redbasic/php/style.php @@ -36,9 +36,8 @@ if(! App::$install) { // not --- like the mobile theme does instead. // Allow layouts to over-ride the schema - -if($_REQUEST['schema']) { - $schema = $_REQUEST['schema']; +if (isset($_REQUEST['schema']) && preg_match('/^[\w_-]+$/i', $_REQUEST['schema'])) { + $schema = $_REQUEST['schema']; } if (($schema) && ($schema != '---')) { |