
Fixed a security hole with regard to themes.

Luke Ehresman, 24 years ago
Parent
Current commit
2717185b29
3 files changed, 17 insertions and 9 deletions
  1. ChangeLog (+1, -0)
  2. UPGRADE (+7, -6)
  3. src/load_prefs.php (+9, -3)

+ 1 - 0
ChangeLog

@@ -1,5 +1,6 @@
 Version 1.0pre2 -- DEVELOPMENT
 Version 1.0pre2 -- DEVELOPMENT
 ------------------------------
 ------------------------------
+- A number of security fixes
 - Replaced error messages with better, formatted, and meaningful messages.
 - Replaced error messages with better, formatted, and meaningful messages.
 - Fixed "reply all" so that it works intelligently now
 - Fixed "reply all" so that it works intelligently now
 - Made deleted (but not expunged) messages easier to detect (only if $auto_expunge = false)
 - Made deleted (but not expunged) messages easier to detect (only if $auto_expunge = false)
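Review bot: the new ChangeLog entry "A number of security fixes" gives administrators nothing to act on. This commit touches only one code path (theme selection in src/load_prefs.php), so name it, e.g. `- Security fix: the chosen_theme preference is now validated against the configured theme list`, so a reader can tell whether their installation is affected by the pre-fix behaviour.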

+ 7 - 6
UPGRADE

@@ -1,9 +1,10 @@
-Upgrading from 0.3 or 0.4
-=========================
-If you are upgrading from versions 0.3 or 0.4 of SquirrelMail, you can use
-this guide to make the transition a bit smoother.  If you have been using a
-previous version (0.1 or 0.2), it is suggested that you just start from
-scratch and configure your settings as if it was your first install.
+Upgrading from 0.3 or higher 
+============================
+
+If you are upgrading from versions 0.3 or higher of SquirrelMail, you can
+use this guide to make the transition a bit smoother.  If you have been
+using a previous version (0.1 or 0.2), it is suggested that you just start
+from scratch and configure your settings as if it was your first install.
 
 
 NOTE: The new plugin architecture required the use of some functions which
 NOTE: The new plugin architecture required the use of some functions which
 are not in all versions of PHP4. You will need at least PHP4 beta2. If you
 are not in all versions of PHP4. You will need at least PHP4 beta2. If you
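Review bot: the new heading line `Upgrading from 0.3 or higher ` carries a trailing space; trim it so the heading and its `====` underline are the same length. Since this file is the upgrade guide, also consider noting the behavioural change introduced in src/load_prefs.php in this same commit: a saved theme preference that does not match one of the configured themes is now reset to the default when preferences are loaded, so users with hand-edited preference files may see their theme change after upgrading.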

+ 9 - 3
src/load_prefs.php

@@ -21,9 +21,15 @@
    checkForPrefs($data_dir, $username);
    checkForPrefs($data_dir, $username);
 
 
    $chosen_theme = getPref($data_dir, $username, "chosen_theme");
    $chosen_theme = getPref($data_dir, $username, "chosen_theme");
-   if ((substr($chosen_theme, 0, 10) == "../config/")) {
-      $chosen_theme = substr($chosen_theme, 10);
-      $chosen_theme = "../themes/$chosen_theme";
+   $in_ary = false;
+   for ($i=0; $i < count($theme); $i++){
+   	  if ($theme[$i]["PATH"] == $chosen_theme) {
+	  	 $in_ary = true;
+		 break;
+	  }
+   }
+   if (!$in_ary) {
+   		$chosen_theme = "";
    }
    }
 
 
    if ((isset($chosen_theme)) && (file_exists($chosen_theme))) {
    if ((isset($chosen_theme)) && (file_exists($chosen_theme))) {
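Review bot: the `isset($chosen_theme)` guard on the trailing context line no longer does anything useful after this change, because the fallback assigns `$chosen_theme = "";` and an empty string still counts as set; the block then silently relies on `file_exists("")` returning false. Make the intent explicit, e.g. `if ($chosen_theme != "" && file_exists($chosen_theme))`. The allowlist itself is the right fix: comparing the stored preference against the `$theme[$i]["PATH"]` entries means a preference value can only ever select a theme the administrator configured, whereas the removed code only rewrote a leading `../config/` and passed any other value straight through to the `file_exists` check below. Two smaller points: the loop body mixes tabs and spaces, and `count($theme)` is re-evaluated on every iteration, so hoist it into a local before the loop.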