From 06fada7445707e6b0352b51f0612d6d18ebb5035 Mon Sep 17 00:00:00 2001
From: Fabian Homborg
Date: Mon, 13 Dec 2021 21:59:08 +0100
Subject: [PATCH] webconfig: Check variable name and value
Theoretically if this only includes simple characters, it won't cause any issues. We already validate in other places but it doesn't hurt to do this twice.
---
 share/tools/web_config/webconfig.py | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/share/tools/web_config/webconfig.py b/share/tools/web_config/webconfig.py
index e5b7010d0..f2e245355 100755
--- a/share/tools/web_config/webconfig.py
+++ b/share/tools/web_config/webconfig.py
@@ -1150,7 +1150,15 @@ class FishConfigHTTPRequestHandler(SimpleHTTPServer.SimpleHTTPRequestHandler):
 # This is needed for 'fish_pager_color' vars.
 if name.startswith("fish_"):
 varname = name
- # TODO: Check if the varname is allowable.
+ # Check if the varname is allowable.
+ varname = varname.strip()
+ if not re.match("^[a-zA-Z0-9_]+$", varname):
+ print("Refusing to use variable name: '", varname, "'")
+ return
+ color = color.strip()
+ if not re.match("^[a-zA-Z0-9_= -]*$", color):
+ print("Refusing to use color value: ", color)
+ return
 command = "set -U " + varname
 command += " " + color
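Review bot: The two new anchored patterns only reject a trailing newline because of the `strip()` call just before them — Python's `$` also matches right before a final `\n` — so the whole-string check is better stated directly as `re.fullmatch(r"[a-zA-Z0-9_]+", varname)` and `re.fullmatch(r"[a-zA-Z0-9_= -]*", color)`, which stays correct even if the `strip()` lines are later removed or reordered. The two early `return`s only print to stdout, so a rejected request is dropped silently; unless the caller outside this hunk turns the missing result into an error status, the web client gets a successful-looking reply for a value that was never set, and a comment such as `# rejected input: caller must report this to the client` (or an explicit error return) would make that contract visible. The enclosing method starts and ends outside the hunk, and whether `re` is already imported in this file cannot be seen from here.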