FIX Filtering the HTTP Header "Accept-Language".

2019-09-24 13:54:52 +02:00 · 2019-09-24 13:54:52 +02:00 · c53be23122
commit c53be23122
parent 9cfe1262bd
2 changed files with 21 additions and 2 deletions
--- a/htdocs/core/class/translate.class.php
+++ b/htdocs/core/class/translate.class.php
@ -88,11 +88,12 @@ class Translate

 		if (empty($srclang) || $srclang == 'auto')
 		{
+			// $_SERVER['HTTP_ACCEPT_LANGUAGE'] can be 'fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7,it;q=0.6' but can contains also malicious content
 			$langpref=empty($_SERVER['HTTP_ACCEPT_LANGUAGE'])?'':$_SERVER['HTTP_ACCEPT_LANGUAGE'];
-			$langpref=preg_replace("/;([^,]*)/i", "", $langpref);
+			$langpref=preg_replace("/;([^,]*)/i", "", $langpref);	// Remove the 'q=x.y,' part
 			$langpref=str_replace("-", "_", $langpref);
 			$langlist=preg_split("/[;,]/", $langpref);
-			$codetouse=$langlist[0];
+			$codetouse=preg_replace('/[^_a-zA-Z]/', '', $langlist[0]);
 		}
 		else $codetouse=$srclang;

--- a/test/phpunit/SecurityTest.php
+++ b/test/phpunit/SecurityTest.php
@ -130,6 +130,24 @@ class SecurityTest extends PHPUnit\Framework\TestCase
    	print __METHOD__."\n";
    }

+    /**
+     * testSetLang
+     *
+     * @return string
+     */
+    public function testSetLang()
+    {
+    	global $conf;
+    	$conf=$this->savconf;
+
+    	$tmplangs = new Translate('', $conf);
+
+    	$_SERVER['HTTP_ACCEPT_LANGUAGE'] = "' malicious text with quote";
+    	$tmplangs->setDefaultLang('auto');
+    	print __METHOD__.' $tmplangs->defaultlang='.$tmplangs->defaultlang."\n";
+    	$this->assertEquals($tmplangs->defaultlang, 'malicioustextwithquote_MALICIOUSTEXTWITHQUOTE');
+    }
+
    /**
     * testGETPOST
     *