From b97024f00ec6a2bf3c5441d6ab66d44bf63cea28 Mon Sep 17 00:00:00 2001
From: Ralf Becker
Date: Thu, 3 Sep 2015 16:21:12 +0000
Subject: [PATCH] fix issue pointed out by Andrew McNicol
---
 setup/inc/class.setup.inc.php | 2 +-
 setup/index.php | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/setup/inc/class.setup.inc.php b/setup/inc/class.setup.inc.php
index 8204245b53..e5d1dc2b46 100644
--- a/setup/inc/class.setup.inc.php
+++ b/setup/inc/class.setup.inc.php
@@ -88,7 +88,7 @@ class setup
 $this->detection = new setup_detection();
 $this->process = new setup_process();
- if ($_REQUEST['system_charset']) $this->system_charset = $_REQUEST['system_charset'];
+ if (preg_match('/^[a-z0-9-]+$/i', $_REQUEST['system_charset'])) $this->system_charset = $_REQUEST['system_charset'];
 /* The setup application needs these */
 if ($html) $this->html = new setup_html();
diff --git a/setup/index.php b/setup/index.php
index 095da7ec5e..f40a4b7075 100644
--- a/setup/index.php
+++ b/setup/index.php
@@ -336,7 +336,7 @@ switch($GLOBALS['egw_info']['setup']['stage']['db'])
 {
 $setup_info = $GLOBALS['egw_setup']->detection->upgrade_exclude($setup_info);
 // Set the DB's client charset if a system-charset is set
- if ($_REQUEST['system_charset'])
+ if (preg_match('/^[a-z0-9-]+$/i', $_REQUEST['system_charset']))
 {
 $GLOBALS['egw_setup']->system_charset = $_REQUEST['system_charset'];
 $GLOBALS['egw_setup']->db->Link_ID->SetCharSet($_REQUEST['system_charset']);
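Review bot: In setup/inc/class.setup.inc.php the new pattern `/^[a-z0-9-]+$/i` is anchored with `$`, which in PCRE also matches just before a trailing newline, so a value ending in a newline still passes the check and is assigned to `$this->system_charset`. Anchoring the end with `\z` (or adding the `D` modifier) closes that gap: `preg_match('/^[a-z0-9-]+\z/i', $_REQUEST['system_charset'])`. Testing `is_string()` first would also keep an absent or array-valued `system_charset` parameter from reaching preg_match(). The same pattern is used in the setup/index.php hunk, where the accepted value goes on to `SetCharSet()`. The enclosing method starts and ends outside the hunk.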
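Review bot: In setup/index.php the condition validates `$_REQUEST['system_charset']`, but the two lines inside the block read the superglobal again rather than a validated copy, and the rule itself is now written out twice (here and in class.setup.inc.php). Reading the parameter into a local once, validating that, and passing the local to both the property assignment and `SetCharSet()` would keep the check and the use on the same value and leave one place to change the rule. A short comment above the condition, such as `// only charset-name characters may reach SetCharSet()`, would record why the pattern is there. The block opened after the condition closes outside the hunk.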