* Removed potential security loophole that I inadvertantly added.

  Config vars used to be able to be overwritten by global data if
  gpc_magic_quotes() was enabled.

git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@1311 7612ce4b-ef26-0410-bec9-ea0150e637f0

diff --git a/src/validate.php b/src/validate.php
index 7added477318dfd7f4b3b0e4c6460615c3bb7b42..b2c333530061f1eabc93a9e99e1f91f059b987d5 100644 (file)
--- a/src/validate.php
+++ b/src/validate.php
@@ -17,11 +17,6 @@
    session_start();
    include ('../functions/auth.php');
    
-   // Everyone needs stuff from config, and config needs stuff from
-   // strings.php, so include them both here.
-   include ('../functions/strings.php');
-   include ('../config/config.php');
-   
    is_logged_in();
 
 
@@ -105,4 +100,11 @@
        }
    }
 
+   // Everyone needs stuff from config, and config needs stuff from
+   // strings.php, so include them both here.
+   // Include them down here instead of at the top so that all config
+   // variables overwrite any passed in variables (for security)
+   include ('../functions/strings.php');
+   include ('../config/config.php');
+   
 ?>