From 3b713afed3cbefab318cbe48ad3a46a620dc4a3e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bar=C4=B1=C5=9F=20Soner=20U=C5=9Fakl=C4=B1?=
 <barisusakli@gmail.com>
Date: Tue, 10 Dec 2024 10:37:48 -0500
Subject: [PATCH] fix: make sure theme screenshot starts with themeDir

---
 src/controllers/admin/themes.js | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/src/controllers/admin/themes.js b/src/controllers/admin/themes.js
index db08d08f84..339884c95d 100644
--- a/src/controllers/admin/themes.js
+++ b/src/controllers/admin/themes.js
@@ -20,12 +20,18 @@ themesController.get = async function (req, res, next) {
 		themeConfig = JSON.parse(themeConfig);
 	} catch (err) {
 		if (err.code === 'ENOENT') {
-			return next(Error('invalid-data'));
+			return next(Error('[[error:invalid-data]]'));
 		}
 		return next(err);
 	}
 
-	const screenshotPath = themeConfig.screenshot ? path.join(themeDir, themeConfig.screenshot) : defaultScreenshotPath;
-	const exists = await file.exists(screenshotPath);
+	const screenshotPath = themeConfig.screenshot ?
+		path.join(themeDir, themeConfig.screenshot) :
+		'';
+
+	if (screenshotPath && !screenshotPath.startsWith(themeDir)) {
+		throw new Error('[[error:invalid-path]]');
+	}
+	const exists = screenshotPath ? await file.exists(screenshotPath) : false;
 	res.sendFile(exists ? screenshotPath : defaultScreenshotPath);
 };