diff --git a/application/controllers/ThemeOptionsController.php b/application/controllers/ThemeOptionsController.php
index 091f73909ac..10cec54da7f 100644
--- a/application/controllers/ThemeOptionsController.php
+++ b/application/controllers/ThemeOptionsController.php
@@ -560,9 +560,15 @@ public function actionImportManifest()
if (Permission::model()->hasGlobalPermission('templates', 'update')) {
if ($theme === 'questiontheme') {
$templateFolder = App()->request->getPost('templatefolder');
+ if (strpos($templateFolder, "../") !== false) {
+ throw new CHttpException(eT("Unsafe path"));
+ }
+ //$themeType is being sanitized inside getAbsolutePathForType
+ $themeType = App()->request->getPost('theme_type');
+ $fullTemplateFolder = QuestionTheme::getAbsolutePathForType($templateFolder, $themeType);
$questionTheme = new QuestionTheme();
//skip convertion LS3ToLS4 (this should have been happen BEFORE theme was moved to the uninstalled themes
- $themeName = $questionTheme->importManifest($templateFolder, true);
+ $themeName = $questionTheme->importManifest($fullTemplateFolder, true);
if (isset($themeName)) {
App()->setFlashMessage(sprintf(gT('The Question theme "%s" has been successfully installed'), "$themeName"), 'success');
} else {
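Review bot: The exception on the new line `throw new CHttpException(eT("Unsafe path"));` is built wrong: CHttpException takes the HTTP status code as its first argument, and `eT()` (unlike the `gT()` this same hunk uses for the flash message) echoes the translation rather than returning it, so the response gets no status code and no message while the text leaks into the output stream before the error handler runs. The guard itself is also narrower than its comment suggests: `strpos($templateFolder, "../")` lets through `..\`, a trailing `..` segment (`foo/..`), and an absolute path, so unless `getAbsolutePathForType()` canonicalises and confines the result to a theme root — not visible here — `templatefolder` still reaches `importManifest()` from user input. I would reject any `..` segment and any rooted path, e.g. `if ($templateFolder === '' || preg_match('#(^|[\\\\/])\.\.([\\\\/]|$)#', $templateFolder) || preg_match('#^[\\\\/]#', $templateFolder)) {` followed by `throw new CHttpException(403, gT("Unsafe path"));`. Also worth a comment that the `../` check is a defence-in-depth measure and that the real confinement must happen in `getAbsolutePathForType()`, since the hunk's comment currently only claims that for `theme_type`. The enclosing `actionImportManifest()` starts and ends outside this hunk.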
diff --git a/application/models/QuestionTheme.php b/application/models/QuestionTheme.php
index dc9beae2347..bd0d9d86b51 100644
--- a/application/models/QuestionTheme.php
+++ b/application/models/QuestionTheme.php
@@ -33,6 +33,10 @@
*/
class QuestionTheme extends LSActiveRecord
{
+ const THEME_TYPE_CORE = 'coreQuestion';
+ const THEME_TYPE_CUSTOM = 'customCoreTheme';
+ const THEME_TYPE_USER = 'customUserTheme';
+
/**
* @return string the associated database table name
*/
@@ -229,7 +233,8 @@ public function getVisibilityButton()
public function getManifestButtons()
{
$sLoadLink = CHtml::form(array("themeOptions/importManifest/"), 'post', array('id' => 'forminstallquestiontheme', 'name' => 'forminstallquestiontheme')) .
- "
+ "
+