From 037af6890fe6fdb84a08d3c86083e847c90ec0ad Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Tue, 22 Oct 2013 08:17:26 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)

---
 program/steps/settings/save_prefs.inc |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/program/steps/settings/save_prefs.inc b/program/steps/settings/save_prefs.inc
index 140f173..945005d 100644
--- a/program/steps/settings/save_prefs.inc
+++ b/program/steps/settings/save_prefs.inc
@@ -156,8 +156,8 @@
 
     $a_user_prefs['timezone'] = (string) $a_user_prefs['timezone'];
 
-    if (isset($a_user_prefs['refresh_interval']) && !empty($CONFIG['min_refresh_interval'])) {
-      if ($a_user_prefs['refresh_interval'] > $CONFIG['min_refresh_interval']) {
+    if (!empty($a_user_prefs['refresh_interval']) && !empty($CONFIG['min_refresh_interval'])) {
+      if ($a_user_prefs['refresh_interval'] < $CONFIG['min_refresh_interval']) {
         $a_user_prefs['refresh_interval'] = $CONFIG['min_refresh_interval'];
       }
     }

--
Gitblit v1.9.1