While we cannot inject \0 with Rust strings, it feels a bit safer to
enforce some basic restrictions; limiting the length and rejecting any
slash seems sensible enough.
Admins should not put sensitive data in theme-XYZ.css files in
/usr/share (which is normally readable by all system users anyway).
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
fn get_theme(headers: &http::HeaderMap) -> String {
let exists = |t: &str| {
- Path::new(&format!(
- "/usr/share/javascript/proxmox-widget-toolkit/themes/theme-{t}.css"
- ))
- .exists()
+ t.len() < 32
+ && !t.contains('/')
+ && Path::new(&format!(
+ "/usr/share/javascript/proxmox-widget-toolkit/themes/theme-{t}.css"
+ ))
+ .exists()
};
match cookie_from_header(headers, "PBSThemeCookie") {
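Review bot: The new guard in the `exists` closure rejects only `/`, so a cookie value containing any other character (quotes, `<`, whitespace, `%`) still passes whenever a matching file exists. An allowlist would state the intent more directly, and it would also cover whatever the caller does with the returned theme name, which is not visible in this hunk. Something like `t.len() < 32 && t.chars().all(|c| c.is_ascii_alphanumeric() || c == '-' || c == '_')` ahead of the `Path::new(...).exists()` call would do, assuming the shipped theme names fit that set. A short comment such as `// cookie value is client-controlled: keep it a plain file-name component` would record why the check is there. The body of get_theme continues past the end of this hunk.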