From 9cad79388e7c9f97807563f5c5d7de6acfa566b9 Mon Sep 17 00:00:00 2001
From: harris wong
Date: Tue, 30 Aug 2011 20:35:00 +0000
Subject: [PATCH] 4781: Check if theme paths are relative, if so, silently set it back to default and bring the user back to default preference page.

---
 docs/include/vitals.inc.php | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/docs/include/vitals.inc.php b/docs/include/vitals.inc.php
index 8ee494887..f642bde10 100644
--- a/docs/include/vitals.inc.php
+++ b/docs/include/vitals.inc.php
@@ -302,6 +302,15 @@ $savant->addPath('template', AT_INCLUDE_PATH . '../themes/default/');
 //if user has requested theme change, make the change here
 if (($_POST['theme'] || $_POST['mobile_theme']) && $_POST['submit']) {
+ //http://atutor.ca/atutor/mantis/view.php?id=4781
+ //Themes should be in the same folder, disallow '../'
+ $newTheme = str_replace("../", "", $_POST['theme']);
+ $newMobileTheme = str_replace("../", "", $_POST['mobile_theme']);
+ if ($newTheme != $_POST['theme'] || $newMobileTheme != $_POST['mobile_theme']) {
+ header('Location:'.AT_BASE_HREF.'users/preferences.php');
+ exit;
+ }
+
 $_SESSION['prefs']['PREF_THEME'] = $addslashes($_POST['theme']);
 $_SESSION['prefs']['PREF_MOBILE_THEME'] = $addslashes($_POST['mobile_theme']);
 } else if ($_POST['set_default']) {
-- 
2.17.1
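Review bot: The denylist on the two `str_replace("../", "", ...)` lines only catches the literal `../` sequence, so a theme value of `..` (no trailing slash) or `..\` passes the comparison unchanged and, if the stored preference is later appended to a `../themes/` path the way the hunk header's `addPath` call suggests, still resolves one directory up. An allowlist on the directory name is safer than stripping one pattern: `if (!preg_match('/^[A-Za-z0-9_-]+$/', $_POST['theme']) || ($_POST['mobile_theme'] != '' && !preg_match('/^[A-Za-z0-9_-]+$/', $_POST['mobile_theme']))) {` in place of the `$newTheme != ...` comparison, assuming installed theme directories use only those characters. Note also that the new branch redirects without touching `PREF_THEME`, while the commit message says the value is set back to default; either the message or the branch should be adjusted so the two agree. The enclosing `if` continues past the hunk into the `else if ($_POST['set_default'])` branch.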