From 70841e0f5076b04bc596f2a37c3714ed6cb9ac92 Mon Sep 17 00:00:00 2001
From: plegall
Date: Tue, 31 May 2011 20:32:41 +0000
Subject: merge r11157 from branch 2.2 to trunk

bug 2280 fixed: check language and theme values before updating database. The posted value must match an expected value, this is not a free texfield.

git-svn-id: http://piwigo.org/svn/trunk@11159 68402e56-0260-453c-a942-63ccdbb3a9ee
---
 profile.php | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/profile.php b/profile.php
index 2580b375c..402b03971 100644
--- a/profile.php
+++ b/profile.php
@@ -149,6 +149,16 @@ function save_profile_from_post($userdata, &$errors)
 {
 $errors[] = l10n('Recent period must be a positive integer value') ;
 }
+
+ if (!in_array($_POST['language'], array_keys(get_languages())))
+ {
+ die('Hacking attempt, incorrect language value');
+ }
+
+ if (!in_array($_POST['theme'], array_keys(get_pwg_themes())))
+ {
+ die('Hacking attempt, incorrect theme value');
+ }
 }
 
 if (isset($_POST['mail_address']))
-- 
cgit v1.2.3
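Review bot: The two added `in_array` checks use loose comparison and read `$_POST['language']` and `$_POST['theme']` without first confirming they are set, so a request that omits either field raises an undefined-index notice on the way into the check instead of being rejected cleanly. Use the strict form with an existence test, e.g. `if (!isset($_POST['language']) || !in_array($_POST['language'], array_keys(get_languages()), true))`, and the same shape for the theme check. The `die()` calls also depart from the `$errors[]` reporting pattern visible just above for other invalid input; if the intent is to hard-stop rather than report, it would be clearer to route both through one consistent fatal path so the two messages and exit behaviour stay aligned. `save_profile_from_post` begins and ends outside the hunk, so whether these checks are reachable only when the profile form was actually submitted cannot be confirmed from here.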