From 2ef400aefd9d1f1eedfe85616354b8cd94fe31b6 Mon Sep 17 00:00:00 2001
From: "Ahron Greenberg (agree)" <37550360+greenbea@users.noreply.github.com>
Date: Tue, 11 Feb 2025 10:39:47 -0500
Subject: [PATCH] validate domain before change (#7244)
---
 core/domains/domains.php | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/core/domains/domains.php b/core/domains/domains.php
index 03940e5432..c059ebc34b 100644
--- a/core/domains/domains.php
+++ b/core/domains/domains.php
@@ -44,8 +44,6 @@
 //update the domain session variables
 $domain_uuid = $_GET["domain_uuid"];
- $_SESSION["previous_domain_uuid"] = $_SESSION['domain_uuid'];
- $_SESSION['domain_uuid'] = $domain_uuid;
 //get the domain details
 $sql = "select * from v_domains ";
@@ -58,7 +56,14 @@
 }
 unset($sql, $domains);
+ //validate the domain change
+ if (empty($_SESSION['domains'][$domain_uuid])) {
+ die("invalid domain");
+ }
+ //update the domain session variables
+ $_SESSION["previous_domain_uuid"] = $_SESSION['domain_uuid'];
+ $_SESSION['domain_uuid'] = $domain_uuid;
 $_SESSION["domain_name"] = $_SESSION['domains'][$domain_uuid]['domain_name'];
 $_SESSION['domain']['template']['name'] = $_SESSION['domains'][$domain_uuid]['template_name'] ?? null;
 $_SESSION["context"] = $_SESSION["domain_name"];
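Review bot: The new guard `empty($_SESSION['domains'][$domain_uuid])` in the second hunk uses `$domain_uuid` as an array key while it is still the raw `$_GET["domain_uuid"]` value, so a non-string value (for example an array sent as `domain_uuid[]=`) reaches the offset lookup and, on PHP 8, is likely to end in an uncaught TypeError rather than the intended rejection. Checking the type first keeps the failure path uniform: `if (!is_string($domain_uuid) || empty($_SESSION['domains'][$domain_uuid])) {`. The guard is also only an existence check against whatever the `select * from v_domains` lookup above loads into `$_SESSION['domains']`; the rest of that query and the enclosing permission test lie outside the hunk, so it is worth confirming the list is limited to domains this user is allowed to switch to. Setting a non-200 status before the `die()` (e.g. `http_response_code(403);`) and adding a comment such as `//reject domain_uuid values that are not in the list loaded for this session` would make rejected switches visible in access logs and state the intent of the check.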