From 8596c7de9015f543d2275641ea6c8dabd59a98aa Mon Sep 17 00:00:00 2001
From: plegall
Date: Sun, 1 Jan 2017 19:04:18 +0100
Subject: [PATCH] fixes #573, check $_GET['tab'] against hacking attempt
git cherry-pick 4b33a0fd199fd445b15a49927ea6a9a153e3877d
---
 admin/languages.php | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/admin/languages.php b/admin/languages.php
index 0ea4c17df..936e5b253 100644
--- a/admin/languages.php
+++ b/admin/languages.php
@@ -31,9 +31,14 @@ include_once(PHPWG_ROOT_PATH.'admin/include/tabsheet.class.php');
 $my_base_url = get_root_url().'admin.php?page=languages';
 if (isset($_GET['tab']))
+{
+ check_input_parameter('tab', $_GET, false, '/^(installed|update|new)$/');
 $page['tab'] = $_GET['tab'];
+}
 else
+{
 $page['tab'] = 'installed';
+}
 $tabsheet = new tabsheet();
 $tabsheet->set_id('languages');
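Review bot: The allow-list pattern `'/^(installed|update|new)$/'` in the added check_input_parameter() call ends in a bare `$`, which in PCRE also matches just before a trailing newline, so a tab name followed by a line feed would still be accepted. This assumes the helper applies the pattern with preg_match, which cannot be confirmed here because its body is not part of this hunk. Anchoring the end with `\z` or adding the `D` modifier, as in `'/^(installed|update|new)\z/'`, makes the match exact. How `$page['tab']` is consumed lies outside the hunk, so a short comment above the call such as `// allow-list of tab names; keep in sync with the tabs this page offers` would tell the next maintainer why the list must not be loosened.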