From 77f44797bb2c3bc5be8b7189b386e8a38f318127 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Wed, 27 Apr 2011 17:05:05 +0000 Subject: [PATCH] Fix: A local file inclusion vulnerability can be exploited to include arbitrary files. --- htdocs/main.inc.php | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php index 1ef7549889e..8765bcda4f4 100644 --- a/htdocs/main.inc.php +++ b/htdocs/main.inc.php @@ -673,7 +673,6 @@ if (! defined('NOLOGIN')) else $conf->use_javascript_ajax=0; } - if (! defined('NOREQUIRETRAN')) { if (! GETPOST('lang')) // If language was not forced on URL @@ -691,14 +690,14 @@ if (! defined('NOREQUIRETRAN')) } else // If language was forced on URL { - $langs->setDefaultLang(GETPOST('lang')); + $langs->setDefaultLang(GETPOST('lang','alpha',1)); } } // Case forcing style from url if (GETPOST('theme')) { - $conf->theme=GETPOST('theme'); + $conf->theme=GETPOST('theme','alpha',1); $conf->css = "/theme/".$conf->theme."/style.css.php"; }
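Review bot: The guards still test the unfiltered request value (`if (! GETPOST('lang'))` in the first hunk's context and `if (GETPOST('theme'))` in the second), while the assignments now read `GETPOST(...,'alpha',1)`. If the filter rejects a value, or the third argument excludes the method it arrived by, the request passes the guard and then hands an empty string to `setDefaultLang()` or builds `$conf->css` as `/theme//style.css.php`. Using the same filtered call in both conditions, `if (! GETPOST('lang','alpha',1))` and `if (GETPOST('theme','alpha',1))`, would let a rejected value fall through to the configured default instead. GETPOST is defined outside this diff, so what `'alpha'` actually rejects cannot be confirmed here; since `$conf->theme` is concatenated into a file path, checking it against the theme directories that really exist under `/theme/` (and `lang` against the installed language codes, if such a list is available) would be a stronger guarantee than a character filter. The `NOREQUIRETRAN` block opens in the first hunk, and the code that consumes `$conf->css` is outside both hunks.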