aboutsummaryrefslogtreecommitdiffstats
path: root/view/theme
diff options
context:
space:
mode:
authorHarald Eilertsen <haraldei@anduin.net>2022-03-15 23:42:53 +0100
committerHarald Eilertsen <haraldei@anduin.net>2022-03-20 15:34:17 +0100
commit30ae198b898a987e0d934a0e049cc6811f500475 (patch)
tree36c8ec145df293eb7f55394687a72466410ccbde /view/theme
parent1beadfc6e769cfe21d6c3d6c13f7db29210e40fb (diff)
downloadvolse-hubzilla-30ae198b898a987e0d934a0e049cc6811f500475.tar.gz
volse-hubzilla-30ae198b898a987e0d934a0e049cc6811f500475.tar.bz2
volse-hubzilla-30ae198b898a987e0d934a0e049cc6811f500475.zip
CVE-2022-27257: LFI in Redbasic theme.
Limit valid chars in schema names, and discard attempts at loading schemas with invalid names. This prevents a local file inclusion vulnerability where an unauthenticated attacker can include arbitrary php files readable by the server process and potentially obtain remote code execution. Valid schema names may consist of ascii letters, numbers, hyphens and underscores. Should be good enough for most cases, I think. Fixes https://framagit.org/hubzilla/core/-/issues/1665
Diffstat (limited to 'view/theme')
-rw-r--r--view/theme/redbasic/php/style.php5
1 files changed, 2 insertions, 3 deletions
diff --git a/view/theme/redbasic/php/style.php b/view/theme/redbasic/php/style.php
index 9cb835ec6..8485c00bc 100644
--- a/view/theme/redbasic/php/style.php
+++ b/view/theme/redbasic/php/style.php
@@ -36,9 +36,8 @@ if(! App::$install) {
// not --- like the mobile theme does instead.
// Allow layouts to over-ride the schema
-
-if($_REQUEST['schema']) {
- $schema = $_REQUEST['schema'];
+if (isset($_REQUEST['schema']) && preg_match('/^[\w_-]+$/i', $_REQUEST['schema'])) {
+ $schema = $_REQUEST['schema'];
}
if (($schema) && ($schema != '---')) {