FIX Filtering the HTTP Header "Accept-Language".

Dolibarr · Sep 24, 2019 · c53be23 · c53be23
1 parent 9cfe126
commit c53be23
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 2 deletions.
diff --git a/htdocs/core/class/translate.class.php b/htdocs/core/class/translate.class.php
@@ -88,11 +88,12 @@ public function setDefaultLang($srclang = 'en_US')
 
 		if (empty($srclang) || $srclang == 'auto')
 		{
+			// $_SERVER['HTTP_ACCEPT_LANGUAGE'] can be 'fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7,it;q=0.6' but can contains also malicious content
 			$langpref=empty($_SERVER['HTTP_ACCEPT_LANGUAGE'])?'':$_SERVER['HTTP_ACCEPT_LANGUAGE'];
-			$langpref=preg_replace("/;([^,]*)/i", "", $langpref);
+			$langpref=preg_replace("/;([^,]*)/i", "", $langpref);	// Remove the 'q=x.y,' part
 			$langpref=str_replace("-", "_", $langpref);
 			$langlist=preg_split("/[;,]/", $langpref);
-			$codetouse=$langlist[0];
+			$codetouse=preg_replace('/[^_a-zA-Z]/', '', $langlist[0]);
 		}
 		else $codetouse=$srclang;
 

diff --git a/test/phpunit/SecurityTest.php b/test/phpunit/SecurityTest.php
@@ -130,6 +130,24 @@ protected function tearDown()
     	print __METHOD__."\n";
     }
 
+    /**
+     * testSetLang
+     *
+     * @return string
+     */
+    public function testSetLang()
+    {
+    	global $conf;
+    	$conf=$this->savconf;
+
+    	$tmplangs = new Translate('', $conf);
+
+    	$_SERVER['HTTP_ACCEPT_LANGUAGE'] = "' malicious text with quote";
+    	$tmplangs->setDefaultLang('auto');
+    	print __METHOD__.' $tmplangs->defaultlang='.$tmplangs->defaultlang."\n";
+    	$this->assertEquals($tmplangs->defaultlang, 'malicioustextwithquote_MALICIOUSTEXTWITHQUOTE');
+    }
+
     /**
      * testGETPOST
      *