From ed5531ea88639edae7ae991b559befe93af178a4 Mon Sep 17 00:00:00 2001
From: Alexander Ebert
Date: Tue, 27 Dec 2016 13:28:46 +0100
Subject: [PATCH] Enforce sane values for integer input

---
 wcfsetup/install/files/lib/acp/form/StyleAddForm.class.php | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/wcfsetup/install/files/lib/acp/form/StyleAddForm.class.php b/wcfsetup/install/files/lib/acp/form/StyleAddForm.class.php
index a4574e3f71..2f963d40d1 100644
--- a/wcfsetup/install/files/lib/acp/form/StyleAddForm.class.php
+++ b/wcfsetup/install/files/lib/acp/form/StyleAddForm.class.php
@@ -229,7 +229,7 @@ class StyleAddForm extends AbstractForm {
 foreach ($this->globals as $variableName) {
 if (isset($_POST[$variableName]) && is_numeric($_POST[$variableName])) {
 if (isset($_POST[$variableName.'_unit']) && in_array($_POST[$variableName.'_unit'], $this->availableUnits)) {
- $this->variables[$variableName] = $_POST[$variableName].$_POST[$variableName.'_unit'];
+ $this->variables[$variableName] = abs($_POST[$variableName]).$_POST[$variableName.'_unit'];
 }
 }
 else {
@@ -239,8 +239,11 @@ class StyleAddForm extends AbstractForm {
 }
 
 // read specialized variables
+ $integerValues = ['pageLogoHeight', 'pageLogoWidth'];
 foreach ($this->specialVariables as $variableName) {
- if (isset($_POST[$variableName])) $this->variables[$variableName] = StringUtil::trim($_POST[$variableName]);
+ if (isset($_POST[$variableName])) {
+ $this->variables[$variableName] = (in_array($variableName, $integerValues)) ? abs(intval($_POST[$variableName])) : StringUtil::trim($_POST[$variableName]);
+ }
 }
 $this->variables['useFluidLayout'] = isset($_POST['useFluidLayout']) ? 1 : 0;
 $this->variables['useGoogleFont'] = isset($_POST['useGoogleFont']) ? 1 : 0;
-- 
2.20.1
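Review bot: `abs($_POST[$variableName])` on the added line only removes the sign; it does not bound the magnitude, so the value is not yet "sane" in the sense the subject line promises. `is_numeric('1e999')` is true and `abs('1e999')` is `INF`, which this line then concatenates into the string `INFpx`; very large finite values pass unchanged as well. An explicit range check such as `$value = abs($_POST[$variableName]); if (!is_finite($value) || $value > self::MAX_LENGTH) continue;` (with the limit defined as a class constant) before the assignment would enforce a bound; the same missing upper bound applies to `abs(intval(...))` in the second hunk. While touching this line, `in_array($_POST[$variableName.'_unit'], $this->availableUnits)` on the line above still compares the untrusted unit string loosely; passing `true` as the third argument costs nothing. The enclosing method starts and ends outside the hunk.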
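Review bot: After the added ternary, `$this->variables['pageLogoHeight']` and `['pageLogoWidth']` hold an `int` while every other special variable holds a trimmed string; any later consumer that tests these entries as strings (for example an `=== ''` emptiness check) will presumably behave differently for these two keys, so either the consumers should be checked or the result cast back with `(string) abs(intval(...))`. `abs(intval(...))` also returns a float rather than an int for `PHP_INT_MIN` input, which is one more reason to clamp the value to a documented maximum instead of relying on `abs()` alone. As a point of style, `$integerValues` is a fixed list and reads better as a class constant, and `in_array($variableName, $integerValues, true)` should be strict even though `$variableName` comes from `$this->specialVariables`. The enclosing method starts and ends outside the hunk.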