Sanitize theme path items

- Sanitize theme style/color/scheme path items
This commit is contained in:
Hypolite Petovan 2019-03-31 21:50:00 -04:00
parent 6aac84dc8e
commit b529c03a20
9 changed files with 65 additions and 50 deletions

View file

@ -30,6 +30,8 @@ use Friendica\Util\Temporal;
function get_theme_config_file($theme) function get_theme_config_file($theme)
{ {
$theme = Strings::sanitizeFilePathItem($theme);
$a = \get_app(); $a = \get_app();
$base_theme = defaults($a->theme_info, 'extends'); $base_theme = defaults($a->theme_info, 'extends');
@ -877,40 +879,30 @@ function settings_content(App $a)
$default_mobile_theme = 'none'; $default_mobile_theme = 'none';
} }
$allowed_themes_str = Config::get('system', 'allowed_themes'); $allowed_themes = Theme::getAllowedList();
$allowed_themes_raw = explode(',', $allowed_themes_str);
$allowed_themes = [];
if (count($allowed_themes_raw)) {
foreach ($allowed_themes_raw as $x) {
if (strlen(trim($x)) && is_dir("view/theme/$x")) {
$allowed_themes[] = trim($x);
}
}
}
$themes = []; $themes = [];
$mobile_themes = ["---" => L10n::t('No special theme for mobile devices')]; $mobile_themes = ["---" => L10n::t('No special theme for mobile devices')];
if ($allowed_themes) { foreach ($allowed_themes as $theme) {
foreach ($allowed_themes as $theme) { $is_experimental = file_exists('view/theme/' . $theme . '/experimental');
$is_experimental = file_exists('view/theme/' . $theme . '/experimental'); $is_unsupported = file_exists('view/theme/' . $theme . '/unsupported');
$is_unsupported = file_exists('view/theme/' . $theme . '/unsupported'); $is_mobile = file_exists('view/theme/' . $theme . '/mobile');
$is_mobile = file_exists('view/theme/' . $theme . '/mobile'); if (!$is_experimental || ($is_experimental && (Config::get('experimentals', 'exp_themes')==1 || is_null(Config::get('experimentals', 'exp_themes'))))) {
if (!$is_experimental || ($is_experimental && (Config::get('experimentals', 'exp_themes')==1 || is_null(Config::get('experimentals', 'exp_themes'))))) { $theme_name = ucfirst($theme);
$theme_name = ucfirst($theme); if ($is_unsupported) {
if ($is_unsupported) { $theme_name = L10n::t('%s - (Unsupported)', $theme_name);
$theme_name = L10n::t("%s - \x28Unsupported\x29", $theme_name); } elseif ($is_experimental) {
} elseif ($is_experimental) { $theme_name = L10n::t('%s - (Experimental)', $theme_name);
$theme_name = L10n::t("%s - \x28Experimental\x29", $theme_name); }
}
if ($is_mobile) { if ($is_mobile) {
$mobile_themes[$theme] = $theme_name; $mobile_themes[$theme] = $theme_name;
} else { } else {
$themes[$theme] = $theme_name; $themes[$theme] = $theme_name;
}
} }
} }
} }
$theme_selected = defaults($_SESSION, 'theme' , $default_theme); $theme_selected = defaults($_SESSION, 'theme' , $default_theme);
$mobile_theme_selected = defaults($_SESSION, 'mobile-theme', $default_mobile_theme); $mobile_theme_selected = defaults($_SESSION, 'mobile-theme', $default_mobile_theme);

View file

@ -1,6 +1,7 @@
<?php <?php
use Friendica\App; use Friendica\App;
use Friendica\Util\Strings;
/** /**
* load view/theme/$current_theme/style.php with friendica context * load view/theme/$current_theme/style.php with friendica context
@ -11,12 +12,15 @@ function view_init(App $a)
{ {
header("Content-Type: text/css"); header("Content-Type: text/css");
if ($a->argc == 4){ if ($a->argc == 4) {
$theme = $a->argv[2]; $theme = $a->argv[2];
$theme = Strings::sanitizeFilePathItem($theme);
// set the path for later use in the theme styles // set the path for later use in the theme styles
$THEMEPATH = "view/theme/$theme"; $THEMEPATH = "view/theme/$theme";
if(file_exists("view/theme/$theme/style.php")) if (file_exists("view/theme/$theme/style.php")) {
require_once("view/theme/$theme/style.php"); require_once("view/theme/$theme/style.php");
}
} }
exit(); exit();

View file

@ -10,12 +10,14 @@ use DOMXPath;
use Exception; use Exception;
use Friendica\Core\Config\Cache\IConfigCache; use Friendica\Core\Config\Cache\IConfigCache;
use Friendica\Core\Config\Configuration; use Friendica\Core\Config\Configuration;
use Friendica\Core\Theme;
use Friendica\Database\DBA; use Friendica\Database\DBA;
use Friendica\Model\Profile; use Friendica\Model\Profile;
use Friendica\Network\HTTPException\InternalServerErrorException; use Friendica\Network\HTTPException\InternalServerErrorException;
use Friendica\Util\Config\ConfigFileLoader; use Friendica\Util\Config\ConfigFileLoader;
use Friendica\Util\HTTPSignature; use Friendica\Util\HTTPSignature;
use Friendica\Util\Profiler; use Friendica\Util\Profiler;
use Friendica\Util\Strings;
use Psr\Log\LoggerInterface; use Psr\Log\LoggerInterface;
/** /**
@ -975,8 +977,6 @@ class App
// Sane default // Sane default
$this->currentTheme = $system_theme; $this->currentTheme = $system_theme;
$allowed_themes = explode(',', $this->config->get('system', 'allowed_themes', $system_theme));
$page_theme = null; $page_theme = null;
// Find the theme that belongs to the user whose stuff we are looking at // Find the theme that belongs to the user whose stuff we are looking at
if ($this->profile_uid && ($this->profile_uid != local_user())) { if ($this->profile_uid && ($this->profile_uid != local_user())) {
@ -1007,8 +1007,9 @@ class App
$theme_name = $user_theme; $theme_name = $user_theme;
} }
$theme_name = Strings::sanitizeFilePathItem($theme_name);
if ($theme_name if ($theme_name
&& in_array($theme_name, $allowed_themes) && in_array($theme_name, Theme::getAllowedList())
&& (file_exists('view/theme/' . $theme_name . '/style.css') && (file_exists('view/theme/' . $theme_name . '/style.css')
|| file_exists('view/theme/' . $theme_name . '/style.php')) || file_exists('view/theme/' . $theme_name . '/style.php'))
) { ) {

View file

@ -8,6 +8,7 @@ namespace Friendica\Core;
use Friendica\BaseObject; use Friendica\BaseObject;
use Friendica\Model\Profile; use Friendica\Model\Profile;
use Friendica\Util\Strings;
require_once 'boot.php'; require_once 'boot.php';
@ -50,6 +51,8 @@ class Theme
*/ */
public static function getInfo($theme) public static function getInfo($theme)
{ {
$theme = Strings::sanitizeFilePathItem($theme);
$info = [ $info = [
'name' => $theme, 'name' => $theme,
'description' => "", 'description' => "",
@ -113,31 +116,37 @@ class Theme
*/ */
public static function getScreenshot($theme) public static function getScreenshot($theme)
{ {
$theme = Strings::sanitizeFilePathItem($theme);
$exts = ['.png', '.jpg']; $exts = ['.png', '.jpg'];
foreach ($exts as $ext) { foreach ($exts as $ext) {
if (file_exists('view/theme/' . $theme . '/screenshot' . $ext)) { if (file_exists('view/theme/' . $theme . '/screenshot' . $ext)) {
return(System::baseUrl() . '/view/theme/' . $theme . '/screenshot' . $ext); return System::baseUrl() . '/view/theme/' . $theme . '/screenshot' . $ext;
} }
} }
return(System::baseUrl() . '/images/blank.png'); return System::baseUrl() . '/images/blank.png';
} }
// install and uninstall theme
public static function uninstall($theme) public static function uninstall($theme)
{ {
Logger::log("Addons: uninstalling theme " . $theme); $theme = Strings::sanitizeFilePathItem($theme);
include_once "view/theme/$theme/theme.php"; // silently fail if theme was removed or if $theme is funky
if (function_exists("{$theme}_uninstall")) { if (file_exists("view/theme/$theme/theme.php")) {
$func = "{$theme}_uninstall"; Logger::log("Addons: uninstalling theme " . $theme);
$func();
if (function_exists("{$theme}_uninstall")) {
$func = "{$theme}_uninstall";
$func();
}
} }
} }
public static function install($theme) public static function install($theme)
{ {
// silently fail if theme was removed $theme = Strings::sanitizeFilePathItem($theme);
// silently fail if theme was removed or if $theme is funky
if (!file_exists("view/theme/$theme/theme.php")) { if (!file_exists("view/theme/$theme/theme.php")) {
return false; return false;
} }
@ -183,10 +192,10 @@ class Theme
$parent = 'NOPATH'; $parent = 'NOPATH';
} }
$theme = \get_app()->getCurrentTheme(); $theme = \get_app()->getCurrentTheme();
$thname = $theme; $parent = Strings::sanitizeFilePathItem($parent);
$ext = substr($file, strrpos($file, '.') + 1); $ext = substr($file, strrpos($file, '.') + 1);
$paths = [ $paths = [
"{$root}view/theme/$thname/$ext/$file", "{$root}view/theme/$theme/$ext/$file",
"{$root}view/theme/$parent/$ext/$file", "{$root}view/theme/$parent/$ext/$file",
"{$root}view/$ext/$file", "{$root}view/$ext/$file",
]; ];
@ -212,6 +221,8 @@ class Theme
*/ */
public static function getStylesheetPath($theme) public static function getStylesheetPath($theme)
{ {
$theme = Strings::sanitizeFilePathItem($theme);
if (!file_exists('view/theme/' . $theme . '/style.php')) { if (!file_exists('view/theme/' . $theme . '/style.php')) {
return 'view/theme/' . $theme . '/style.css'; return 'view/theme/' . $theme . '/style.css';
} }

View file

@ -2,7 +2,7 @@
### A bootstrap based theme for friendica ### A bootstrap based theme for friendica
This Theme was started as an experiment to give the user a good looking and modern theme for friendica. This Theme was started as an experiment to give the user a good looking and modern theme for friendica.
I conentrated on 3 topics: I concentrated on 3 topics:
1. A Modern, mobile friendly UI with bootstrap and awesome font 1. A Modern, mobile friendly UI with bootstrap and awesome font
2. Try to get a new UX for friendica (e.g. use modals where it seems to be useful) 2. Try to get a new UX for friendica (e.g. use modals where it seems to be useful)

View file

@ -19,6 +19,7 @@
*/ */
use Friendica\Core\PConfig; use Friendica\Core\PConfig;
use Friendica\Util\Strings;
function get_scheme_info($scheme) function get_scheme_info($scheme)
{ {
@ -28,6 +29,8 @@ function get_scheme_info($scheme)
$scheme = PConfig::get(local_user(), 'frio', 'scheme', PConfig::get(local_user(), 'frio', 'schema')); $scheme = PConfig::get(local_user(), 'frio', 'scheme', PConfig::get(local_user(), 'frio', 'schema'));
} }
$scheme = Strings::sanitizeFilePathItem($scheme);
$info = [ $info = [
'name' => $scheme, 'name' => $scheme,
'description' => '', 'description' => '',

View file

@ -5,9 +5,11 @@
use Friendica\Core\Config; use Friendica\Core\Config;
use Friendica\Core\PConfig; use Friendica\Core\PConfig;
use Friendica\Util\Strings;
require_once 'view/theme/frio/php/PHPColors/Color.php'; require_once 'view/theme/frio/php/PHPColors/Color.php';
$scheme = '';
$schemecss = ''; $schemecss = '';
$schemecssfile = false; $schemecssfile = false;
$scheme_modified = 0; $scheme_modified = 0;
@ -67,9 +69,7 @@ if (!empty($_REQUEST['scheme'])) {
$scheme = $_REQUEST['scheme']; $scheme = $_REQUEST['scheme'];
} }
// Sanitize the data. $scheme = Strings::sanitizeFilePathItem($scheme);
$scheme = !empty($scheme) ? basename($scheme) : '';
if (($scheme) && ($scheme != '---')) { if (($scheme) && ($scheme != '---')) {
if (file_exists('view/theme/frio/scheme/' . $scheme . '.php')) { if (file_exists('view/theme/frio/scheme/' . $scheme . '.php')) {

View file

@ -26,6 +26,8 @@ if ($quattro_align === false) {
$quattro_align = $site_quattro_align; $quattro_align = $site_quattro_align;
} }
$color = \Friendica\Util\Strings::sanitizeFilePathItem($color);
if (file_exists("$THEMEPATH/$color/style.css")) { if (file_exists("$THEMEPATH/$color/style.css")) {
echo file_get_contents("$THEMEPATH/$color/style.css"); echo file_get_contents("$THEMEPATH/$color/style.css");
} }

View file

@ -22,6 +22,8 @@ if (empty($style)) {
$stylecss = ''; $stylecss = '';
$modified = ''; $modified = '';
$style = \Friendica\Util\Strings::sanitizeFilePathItem($style);
foreach (['style', $style] as $file) { foreach (['style', $style] as $file) {
$stylecssfile = $THEMEPATH . DIRECTORY_SEPARATOR . $file .'.css'; $stylecssfile = $THEMEPATH . DIRECTORY_SEPARATOR . $file .'.css';
if (file_exists($stylecssfile)) { if (file_exists($stylecssfile)) {