Fix path traversal vulnerability in setting a skin (#1490620)

Conflicts:

	CHANGELOG

CHANGELOG

@@ -17,6 +17,7 @@ CHANGELOG Roundcube Webmail
 - Fix regression in displaying contents of message/rfc822 parts (#1490606)
 - Fix handling of message/rfc822 attachments on replies and forwards (#1490607)
 - Fix PDF support detection in Firefox > 19 (#1490610)
+- Fix path traversal vulnerability in setting a skin (#1490620)
 
 RELEASE 1.1.3
 -------------

program/include/rcmail_output_html.php

@@ -225,6 +225,17 @@ EOF;
      */
     public function set_skin($skin)
     {
+        // Sanity check to prevent from path traversal vulnerability (#1490620)
+        if (strpos($skin, '/') !== false || strpos($skin, "\\") !== false) {
+            rcube::raise_error(array(
+                    'file'    => __FILE__,
+                    'line'    => __LINE__,
+                    'message' => 'Invalid skin name'
+                ), true, false);
+
+            return false;
+        }
+
         $valid = false;
         $path  = RCUBE_INSTALL_PATH . 'skins/';