From 6b815bc0229a660ee8be6b2d3b20b67f73b245be Mon Sep 17 00:00:00 2001
From: Thomas Lamprecht <t.lamprecht@proxmox.com>
Date: Tue, 14 Mar 2023 17:54:14 +0100
Subject: [PATCH] proxy: limit theme value in length and disallow '/'

while with rust strings we cannot inject \0, it feels a bit safer to
enforce some basic restrictions, with length and not containing any
slash seems sensible enough.

Admins should not put sensible data as theme-XYZ.css files in
/usr/share (which is normally readable by all system users anyway)

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
---
 src/bin/proxmox-backup-proxy.rs | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/src/bin/proxmox-backup-proxy.rs b/src/bin/proxmox-backup-proxy.rs
index d93840c5..85c34ea2 100644
--- a/src/bin/proxmox-backup-proxy.rs
+++ b/src/bin/proxmox-backup-proxy.rs
@@ -96,10 +96,12 @@ fn get_language(headers: &http::HeaderMap) -> String {
 
 fn get_theme(headers: &http::HeaderMap) -> String {
     let exists = |t: &str| {
-        Path::new(&format!(
-            "/usr/share/javascript/proxmox-widget-toolkit/themes/theme-{t}.css"
-        ))
-        .exists()
+        t.len() < 32
+            && !t.contains('/')
+            && Path::new(&format!(
+                "/usr/share/javascript/proxmox-widget-toolkit/themes/theme-{t}.css"
+            ))
+            .exists()
     };
 
     match cookie_from_header(headers, "PBSThemeCookie") {