From bc562b74ba9c1e15deaba7380bbf49b39896640a Mon Sep 17 00:00:00 2001
From: Kijin Sung
Date: Tue, 28 Jun 2022 20:07:40 +0900
Subject: [PATCH] RVE-2022-3 filter skin parameter in ModuleModel::loadSkinInfo()

---
 modules/module/module.model.php | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/modules/module/module.model.php b/modules/module/module.model.php
index a6c91bed9..5e0543e72 100644
--- a/modules/module/module.model.php
+++ b/modules/module/module.model.php
@@ -957,8 +957,16 @@ class moduleModel extends module
 {
 // Read xml file having skin information
 if(substr($path,-1)!='/') $path .= '/';
+ if(!preg_match('/^[a-zA-Z0-9_-]+$/', $skin))
+ {
+ return;
+ }
 $skin_xml_file = sprintf("%s%s/%s/skin.xml", $path, $dir, $skin);
- if(!file_exists($skin_xml_file)) return;
+ if(!file_exists($skin_xml_file))
+ {
+ return;
+ }
+
 // Create XmlParser object
 $oXmlParser = new XeXmlParser();
 $_xml_obj = $oXmlParser->loadXmlFile($skin_xml_file);
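Review bot: The new regex on `$skin` lacks the `D` modifier, so `$` also matches before a trailing newline and a value such as `"default\n"` (constructed example) passes the filter; use `if(!preg_match('/^[a-zA-Z0-9_-]+$/D', $skin))`. The `sprintf` on the next line still interpolates `$dir` unvalidated, so if any caller can pass a request-derived `$dir` the resulting path is still not constrained; if that is possible, compare it against the fixed set of directory names the callers actually use rather than a character class. The function's signature is outside the hunk and its body continues past it, so where `$dir` and `$path` originate cannot be confirmed here. Both early returns are silent; a one-line comment above the new check such as `// Reject skin names that could escape the skin directory` would record why the filter exists.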