From: Petr Skoda
Date: Sun, 20 Dec 2009 16:25:41 +0000 (+0000)
Subject: MDL-21155 improve themechangeonurl - sesskey not required, it may be a slight CSRF...
X-Git-Url: http://git.mjollnir.org/gw?a=commitdiff_plain;h=998999e7251064b96580de6ed03d476138891d1c;p=moodle.git

MDL-21155 improve themechangeonurl - sesskey not required, it may be a slight CSRF problem, but on the other hand theme designers rely on this very often, fixed problems with theme in _POST
---
diff --git a/lib/setup.php b/lib/setup.php
index 80f9d53bd4..a78979b43b 100644
--- a/lib/setup.php
+++ b/lib/setup.php
@@ -533,10 +533,19 @@
 $SESSION = &$_SESSION['SESSION'];
 $USER = &$_SESSION['USER'];
 // Process theme change in the URL.
-if (!empty($CFG->allowthemechangeonurl) && ($urlthemename = optional_param('theme', '', PARAM_SAFEDIR)) && confirm_sesskey()) {
+if (!empty($CFG->allowthemechangeonurl) and !empty($_GET['theme'])) {
+    // we have to use _GET directly because we do not want this to interfere with _POST
+    $urlthemename = optional_param('theme', '', PARAM_SAFEDIR);
     try {
-        theme_config::load($urlthemename); // Makes sure the theme can be loaded without errors.
-        $SESSION->theme = $urlthemename;
+        $themeconfig = theme_config::load($urlthemename);
+        // Makes sure the theme can be loaded without errors.
+        if ($themeconfig->name === $urlthemename) {
+            $SESSION->theme = $urlthemename;
+        } else {
+            unset($SESSION->theme);
+        }
+        unset($themeconfig);
+        unset($urlthemename);
     } catch (Exception $e) {
         debugging('Failed to set the theme from the URL.', DEBUG_DEVELOPER, $e->getTrace());
     }
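Review bot: The new `if` guards on `$_GET['theme']`, but the value actually used is read back through `optional_param('theme', '', PARAM_SAFEDIR)`, which — if it consults `$_POST` before `$_GET`, as I believe Moodle's request helpers do — can still return a `$_POST['theme']` value, the very interference the comment above it says the `_GET` check is meant to avoid. Reading and cleaning the same source closes that gap: `$urlthemename = clean_param($_GET['theme'], PARAM_SAFEDIR);`. Dropping `confirm_sesskey()` means a plain link can now change the theme stored in `$SESSION` for the rest of a user's session; that trade-off is recorded only in the commit message, so a code comment such as `// No sesskey check on purpose (MDL-21155): theme designers rely on plain links; the only side effect is $SESSION->theme.` would keep a later reader from silently widening what this branch is allowed to do. Also, `unset($urlthemename)` sits inside the `try`, so on the exception path the variable stays defined after the block.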