fix: validate LESS feature usage in theme config settings

imorland · imorland · commit f0f8e8c652f9 · 2026-04-18T21:08:51.000+01:00
CVE-2023-27577 restricted @import and data-uri() in the custom_less setting, but the same restriction was never applied to other settings registered as LESS config variables (e.g. theme_primary_color). Those values are interpolated verbatim into the LESS source, allowing an admin-level attacker to read local files or trigger SSRF via the LESS @import directive. Apply the same check to every dirty setting whose key is registered via flarum.less.config (built-in theme colors and Extend\Settings::registerLessConfigVar()).
diff --git a/framework/core/src/Forum/ValidateCustomLess.php b/framework/core/src/Forum/ValidateCustomLess.php
@@ -62,13 +62,26 @@ public function whenSettingsSaving(Saving $event)
             return;
         }
 
-        // Restrict what features can be used in custom LESS
-        if (isset($event->settings['custom_less']) && preg_match('/@import|data-uri\s*\(/i', $event->settings['custom_less'])) {
-            $translator = $this->container->make(TranslatorInterface::class);
+        // Restrict what features can be used in custom LESS. This applies to
+        // the `custom_less` setting as well as any setting registered as a
+        // LESS config variable (e.g. `theme_primary_color`), since those
+        // values are interpolated directly into the LESS source.
+        $lessFeatureKeys = array_merge(
+            isset($event->settings['custom_less']) ? ['custom_less'] : [],
+            array_intersect(
+                array_keys($event->settings),
+                array_column($this->customLessSettings, 'key')
+            )
+        );
+
+        foreach ($lessFeatureKeys as $key) {
+            if (is_string($event->settings[$key]) && preg_match('/@import|data-uri\s*\(/i', $event->settings[$key])) {
+                $translator = $this->container->make(TranslatorInterface::class);
 
-            throw new ValidationException([
-                'custom_less' => $translator->trans('core.admin.appearance.custom_styles_cannot_use_less_features')
-            ]);
+                throw new ValidationException([
+                    $key => $translator->trans('core.admin.appearance.custom_styles_cannot_use_less_features')
+                ]);
+            }
         }
 
         // We haven't saved the settings yet, but we want to trial a full
diff --git a/framework/core/tests/integration/api/settings/SetTest.php b/framework/core/tests/integration/api/settings/SetTest.php
@@ -82,4 +82,63 @@ public function max_setting_length_validated()
 
         $this->assertEquals(422, $response->getStatusCode());
     }
+
+    /**
+     * @test
+     */
+    public function theme_primary_color_rejects_less_import()
+    {
+        $response = $this->send(
+            $this->request('POST', '/api/settings', [
+                'authenticatedAs' => 1,
+                'json' => [
+                    'theme_primary_color' => "#4D698E;@import (inline) '/etc/passwd';",
+                ],
+            ])
+        );
+
+        $this->assertEquals(422, $response->getStatusCode());
+        $this->assertNotEquals(
+            "#4D698E;@import (inline) '/etc/passwd';",
+            $this->app->getContainer()->make('flarum.settings')->get('theme_primary_color')
+        );
+    }
+
+    /**
+     * @test
+     */
+    public function theme_secondary_color_rejects_less_import()
+    {
+        $response = $this->send(
+            $this->request('POST', '/api/settings', [
+                'authenticatedAs' => 1,
+                'json' => [
+                    'theme_secondary_color' => "#4D698E;@import (inline) '/etc/passwd';",
+                ],
+            ])
+        );
+
+        $this->assertEquals(422, $response->getStatusCode());
+        $this->assertNotEquals(
+            "#4D698E;@import (inline) '/etc/passwd';",
+            $this->app->getContainer()->make('flarum.settings')->get('theme_secondary_color')
+        );
+    }
+
+    /**
+     * @test
+     */
+    public function theme_primary_color_rejects_data_uri()
+    {
+        $response = $this->send(
+            $this->request('POST', '/api/settings', [
+                'authenticatedAs' => 1,
+                'json' => [
+                    'theme_primary_color' => "#4D698E;background:data-uri('/etc/passwd');",
+                ],
+            ])
+        );
+
+        $this->assertEquals(422, $response->getStatusCode());
+    }
 }
