IMPORTANT SECURITY FIX: prevents external PHP code from being run
authormoodler <moodler>
Fri, 9 May 2003 02:32:43 +0000 (02:32 +0000)
committermoodler <moodler>
Fri, 9 May 2003 02:32:43 +0000 (02:32 +0000)
theme/index.php

index ae9be68ec6e455d6eaa97b2ca8076b2e4c0585cf..32207efd621b66ae4be0ef1c5c220ad8fa69ccfc 100644 (file)
@@ -5,7 +5,20 @@
     optional_variable($preview);   // which theme to show
     optional_variable($choose);    // set this theme as default
 
+    if (! $site = get_site()) {
+        error("Site doesn't exist!");
+    }
+
+    require_login();
+
+    if (!isadmin()) {
+        error("You must be an administrator to change themes.");
+    }
+
     if ($choose) {
+        if (!is_dir($choose)) {
+            error("This theme is not installed!");
+        }
         $preview = $choose;
     }
 
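Review bot: The new `is_dir($choose)` guard only proves that some directory of that name exists relative to the working directory; it does not confine the value to the theme folder, so a request value such as `../admin` or `/tmp` still passes and, as far as this view shows, flows via `$preview` into the `include ("$CFG->theme/config.php")` seen in the next hunk (the assignment to `$CFG->theme` is outside this hunk, so confirm that path). `$preview` supplied directly is not checked at all on this page — only the `$choose` branch validates — so the same traversal value presumably still reaches the include when an administrator merely previews a theme. Both values should be held to a bare-directory-name rule before either is used; the check below assumes `error()` terminates the script as it does elsewhere in Moodle, and the character class should be widened if installed theme directories use other characters.
```php
    if ($choose) {
        $preview = $choose;
    }
    // $choose and $preview both come from the request and end up in an include
    // path: accept only a bare directory name (no separators, '..' or absolute
    // paths) that exists under theme/.
    if ($preview && (!preg_match('/^[A-Za-z0-9_]+$/', $preview) || !is_dir($preview))) {
        error("This theme is not installed!");
    }
```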
         include ("$CFG->theme/config.php");
     }
 
-
-    if (! $site = get_site()) {
-        error("Site doesn't exist!");
-    }
-
-    require_login();
-
-    if (!isadmin()) {
-        error("You must be an administrator to change themes.");
-    }
-
-
     $stradministration = get_string("administration");
     $strchoosetheme = get_string("choosetheme");
     $strpreview = get_string("preview");