From 7121a02e92e7af86b15c6c01fb431d0a44be96c7 Mon Sep 17 00:00:00 2001
From: Carsten Schmitz
Date: Tue, 5 Jan 2021 21:40:20 +0100
Subject: [PATCH 1/2] Fixed issue: Database error when username or user full name too long
---
application/models/User.php | 2 ++
application/views/admin/user/editusers.php | 4 ++--
application/views/admin/user/modifyuser.php | 4 ++--
3 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/application/models/User.php b/application/models/User.php
index f9105e8ef43..823678c838a 100644
--- a/application/models/User.php
+++ b/application/models/User.php
@@ -83,6 +83,8 @@ public function rules()
 return array(
 array('users_name, password, email', 'required'),
 array('users_name', 'unique'),
+ array('users_name', 'length','max'=>64),
+ array('full_name', 'length','max'=>50),
 array('email', 'email'),
 array('full_name', 'LSYii_Validators'), // XSS if non super-admin
 array('parent_id', 'default', 'value'=>0),
diff --git a/application/views/admin/user/editusers.php b/application/views/admin/user/editusers.php
index e7720f9f665..b76968bbef0 100644
--- a/application/views/admin/user/editusers.php
+++ b/application/views/admin/user/editusers.php
@@ -107,7 +107,7 @@
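Review bot: The new `length` rules bound users_name and full_name but leave `email`, the third field named in the `required` rule just above, with only the `email` format validator; if that column is sized in the schema like the other two, the database error this commit fixes is still reachable through an over-long address, so I would add `array('email', 'length', 'max'=>N),` with N taken from the column definition. The `maxlength` attributes added in the two view hunks are browser-side convenience only; these model rules are the check that counts, so the two must be kept in step. rules() continues past the hunk, so any validator further down is not visible here.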
- +
@@ -119,7 +119,7 @@
- +
diff --git a/application/views/admin/user/modifyuser.php b/application/views/admin/user/modifyuser.php
index 53c62353921..2e057dcae4e 100644
--- a/application/views/admin/user/modifyuser.php
+++ b/application/views/admin/user/modifyuser.php
@@ -43,8 +43,8 @@
- textField($oUser, 'full_name');?> -
+ textField($oUser, 'full_name', array('maxlength'=>50));?> +
hasGlobalPermission('superadmin','read', $oUser->uid) || (Permission::isForcedSuperAdmin(Permission::getUserId())) ): ?>
From 68ce18e22194171e1c56c27f36ad7ce5b34adc8a Mon Sep 17 00:00:00 2001
From: Carsten Schmitz
Date: Wed, 6 Jan 2021 17:59:30 +0100
Subject: [PATCH 2/2] Dev Refixed issue #15782: Remote Code Execution (RCE) in template options file uploader - this time properly
---
application/config/config-defaults.php | 3 ++-
application/controllers/admin/themes.php | 2 +-
application/core/LSYii_ImageValidator.php | 8 +++++---
application/helpers/admin/template_helper.php | 2 +-
application/views/admin/themes/templateeditorbar_view.php | 2 +-
5 files changed, 10 insertions(+), 7 deletions(-)
diff --git a/application/config/config-defaults.php b/application/config/config-defaults.php
index f620fa7a365..2b3574d1588 100644
--- a/application/config/config-defaults.php
+++ b/application/config/config-defaults.php
@@ -85,7 +85,8 @@
 $config['customassetversionnumber'] = 1; // Used to generate the path of tmp assets (see: LSYii_AssetManager::generatePath() )
 // Please be very careful if you want to allow SVG files - there are several XSS dangerous security issues
-$config['allowedthemeuploads'] = 'gif,ico,jpg,png,css,js,map,json,eot,ttf,woff,txt,md,xml,woff2,twig'; // File types allowed to be uploaded in the themes section.
+$config['allowedthemeimageformats'] = 'gif,ico,jpg,png'; // Image file types allowed to be uploaded in the themes section.
+$config['allowedthemeuploads'] = 'css,js,map,json,eot,ttf,woff,txt,md,xml,woff2,twig'; // Other file types allowed to be uploaded in the themes section.
 $config['allowedfileuploads'] = [
 //Documents
 'xls', 'doc', 'xlsx', 'docx', 'odt', 'ods', 'pdf',
diff --git a/application/controllers/admin/themes.php b/application/controllers/admin/themes.php
index bed27e31a63..37dc468cbb4 100755
--- a/application/controllers/admin/themes.php
+++ b/application/controllers/admin/themes.php
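Review bot: Nothing in the comments explains how the two new keys are treated differently: this patch makes `allowedthemeimageformats` the list LSYii_ImageValidator::validateImage() enforces by extension on top of its content check, while `allowedthemeuploads` entries are, as far as the hunks here show, accepted on extension alone. I would say so above the two lines, e.g. `// allowedthemeimageformats entries are additionally content-checked by LSYii_ImageValidator; allowedthemeuploads entries are accepted by extension only, so keep executable types out of it.` Installations that override the old combined `allowedthemeuploads` value in their local config will keep the image extensions in the extension-only list, which the concatenations in themes.php and template_helper.php still accept; a note in the upgrade instructions telling admins to re-split their override would help.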
@@ -435,7 +435,7 @@ public function uploadfile()
 $templatename = returnGlobal('templatename');
 $oEditedTemplate = Template::getInstance($templatename);
 $screenname = returnGlobal('screenname');
- $allowedthemeuploads = Yii::app()->getConfig('allowedthemeuploads');
+ $allowedthemeuploads = Yii::app()->getConfig('allowedthemeuploads').','.Yii::app()->getConfig('allowedthemeimageformats');
 $filename = sanitize_filename($_FILES['upload_file']['name'], false, false, false); // Don't force lowercase or alphanumeric
 $dirfilepath = $oEditedTemplate->filesPath;
diff --git a/application/core/LSYii_ImageValidator.php b/application/core/LSYii_ImageValidator.php
index e2faaf77bb1..7a3fa5cc5fd 100644
--- a/application/core/LSYii_ImageValidator.php
+++ b/application/core/LSYii_ImageValidator.php
@@ -27,11 +27,13 @@ public static function validateImage($file)
 {
 if (is_array($file)) {
 $path = $file['tmp_name'];
+ $extension = pathinfo($file['name'], PATHINFO_EXTENSION);
 $type = $file['type'];
 } elseif (is_string($file)) {
 $parts = explode('.', $file);
 $path = $file;
- $type = 'image/' . $parts[count($parts) - 1];
+ $extension = pathinfo($file, PATHINFO_EXTENSION);
+ $type = 'image/' . $extension;
 } else {
 return [ // No translation ? send $file ?
@@ -61,13 +63,13 @@ public static function validateImage($file)
 );
 if (!empty($checkImage)
+ && in_array($extension,explode(",",Yii::app()->getConfig('allowedthemeimageformats')))
 && in_array($checkImage, $allowedImageFormats)
 && in_array(strtolower($type), $allowedImageFormats)) {
 $result['uploadresult'] = '';
 $result['check'] = true;
 } else {
- $result['uploadresult'] =
- gT("This file is not a supported image - please only upload JPG,PNG,GIF or SVG type images.");
+ $result['uploadresult'] = gT("This file is not a supported image - please only upload JPG,PNG,GIF or SVG type images.");
 $result['check'] = false;
 }
 return $result;
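Review bot: The merged allow list is built by string-concatenating two config values here, and the identical `getConfig('allowedthemeuploads').','.getConfig('allowedthemeimageformats')` expression is repeated in template_helper.php and templateeditorbar_view.php in this same patch; a single helper such as `Template::getAllowedUploadExtensions()` returning the exploded array would stop the three copies from drifting the next time the list changes. The extension comparison against `$allowedthemeuploads` happens further down in uploadfile(), outside this hunk, so I cannot confirm it lowercases before comparing; with `sanitize_filename()` explicitly told not to force lowercase, it needs to, or an upper-case `.PNG` is rejected while the list stays lowercase. uploadfile() continues past the hunk.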
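Review bot: In the array branch both `$extension` (from `$file['name']`) and `$type` (from `$file['type']`) are client-supplied, and nothing in the hunk records which of the later checks is the server-derived one, so a future edit could drop the wrong test; I would note it at the assignment, e.g. `// $type and $extension come from the client; the extension allow list plus the content check behind $checkImage are the real gate — never rely on $type alone.` In the string branch `$type` is now derived from `$extension`, so the `$parts = explode('.', $file);` context line above it looks dead and can be removed unless `$parts` is used further down. validateImage() continues beyond the hunk.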
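Review bot: The new extension check is case-sensitive and non-strict while the `$type` check two lines below already lowercases, so a legitimate `photo.PNG` fails the first test and passes the second; use `in_array(strtolower($extension), explode(',', Yii::app()->getConfig('allowedthemeimageformats')), true)` so the two tests agree and the comparison is strict. The error message still promises `JPG,PNG,GIF or SVG` although the default `allowedthemeimageformats` in this patch is `gif,ico,jpg,png` — no SVG, but ICO — so it should be built from the config value read once above the condition rather than hard-coded, e.g. `gT("This file is not a supported image - please only upload these image types:") . ' ' . strtoupper(str_replace(',', ', ', $allowedImageExtensions))`. The function body continues outside the hunk.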
diff --git a/application/helpers/admin/template_helper.php b/application/helpers/admin/template_helper.php
index e76039ef100..6681656ed54 100644
--- a/application/helpers/admin/template_helper.php
+++ b/application/helpers/admin/template_helper.php
@@ -129,7 +129,7 @@ function is_template_editable($templatename)
 */
 function templateExtractFilter($p_event, &$p_header)
 {
- $aAllowExtensions = explode(',', Yii::app()->getConfig('allowedthemeuploads'));
+ $aAllowExtensions = explode(',', Yii::app()->getConfig('allowedthemeuploads').','.Yii::app()->getConfig('allowedthemeimageformats'));
 $aAllowExtensions[] = 'twig';
 $info = pathinfo($p_header['filename']);
diff --git a/application/views/admin/themes/templateeditorbar_view.php b/application/views/admin/themes/templateeditorbar_view.php
index f39b1586e3a..6b50dd3ae5a 100644
--- a/application/views/admin/themes/templateeditorbar_view.php
+++ b/application/views/admin/themes/templateeditorbar_view.php
@@ -28,7 +28,7 @@ function copyprompt(text, defvalue, copydirectory, action)
 if(filename==""){
 return false; // False click
 }
- var allowedtypes=',getConfig('allowedthemeuploads'); ?>,';
+ var allowedtypes=',getConfig('allowedthemeuploads').','.Yii::app()->getConfig('allowedthemeimageformats'); ?>,';
 var lastdotpos=-1;
 var ext='';
 if ((lastdotpos=filename.lastIndexOf('.')) < 0)
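Review bot: With twig present in the default `allowedthemeuploads` value shown in the config-defaults hunk, the unconditional `$aAllowExtensions[] = 'twig';` on the next context line is redundant, and it also means an administrator who removes twig from the config still gets .twig files extracted from uploaded theme archives; since those files are presumably rendered server-side by the theme engine, the config should be authoritative, so either drop that line or put a comment above it stating why twig must always be extractable. The concatenation of the two config keys here is the same expression used in themes.php and templateeditorbar_view.php in this patch; one shared helper would keep them in sync. templateExtractFilter() continues past the hunk.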
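Review bot: The merged extension list is echoed straight into a JavaScript string literal; the values are admin-controlled, but one containing a quote or backslash breaks the script, and `json_encode` produces the same string safely: `var allowedtypes=<?php echo json_encode(','.Yii::app()->getConfig('allowedthemeuploads').','.Yii::app()->getConfig('allowedthemeimageformats').','); ?>;`. This client-side filter is a convenience only; the server-side comparison in uploadfile() and the extension check in LSYii_ImageValidator remain the controls that matter, which deserves a one-line comment here so nobody later relaxes the server side to match the JS. copyprompt() continues outside the hunk.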