From a8803dbd9af89b834ef329c030d94546d6cd6408 Mon Sep 17 00:00:00 2001
From: Ralf Becker
Date: Sat, 13 Feb 2010 03:43:42 +0000
Subject: [PATCH] fixed problem pointed out by Nahuel Grisolia

---
 login.php | 4 ++--
 phpgwapi/inc/class.egw_framework.inc.php | 8 +++++---
 setup/check_install.php | 2 +-
 setup/inc/class.setup.inc.php | 18 +++++++++++++++++-
 setup/inc/class.setup_html.inc.php | 2 +-
 setup/inc/class.setup_process.inc.php | 2 +-
 setup/inc/class.setup_translation.inc.php | 2 +-
 setup/inc/functions.inc.php | 2 +-
 8 files changed, 29 insertions(+), 11 deletions(-)

diff --git a/login.php b/login.php
index a12893de51..b7870f6ce4 100755
--- a/login.php
+++ b/login.php
@@ -310,7 +310,7 @@ else
 $remember_time,'/'); // make the cookie valid for the whole site (incl. sitemgr) and not only the eGW install-dir
 }
- if ($_POST['lang'] && preg_match('/^[a-z]{2}(-[a-z]{2}){0,1}$/',$_POST['lang']) &&
+ if ($_POST['lang'] && preg_match('/^[a-z]{2}(-[a-z]{2})?$/',$_POST['lang']) &&
 $_POST['lang'] != $GLOBALS['egw_info']['user']['preferences']['common']['lang'])
 {
 $GLOBALS['egw']->preferences->add('common','lang',$_POST['lang'],'session');
@@ -369,7 +369,7 @@ else
 $GLOBALS['egw_info']['user']['preferences'] = $prefs->read_repository();
 }
 }
- if ($_GET['lang'])
+ if ($_GET['lang'] && preg_match('/^[a-z]{2}(-[a-z]{2})?$/',$_GET['lang']))
 {
 $GLOBALS['egw_info']['user']['preferences']['common']['lang'] = $_GET['lang'];
 }
diff --git a/phpgwapi/inc/class.egw_framework.inc.php b/phpgwapi/inc/class.egw_framework.inc.php
index 63c59dd7e8..25e27ff344 100644
--- a/phpgwapi/inc/class.egw_framework.inc.php
+++ b/phpgwapi/inc/class.egw_framework.inc.php
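Review bot: The language pattern `'/^[a-z]{2}(-[a-z]{2})?$/'` is written out as a separate literal at four sites in this commit — this hunk, the `$_GET['lang']` hunk below it, egw_framework::_get_header() and the new setup::get_lang() — which is a point of style rather than a defect here, but the copies have already drifted (the setup copy lacks its closing delimiter). One shared helper, for example `function egw_valid_lang($lang) { return (bool) preg_match('/^[a-z]{2}(-[a-z]{2})?$/', $lang); }` (name constructed), called from each site would keep the check identical everywhere and give one place to tighten it later. The enclosing else-branch starts and ends outside the hunk.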
@@ -203,9 +203,11 @@ abstract class egw_framework
 */
 protected function _get_header()
 {
- // get used language code
- $lang_code = $GLOBALS['egw_info']['user']['preferences']['common']['lang'];
-
+ // get used language code (with a little xss check, if someone tries to sneak something in)
+ if (preg_match('/^[a-z]{2}(-[a-z]{2})?$/',$GLOBALS['egw_info']['user']['preferences']['common']['lang']))
+ {
+ $lang_code = $GLOBALS['egw_info']['user']['preferences']['common']['lang'];
+ }
 //pngfix defaults to yes
 if(!$GLOBALS['egw_info']['user']['preferences']['common']['disable_pngfix'])
 {
diff --git a/setup/check_install.php b/setup/check_install.php
index 2e738af206..e0f9a22b74 100644
--- a/setup/check_install.php
+++ b/setup/check_install.php
@@ -774,7 +774,7 @@ if ($run_by_webserver)
 ));
 $ConfigDomain = get_var('ConfigDomain',Array('POST','COOKIE'));
 if (@$_GET['intro']) {
- if($ConfigLang = get_var('ConfigLang',array('POST','COOKIE')))
+ if(($ConfigLang = setup::get_lang()))
 {
 $GLOBALS['egw_setup']->set_cookie('ConfigLang',$ConfigLang,(int) (time()+(1200*9)),'/');
 }
diff --git a/setup/inc/class.setup.inc.php b/setup/inc/class.setup.inc.php
index 1b2984ea67..149e63986f 100644
--- a/setup/inc/class.setup.inc.php
+++ b/setup/inc/class.setup.inc.php
@@ -197,6 +197,21 @@ class setup
 }
 setcookie($cookiename,$cookievalue,$cookietime,'/',$this->cookie_domain);
 }
+
+ /**
+ * Get configuration language from $_POST or $_COOKIE and validate it
+ *
+ * @return string
+ */
+ static function get_lang()
+ {
+ $ConfigLang = get_var('ConfigLang', array('POST','COOKIE'));
+ if (preg_match('/^[a-z]{2}(-[a-z]{2})?$',$ConfigLang))
+ {
+ return $ConfigLang;
+ }
+ return 'en';
+ }
 /**
 * authenticate the setup user
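Review bot: `$lang_code` is no longer assigned when the stored preference fails the pattern, whereas the removed line assigned it unconditionally, so the rest of `_get_header()` (outside the hunk) reads an undefined variable in that case — a notice and an empty value instead of a deliberate fallback. Initialising it before the check, `$lang_code = 'en'; // fallback when the stored preference is not a plain language code`, keeps the header well-formed when the check rejects the value; 'en' is also the fallback the new setup::get_lang() in this commit uses. A preference that fails this check was written by something with access to the preference store, so it may also be worth logging the rejection rather than dropping it silently — hedged, since I cannot see how the value reaches the preferences from here.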
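Review bot: The condition `if(($ConfigLang = setup::get_lang()))` can no longer be false, because get_lang() returns 'en' whenever nothing valid was submitted, so the ConfigLang cookie is now set on every intro request, whereas the removed line only set it when a value had been posted or was already in the cookie. If always setting it is intended, the `if` is dead and can go; if not, keep a presence test on get_var() and use get_lang() only for the value that is stored. The enclosing `if (@$_GET['intro'])` block ends outside the hunk.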
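Review bot: The pattern in `preg_match('/^[a-z]{2}(-[a-z]{2})?$',$ConfigLang)` has no closing `/` delimiter, so preg_match() emits a "No ending delimiter" warning and returns false for every input, and get_lang() always returns 'en'. Every caller this commit switches to it (check_install.php, setup_html, authenticate()) therefore loses the configured language, and the validation the method is meant to provide never runs against the submitted value. The line should read `if (preg_match('/^[a-z]{2}(-[a-z]{2})?$/',$ConfigLang))`. The method also declares no visibility; `public static function get_lang()` states what the callers outside the class rely on.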
@@ -207,7 +222,8 @@ class setup
 {
 #phpinfo();
 $FormLogout = get_var('FormLogout', array('GET','POST'));
- $ConfigLang = get_var('ConfigLang', array('POST','COOKIE'));
+ $ConfigLang = self::get_lang();
+ if (!preg_match('/^['))
 if(!$FormLogout)
 {
 $ConfigLogin = get_var('ConfigLogin', array('POST'));
diff --git a/setup/inc/class.setup_html.inc.php b/setup/inc/class.setup_html.inc.php
index 4bfa346aa8..fc714df20f 100644
--- a/setup/inc/class.setup_html.inc.php
+++ b/setup/inc/class.setup_html.inc.php
@@ -169,7 +169,7 @@
 $manual_remote_egw_url = 'http://manual.egroupware.org/egroupware';
 $url_parts = explode('/',$_SERVER['PHP_SELF']);
 $script = array_pop($url_parts);
- $lang = get_var('ConfigLang',Array('POST','COOKIE'));
+ $lang = setup::get_lang();
 $url = $manual_remote_egw_url.'/manual/index.php?referer='.urlencode($manual_remote_egw_url.'/setup/'.$script). ($lang ? '&lang='.urlencode($lang) : '');
 $GLOBALS['setup_tpl']->set_var('manual','' . "\n"; $languages = get_langs();
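Review bot: `if (!preg_match('/^['))` is a leftover fragment and should be deleted: it calls preg_match() with a single argument and an unterminated character class, and because it has no body of its own the following `if(!$FormLogout)` block becomes its conditional body, so the login/logout handling now runs only when that broken call happens to return a falsy value — with a warning on every request on the PHP of the time, and a fatal error on versions that enforce argument counts. The validation it seems to reach for is already done by the `self::get_lang()` call on the preceding line. The enclosing method starts and ends outside the hunk.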