Fix allowed file test strict

3130144#r73666384
webmin · May 14, 2022 · f382eff · f382eff
1 parent 3f3f2d4
commit f382eff
Show file tree

Hide file tree

Showing 5 changed files with 43 additions and 32 deletions.
diff --git a/settings-backgrounds.cgi b/settings-backgrounds.cgi
@@ -13,12 +13,8 @@ do("$ENV{'THEME_ROOT'}/authentic-lib.pl");
 
 &webmin_user_is_admin() ||
   &error($theme_text{'theme_error_access_not_root_user'});
-if ($in{'file'}) {
-  &is_under_directory("$config_directory/$current_theme", $in{'file'}) ||
-    &error($theme_text{'theme_error_access_dir_not_allowed'});
-}
 
-&ui_print_header(html_escape($in{'file'}), $theme_text{'theme_xhred_settings_right_theme_bgs_title'}, undef, undef, undef, 1);
+&ui_print_header(undef, $theme_text{'theme_xhred_settings_right_theme_bgs_title'}, undef, undef, undef, 1);
 
 my $bg_content = $config_directory . "/$current_theme/background_content.png";
 

diff --git a/settings-editor_read.cgi b/settings-editor_read.cgi
@@ -10,22 +10,21 @@ use strict;
 our (%in, $current_theme, $config_directory, $get_user_level, $remote_user, %theme_text);
 
 do("$ENV{'THEME_ROOT'}/authentic-lib.pl");
+do("$ENV{'THEME_ROOT'}/settings-lib.pl");
 
-&webmin_user_is_admin() ||
-  &error($theme_text{'theme_error_access_not_root_user'});
+my @files = get_settings_editor_files();
+
+webmin_user_is_admin() ||
+  error($theme_text{'theme_error_access_not_root_user'});
 if ($in{'file'}) {
-  &is_under_directory("$config_directory/$current_theme", $in{'file'}) ||
-    &error($theme_text{'theme_error_access_dir_not_allowed'});
+  array_contains(\@files, $in{'file'}) ||
+    error($theme_text{'theme_error_access_dir_not_allowed'});
 }
-my @files = ($config_directory . "/$current_theme/styles.css",
-             $config_directory . "/$current_theme/scripts.js",
-             $config_directory . "/$current_theme/scripts.pl",
-             $config_directory . "/$current_theme/favorites-$remote_user.json",
-             $config_directory . "/$current_theme/custom-lang");
+
 my $file = html_escape($in{'file'});
 $file = $files[0] if (!$file);
-&ui_print_header(undef, $theme_text{'settings_right_theme_extensions_title'}, undef, undef, undef, 1);
-print '' . &theme_text('settings_right_extensions_title') . '
+ui_print_header(undef, $theme_text{'settings_right_theme_extensions_title'}, undef, undef, undef, 1);
+print '' . theme_text('settings_right_extensions_title') . '
             <p></p>';
 print "<form action=\"settings-editor_read.cgi\" method=\"get\" class=\"margined-bottom-3\">\n";
 print '<div class="pull-right" style="margin-top: 15px; margin-right: 24px;"><span class="badge label-default">'
@@ -45,11 +44,11 @@ foreach my $f (@files) {
 }
 print "</select></form>\n";
 
-my $data = &read_file_contents($file);
+my $data = read_file_contents($file);
 
-print &ui_form_start("settings-editor_write.cgi", "form-data");
-print &ui_hidden("file", $file), "\n";
-print &ui_textarea("data",
+print ui_form_start("settings-editor_write.cgi", "form-data");
+print ui_hidden("file", $file), "\n";
+print ui_textarea("data",
                    ($file =~ '.json' ? ($data =~ /\{(?:\{.*\}|[^{])*\}/sg) :
                       $data
                    ),
@@ -60,5 +59,5 @@ print &ui_textarea("data",
                          ''
                      ) .
                      "");
-print &ui_form_end([["save", $theme_text{'theme_xhred_global_save'}]]);
-&ui_print_footer("tconfig.cgi", $theme_text{'right_return_theme_options'});
+print ui_form_end([["save", $theme_text{'theme_xhred_global_save'}]]);
+ui_print_footer("tconfig.cgi", $theme_text{'right_return_theme_options'});
diff --git a/settings-editor_write.cgi b/settings-editor_write.cgi
@@ -10,16 +10,19 @@ use strict;
 our (%in, $current_theme, $config_directory, $get_user_level, %theme_text, $has_usermin);
 
 do("$ENV{'THEME_ROOT'}/authentic-lib.pl");
+do("$ENV{'THEME_ROOT'}/settings-lib.pl");
 
-&webmin_user_is_admin() ||
-  &error($theme_text{'theme_error_access_not_root_user'});
+my @files = get_settings_editor_files();
+
+webmin_user_is_admin() ||
+  error($theme_text{'theme_error_access_not_root_user'});
 if ($in{'file'}) {
-  &is_under_directory("$config_directory/$current_theme", $in{'file'}) ||
-    &error($theme_text{'theme_error_access_dir_not_allowed'});
+  array_contains(\@files, $in{'file'}) ||
+    error($theme_text{'theme_error_access_dir_not_allowed'});
 }
 
 theme_make_config_dir();
-my $file = html_escape($in{'file'});
+my $file = &html_escape($in{'file'});
 unlink_file($file);
 write_file_contents($file, $in{'data'});
 

diff --git a/settings-lib.pl b/settings-lib.pl
@@ -0,0 +1,17 @@
+#
+# Authentic Theme (https://github.com/authentic-theme/authentic-theme)
+# Copyright Ilia Rostovtsev <[email protected]>
+# Licensed under MIT (https://github.com/authentic-theme/authentic-theme/blob/master/LICENSE)
+#
+use strict;
+
+our ($config_directory, $current_theme, $remote_user);
+
+sub get_settings_editor_files
+{
+    return ($config_directory . "/$current_theme/styles.css",
+            $config_directory . "/$current_theme/scripts.js",
+            $config_directory . "/$current_theme/scripts.pl",
+            $config_directory . "/$current_theme/favorites-$remote_user.json",
+            $config_directory . "/$current_theme/custom-lang");
+}
diff --git a/settings-logos.cgi b/settings-logos.cgi
@@ -13,12 +13,8 @@ do("$ENV{'THEME_ROOT'}/authentic-lib.pl");
 
 &webmin_user_is_admin() ||
   &error($theme_text{'theme_error_access_not_root_user'});
-if ($in{'file'}) {
-  &is_under_directory("$config_directory/$current_theme", $in{'file'}) ||
-    &error($theme_text{'theme_error_access_dir_not_allowed'});
-}
 
-&ui_print_header(html_escape($in{'file'}), $theme_text{'theme_xhred_settings_right_theme_logos_title'}, undef, undef, undef, 1);
+&ui_print_header(undef, $theme_text{'theme_xhred_settings_right_theme_logos_title'}, undef, undef, undef, 1);
 
 my $lga = $config_directory . "/$current_theme/logo.png";
 my $lgg = $config_directory . "/$current_theme/logo_welcome.png";