Move $theme reset (avoids theme cookie exploit) to top, before config.php is loaded...

Developers: Please review for security implications.

git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@4339 7612ce4b-ef26-0410-bec9-ea0150e637f0

diff --git a/include/validate.php b/include/validate.php
index a471ce530a0ec5dbfaa32c20bc03a3d6c57dccb6..b399d7c21a6ab56d3663320b83a813df7c10e6a5 100644 (file)
--- a/include/validate.php
+++ b/include/validate.php
@@ -29,6 +29,14 @@
 
 session_write_close();
 
+/**
+ * Reset the $theme() array in case a value was passed via a cookie.
+ * This is until theming is rewritten.
+ */
+global $theme;
+unset($theme);
+$theme=array();
+
 /* SquirrelMail required files. */
 require_once(SM_PATH . 'class/mime.class.php');
 require_once(SM_PATH . 'functions/strings.php');
@@ -71,24 +79,6 @@ if (isset($send)
     }
 }
 
-/**
-* Everyone needs stuff from config, and config needs stuff from
-* strings.php, so include them both here. Actually, strings is
-* included at the top now as the string array functions have
-* been moved into it.
-*
-* Include them down here instead of at the top so that all config
-* variables overwrite any passed in variables (for security).
-*/
-
-/**
- * Reset the $theme() array in case a value was passed via a cookie.
- * This is until theming is rewritten.
- */
-global $theme;
-unset($theme);
-$theme=array();
-
 require_once(SM_PATH . 'include/load_prefs.php');
 require_once(SM_PATH . 'functions/page_header.php');
 require_once(SM_PATH . 'functions/prefs.php');