From 30ae198b898a987e0d934a0e049cc6811f500475 Mon Sep 17 00:00:00 2001
From: Harald Eilertsen <haraldei@anduin.net>
Date: Tue, 15 Mar 2022 23:42:53 +0100
Subject: CVE-2022-27257: LFI in Redbasic theme.

Limit valid chars in schema names, and discard attempts at loading
schemas with invalid names.

This prevents a local file inclusion vulnerability where an
unauthenticated attacker can include arbitrary php files readable by the
server process and potentially obtain remote code execution.

Valid schema names may consist of ascii letters, numbers, hyphens and
underscores. Should be good enough for most cases, I think.

Fixes https://framagit.org/hubzilla/core/-/issues/1665
---
 view/theme/redbasic/php/style.php | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

(limited to 'view')

diff --git a/view/theme/redbasic/php/style.php b/view/theme/redbasic/php/style.php
index 9cb835ec6..8485c00bc 100644
--- a/view/theme/redbasic/php/style.php
+++ b/view/theme/redbasic/php/style.php
@@ -36,9 +36,8 @@ if(! App::$install) {
 // not --- like the mobile theme does instead.
 
 // Allow layouts to over-ride the schema
-
-if($_REQUEST['schema']) {
-	$schema = $_REQUEST['schema'];
+if (isset($_REQUEST['schema']) && preg_match('/^[\w_-]+$/i', $_REQUEST['schema'])) {
+  $schema = $_REQUEST['schema'];
 }
 
 if (($schema) && ($schema != '---')) {
-- 
cgit v1.2.3