From 21b369a8a5a8f3a71bf06bd781dbff80362b52f3 Mon Sep 17 00:00:00 2001
From: plegall <plg@piwigo.org>
Date: Tue, 31 May 2011 20:32:16 +0000
Subject: bug 2280 fixed: check language and theme values before updating
 database. The posted value must match an expected value, this is not a free
 texfield.

git-svn-id: http://piwigo.org/svn/branches/2.2@11157 68402e56-0260-453c-a942-63ccdbb3a9ee
---
 profile.php | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/profile.php b/profile.php
index e0bb598e8..70f326b51 100644
--- a/profile.php
+++ b/profile.php
@@ -147,6 +147,16 @@ function save_profile_from_post($userdata, &$errors)
     {
       $errors[] = l10n('Recent period must be a positive integer value') ;
     }
+
+    if (!in_array($_POST['language'], array_keys(get_languages())))
+    {
+      die('Hacking attempt, incorrect language value');
+    }
+
+    if (!in_array($_POST['theme'], array_keys(get_pwg_themes())))
+    {
+      die('Hacking attempt, incorrect theme value');
+    }
   }
 
   if (isset($_POST['mail_address']))
-- 
cgit v1.2.3