FIX Filtering the HTTP Header "Accept-Language".

eldy · eldy · commit c53be23122fc · 2019-09-24T13:54:52.000+02:00
diff --git a/htdocs/core/class/translate.class.php b/htdocs/core/class/translate.class.php
@@ -88,11 +88,12 @@ public function setDefaultLang($srclang = 'en_US')
 
 		if (empty($srclang) || $srclang == 'auto')
 		{
+			// $_SERVER['HTTP_ACCEPT_LANGUAGE'] can be 'fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7,it;q=0.6' but can contains also malicious content
 			$langpref=empty($_SERVER['HTTP_ACCEPT_LANGUAGE'])?'':$_SERVER['HTTP_ACCEPT_LANGUAGE'];
-			$langpref=preg_replace("/;([^,]*)/i", "", $langpref);
+			$langpref=preg_replace("/;([^,]*)/i", "", $langpref);	// Remove the 'q=x.y,' part
 			$langpref=str_replace("-", "_", $langpref);
 			$langlist=preg_split("/[;,]/", $langpref);
-			$codetouse=$langlist[0];
+			$codetouse=preg_replace('/[^_a-zA-Z]/', '', $langlist[0]);
 		}
 		else $codetouse=$srclang;
 
diff --git a/test/phpunit/SecurityTest.php b/test/phpunit/SecurityTest.php
@@ -130,6 +130,24 @@ protected function tearDown()
     	print __METHOD__."\n";
     }
 
+    /**
+     * testSetLang
+     *
+     * @return string
+     */
+    public function testSetLang()
+    {
+    	global $conf;
+    	$conf=$this->savconf;
+
+    	$tmplangs = new Translate('', $conf);
+
+    	$_SERVER['HTTP_ACCEPT_LANGUAGE'] = "' malicious text with quote";
+    	$tmplangs->setDefaultLang('auto');
+    	print __METHOD__.' $tmplangs->defaultlang='.$tmplangs->defaultlang."\n";
+    	$this->assertEquals($tmplangs->defaultlang, 'malicioustextwithquote_MALICIOUSTEXTWITHQUOTE');
+    }
+
     /**
      * testGETPOST
      *

Original file line number	Diff line number	Diff line change
`@@ -88,11 +88,12 @@ public function setDefaultLang($srclang = 'en_US')`
`88`	`88`
`89`	`89`	`if (empty($srclang) \|\| $srclang == 'auto')`
`90`	`90`	`{`
	`91`	`+ // $_SERVER['HTTP_ACCEPT_LANGUAGE'] can be 'fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7,it;q=0.6' but can contains also malicious content`
`91`	`92`	`$langpref=empty($_SERVER['HTTP_ACCEPT_LANGUAGE'])?'':$_SERVER['HTTP_ACCEPT_LANGUAGE'];`
`92`		`- $langpref=preg_replace("/;([^,]*)/i", "", $langpref);`
	`93`	`+ $langpref=preg_replace("/;([^,]*)/i", "", $langpref); // Remove the 'q=x.y,' part`
`93`	`94`	`$langpref=str_replace("-", "_", $langpref);`
`94`	`95`	`$langlist=preg_split("/[;,]/", $langpref);`
`95`		`- $codetouse=$langlist[0];`
	`96`	`+ $codetouse=preg_replace('/[^_a-zA-Z]/', '', $langlist[0]);`
`96`	`97`	`}`
`97`	`98`	`else $codetouse=$srclang;`
`98`	`99`