Verify that theme names are well formed. Fixes #1856.

2 files changed, 12 insertions, 2 deletions

diff --git a/modules/gallery/libraries/Admin_View.php b/modules/gallery/libraries/Admin_View.php
index fcfe7aa2..66b8c20c 100644
--- a/modules/gallery/libraries/Admin_View.php
+++ b/modules/gallery/libraries/Admin_View.php
@@ -31,7 +31,12 @@ class Admin_View_Core extends Gallery_View {
 
     $this->theme_name = module::get_var("gallery", "active_admin_theme");
     if (identity::active_user()->admin) {
-      $this->theme_name = Input::instance()->get("theme", $this->theme_name);
+      $theme_name = Input::instance()->get("theme");
+      if ($theme_name &&
+          file_exists(THEMEPATH . $theme_name) &&
+          strpos(realpath(THEMEPATH . $theme_name), THEMEPATH) == 0) {
+        $this->theme_name = $theme_name;
+      }
     }
     $this->sidebar = "";
     $this->set_global(array("theme" => $this,
diff --git a/modules/gallery/libraries/Theme_View.php b/modules/gallery/libraries/Theme_View.php
index 031da6de..78b74cde 100644
--- a/modules/gallery/libraries/Theme_View.php
+++ b/modules/gallery/libraries/Theme_View.php
@@ -33,7 +33,12 @@ class Theme_View_Core extends Gallery_View {
 
     $this->theme_name = module::get_var("gallery", "active_site_theme");
     if (identity::active_user()->admin) {
-      $this->theme_name = Input::instance()->get("theme", $this->theme_name);
+      $theme_name = Input::instance()->get("theme");
+      if ($theme_name &&
+          file_exists(THEMEPATH . $theme_name) &&
+          strpos(realpath(THEMEPATH . $theme_name), THEMEPATH) == 0) {
+        $this->theme_name = $theme_name;
+      }
     }
     $this->item = null;
     $this->tag = null;