From 30ae198b898a987e0d934a0e049cc6811f500475 Mon Sep 17 00:00:00 2001 From: Harald Eilertsen Date: Tue, 15 Mar 2022 23:42:53 +0100 Subject: CVE-2022-27257: LFI in Redbasic theme. Limit valid chars in schema names, and discard attempts at loading schemas with invalid names. This prevents a local file inclusion vulnerability where an unauthenticated attacker can include arbitrary php files readable by the server process and potentially obtain remote code execution. Valid schema names may consist of ascii letters, numbers, hyphens and underscores. Should be good enough for most cases, I think. Fixes https://framagit.org/hubzilla/core/-/issues/1665 --- view/theme/redbasic/php/style.php | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) (limited to 'view/theme') diff --git a/view/theme/redbasic/php/style.php b/view/theme/redbasic/php/style.php index 9cb835ec6..8485c00bc 100644 --- a/view/theme/redbasic/php/style.php +++ b/view/theme/redbasic/php/style.php @@ -36,9 +36,8 @@ if(! App::$install) { // not --- like the mobile theme does instead. // Allow layouts to over-ride the schema - -if($_REQUEST['schema']) { - $schema = $_REQUEST['schema']; +if (isset($_REQUEST['schema']) && preg_match('/^[\w_-]+$/i', $_REQUEST['schema'])) { + $schema = $_REQUEST['schema']; } if (($schema) && ($schema != '---')) { -- cgit v1.2.3