More secure skin param check (#1346)

2017-12-20 22:52:52 +01:00 · 2017-12-20 22:52:52 +01:00 · 931188b15f
commit 931188b15f
parent 35d7e7e2f5
1 changed files with 12 additions and 6 deletions
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Display.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Display.pm
@ -421,14 +421,20 @@ sub getSkin {

    # Check skin GET/POST parameter
    my $skinParam = $req->param('skin');
-    if ( defined $skinParam and !$self->checkXSSAttack( 'skin', $skinParam ) ) {
-        if ( -d $self->conf->{templateDir} . '/' . $skinParam ) {
-            $skin = $skinParam;
-            $self->logger->debug("Skin $skin selected from GET/POST parameter");
+    if ( defined $skinParam ) {
+        if ( $skinParam =~ /^[\w\-]$/ ) {
+            if ( -d $self->conf->{templateDir} . '/' . $skinParam ) {
+                $skin = $skinParam;
+                $self->logger->debug(
+                    "Skin $skin selected from GET/POST parameter");
+            }
+            else {
+                $self->userLogger->error(
+                    "User tries to access to unexistent skin dir $skinParam");
+            }
        }
        else {
-            $self->userLogger->error(
-                "User tries to access to unexistent skin dir $skinParam");
+            $self->userLogger->error("Strange skin parameter: $skinParam");
        }
    }