From 6549932d59aef3b72a9da29294af0f30ffb77af5 Mon Sep 17 00:00:00 2001
From: Inverle <inverle@proton.me>
Date: Mon, 7 Jul 2025 23:32:35 +0200
Subject: Disallow setting non-existent theme (#7722)

Related: https://github.com/FreshRSS/xExtension-Demo/pull/2, https://github.com/FreshRSS/FreshRSS/pull/7559#issuecomment-2858083635

Mostly to make sure that no one is able to break the demo instance
But the issues below could possibly be exploited in other scenarios too:
* Setting a theme like `../../lib/core-extensions/UserJS`: this directory contains `metadata.json` like themes do, so FreshRSS treats it as a theme after setting it and doesn't load any CSS
* Setting a theme like `x dropdown-menu`: the `dropdown-menu` class was able to get injected into the `<body>` element since https://github.com/FreshRSS/FreshRSS/pull/7559 and turn every page blank
---
 app/Models/Themes.php | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'app/Models')

diff --git a/app/Models/Themes.php b/app/Models/Themes.php
index ef44b0b75..bc220aa50 100644
--- a/app/Models/Themes.php
+++ b/app/Models/Themes.php
@@ -15,6 +15,12 @@ class FreshRSS_Themes extends Minz_Model {
 		));
 	}
 
+	public static function exists(string $theme_id): bool {
+		$theme_dir = PUBLIC_PATH . self::$themesUrl . $theme_id;
+		return str_replace(['..', '/', DIRECTORY_SEPARATOR], '', $theme_id) === $theme_id
+			&& file_exists($theme_dir . '/metadata.json');
+	}
+
 	/** @return array<string,array{id:string,name:string,author:string,description:string,version:float|string,files:array<string>,theme-color?:string|array{dark?:string,light?:string,default?:string}}> */
 	public static function get(): array {
 		$themes_list = self::getList();
-- 
cgit v1.2.3