From 931188b15f19ac4742eb4d6588972366d7f20de5 Mon Sep 17 00:00:00 2001
From: Xavier Guimard
Date: Wed, 20 Dec 2017 22:52:52 +0100
Subject: [PATCH] More secure skin param check (#1346)
---
 .../lib/Lemonldap/NG/Portal/Main/Display.pm | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Display.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Display.pm
index c49dfe8b0..74e155013 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Display.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Display.pm
@@ -421,14 +421,20 @@ sub getSkin {
 # Check skin GET/POST parameter
 my $skinParam = $req->param('skin');
- if ( defined $skinParam and !$self->checkXSSAttack( 'skin', $skinParam ) ) {
- if ( -d $self->conf->{templateDir} . '/' . $skinParam ) {
- $skin = $skinParam;
- $self->logger->debug("Skin $skin selected from GET/POST parameter");
+ if ( defined $skinParam ) {
+ if ( $skinParam =~ /^[\w\-]$/ ) {
+ if ( -d $self->conf->{templateDir} . '/' . $skinParam ) {
+ $skin = $skinParam;
+ $self->logger->debug(
+ "Skin $skin selected from GET/POST parameter");
+ }
+ else {
+ $self->userLogger->error(
+ "User tries to access to unexistent skin dir $skinParam");
+ }
 }
 else {
- $self->userLogger->error(
- "User tries to access to unexistent skin dir $skinParam");
+ $self->userLogger->error("Strange skin parameter: $skinParam");
 }
 }
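Review bot: The new allow-list `if ( $skinParam =~ /^[\w\-]$/ )` has no quantifier on the character class, so it matches only a one-character value; every real skin name longer than that falls into the "Strange skin parameter" branch and the GET/POST skin selection is effectively disabled rather than hardened. The intent is presumably one or more characters, and `$` also tolerates a trailing newline before the directory test, so I would write `if ( $skinParam =~ /\A[\w\-]+\z/ ) {` (or spell the class out as `[A-Za-z0-9_-]` if `\w` may see decoded Unicode here). The else branch still interpolates the rejected, unvalidated value raw into the userLogger message, so control characters from the request reach the log; logging it escaped or truncated would close that. The getSkin body begins before and likely continues after this hunk.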