From a1a4a6e427f8ea38aee30b44bbe4c9562007377e Mon Sep 17 00:00:00 2001
From: tassium
Date: Tue, 31 Dec 2002 16:24:58 +0000
Subject: [PATCH] Move $theme reset (avoids theme cookie exploit) to top, before config.php is loaded. Otherwise we just load the themes from config.php and promptly clear the array. Developers: Please review for security implications.
git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@4339 7612ce4b-ef26-0410-bec9-ea0150e637f0
---
 include/validate.php | 26 ++++++++------------------
 1 file changed, 8 insertions(+), 18 deletions(-)
diff --git a/include/validate.php b/include/validate.php
index a471ce53..b399d7c2 100644
--- a/include/validate.php
+++ b/include/validate.php
@@ -29,6 +29,14 @@ session_write_close();
+/**
+ * Reset the $theme() array in case a value was passed via a cookie.
+ * This is until theming is rewritten.
+ */
+global $theme;
+unset($theme);
+$theme=array();
+
 /* SquirrelMail required files. */
 require_once(SM_PATH . 'class/mime.class.php');
 require_once(SM_PATH . 'functions/strings.php');
@@ -71,24 +79,6 @@ if (isset($send) } }
-/**
-* Everyone needs stuff from config, and config needs stuff from
-* strings.php, so include them both here. Actually, strings is
-* included at the top now as the string array functions have
-* been moved into it.
-*
-* Include them down here instead of at the top so that all config
-* variables overwrite any passed in variables (for security).
-*/
-
-/**
- * Reset the $theme() array in case a value was passed via a cookie.
- * This is until theming is rewritten.
- */
-global $theme;
-unset($theme);
-$theme=array();
-
 require_once(SM_PATH . 'include/load_prefs.php');
 require_once(SM_PATH . 'functions/page_header.php');
 require_once(SM_PATH . 'functions/prefs.php');
--
2.25.1
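Review bot: The added `global $theme; unset($theme); $theme=array();` clears the real global only when validate.php runs at file scope. If the file is ever included from inside a function, `unset()` on a globalized name drops just the local reference and the assignment creates a new local, so a request-supplied `$theme` would survive the reset. Assigning through the superglobal, `$GLOBALS['theme'] = array();`, resets the same variable in both cases. The docblock should also record the ordering it depends on, e.g. `Must stay above the require that loads config.php, otherwise the configured themes are cleared again.` The config.php include is not visible in this hunk, so confirm that it does come after the reset.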