From bbc0d9abbf6a0d8f2ace8275c992aade35534d4a Mon Sep 17 00:00:00 2001
From: moodler
Date: Fri, 9 May 2003 02:32:43 +0000
Subject: [PATCH] IMPORTANT SECURITY FIX: prevents external PHP code from being run

---
 theme/index.php | 25 +++++++++++++------------
 1 file changed, 13 insertions(+), 12 deletions(-)

diff --git a/theme/index.php b/theme/index.php
index ae9be68ec6..32207efd62 100644
--- a/theme/index.php
+++ b/theme/index.php
@@ -5,7 +5,20 @@
 optional_variable($preview); // which theme to show
 optional_variable($choose); // set this theme as default
 
+ if (! $site = get_site()) {
+ error("Site doesn't exist!");
+ }
+
+ require_login();
+
+ if (!isadmin()) {
+ error("You must be an administrator to change themes.");
+ }
+
 if ($choose) {
+ if (!is_dir($choose)) {
+ error("This theme is not installed!");
+ }
 $preview = $choose;
 }
 
@@ -17,18 +30,6 @@
 include ("$CFG->theme/config.php");
 }
 
-
- if (! $site = get_site()) {
- error("Site doesn't exist!");
- }
-
- require_login();
-
- if (!isadmin()) {
- error("You must be an administrator to change themes.");
- }
-
-
 $stradministration = get_string("administration");
 $strchoosetheme = get_string("choosetheme");
 $strpreview = get_string("preview");
--
2.39.5
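Review bot: The added `is_dir($choose)` check in the first hunk only proves that some directory of that name exists relative to the script's working directory, so a request value containing `..` segments or an absolute path still passes and is copied into `$preview`. It also runs only when `$choose` is set; a `$preview` supplied on its own is not validated anywhere in the visible lines, and the `include ("$CFG->theme/config.php")` in the second hunk's context presumably consumes it (that block opens outside the hunk, so this is inferred). I would constrain both values to a plain directory name anchored to the theme directory, for example `if (!preg_match('/^[A-Za-z0-9_-]+$/', $choose) || !is_dir(dirname(__FILE__)."/$choose")) {`, and apply the same test to `$preview` before it reaches the include; the character set is an assumption to confirm against the theme names the project allows. Moving the `require_login()` / `isadmin()` checks ahead of the include narrows who can reach this path, but the include target should not depend on trusting the caller.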