From 084e1ae5603f4204945d25afcfabaeb1198df20f Mon Sep 17 00:00:00 2001
From: Hari Sankar R <hsr@theinglorio.us>
Date: Tue, 3 Apr 2012 22:15:59 +0530
Subject: [PATCH] [ticket/10561] All users can choose deactivated styles
 (fixed).

A form exploit enabled the users to select a deactivated
style. Fixed with extra check on submit, with a new function
styles_verify to check if the selected style is activated or not.

PHPBB3-10561
---
 phpBB/includes/functions.php     | 18 ++++++++++++++++++
 phpBB/includes/ucp/ucp_prefs.php |  3 ++-
 2 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php
index 0320230a7d..530638c56b 100644
--- a/phpBB/includes/functions.php
+++ b/phpBB/includes/functions.php
@@ -1238,6 +1238,24 @@ function style_select($default = '', $all = false)
 	return $style_options;
 }
 
+/**
+* Check if style is activated
+*/
+function style_verify($style_id = 0)
+{
+	global $db;
+
+	$sql = 'SELECT style_id, style_active
+		FROM ' . STYLES_TABLE . "
+		WHERE style_id = $style_id";
+	$result = $db->sql_query($sql);
+
+	$style_verified = $db->sql_fetchrow($result);
+	$db->sql_freeresult($result);
+
+	return $style_verified['style_active'];
+}
+
 /**
 * Pick a timezone
 */
diff --git a/phpBB/includes/ucp/ucp_prefs.php b/phpBB/includes/ucp/ucp_prefs.php
index 13167b2b3d..0df8acd5af 100644
--- a/phpBB/includes/ucp/ucp_prefs.php
+++ b/phpBB/includes/ucp/ucp_prefs.php
@@ -61,7 +61,8 @@ class ucp_prefs
 
 				if ($submit)
 				{
-					$data['style'] = ($config['override_user_style']) ? $config['default_style'] : $data['style'];
+					$data['style'] = ($config['override_user_style']) ? $config['default_style'] :
+						(style_verify($data['style']) ? $data['style'] : ((int) $user->data['user_style']));
 
 					$error = validate_data($data, array(
 						'dateformat'	=> array('string', false, 1, 30),