authorGravatar Inverle <inverle@proton.me> 2025-07-07 23:32:35 +0200
committerGravatar GitHub <noreply@github.com> 2025-07-07 23:32:35 +0200
commit6549932d59aef3b72a9da29294af0f30ffb77af5 (patch)
treee116708c29d14232295a0d7994dd24c9f977b437 /app/Models
parentce22997dfbe4a8f2a6efa6f77d5b0bfc7b2dabd1 (diff)
Disallow setting non-existent theme (#7722)
Related: https://github.com/FreshRSS/xExtension-Demo/pull/2, https://github.com/FreshRSS/FreshRSS/pull/7559#issuecomment-2858083635 Mostly to make sure that no one is able to break the demo instance. But the issues below could possibly be exploited in other scenarios too: * Setting a theme like `../../lib/core-extensions/UserJS`: this directory contains `metadata.json` like themes do, so FreshRSS treats it as a theme after setting it and doesn't load any CSS * Setting a theme like `x dropdown-menu`: the `dropdown-menu` class was able to get injected into the `<body>` element since https://github.com/FreshRSS/FreshRSS/pull/7559 and turned every page blank
Diffstat (limited to 'app/Models')
-rw-r--r--app/Models/Themes.php6
1 files changed, 6 insertions, 0 deletions
diff --git a/app/Models/Themes.php b/app/Models/Themes.php
index ef44b0b75..bc220aa50 100644
--- a/app/Models/Themes.php
+++ b/app/Models/Themes.php
@@ -15,6 +15,12 @@ class FreshRSS_Themes extends Minz_Model {
));
}
+ public static function exists(string $theme_id): bool {
+ $theme_dir = PUBLIC_PATH . self::$themesUrl . $theme_id;
+ return str_replace(['..', '/', DIRECTORY_SEPARATOR], '', $theme_id) === $theme_id
+ && file_exists($theme_dir . '/metadata.json');
+ }
+
/** @return array<string,array{id:string,name:string,author:string,description:string,version:float|string,files:array<string>,theme-color?:string|array{dark?:string,light?:string,default?:string}}> */
public static function get(): array {
$themes_list = self::getList();