fix(vulnerability): prevent sogo to execute scripts pass in theme query

2026-02-17 07:33:57 +00:00 · 2025-11-26 13:22:38 +01:00
parent bd0547fb73
commit 16ab99e7cf
1 changed files with 6 additions and 2 deletions
--- a/UI/SOGoUI/UIxComponent.m
+++ b/UI/SOGoUI/UIxComponent.m
@@ -395,14 +395,18 @@ static SoProduct      *commonProduct      = nil;

 - (NSString *) relativePathToUserFolderSubPath: (NSString *) _sub
 {
-  NSString *dst, *rel, *theme;
+  NSString *dst, *rel, *theme, *safeTheme;

  dst = [[self userFolderPath] stringByAppendingPathComponent: _sub];
  rel = [dst urlPathRelativeToPath:[self ownPath]];

  theme = [[context request] formValueForKey: @"theme"];
  if ([theme length])
-    rel = [NSString stringWithFormat: @"%@?theme=%@", rel, theme];
+  {
+    safeTheme = [theme stringWithoutHTMLInjection: YES];
+    if([safeTheme isEqualToString: theme])
+      rel = [NSString stringWithFormat: @"%@?theme=%@", rel, theme];
+  }

  return rel;
 }