extern/egroupware_official
1
0
Fork 0
mirror of https://github.com/EGroupware/egroupware.git synced 2024-11-22 07:53:39 +01:00
Code Issues Packages Projects Releases Wiki Activity

fixed problem pointed out by Nahuel Grisolia <ngrisolia@cybsec.com>

Browse Source
This commit is contained in:
Ralf Becker 2010-02-13 02:57:22 +00:00
parent 22630b849a
commit aca8b220df
8 changed files with 29 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
login.php
View File

@ -310,7 +310,7 @@ else
$remember_time,'/'); // make the cookie valid for the whole site (incl. sitemgr) and not only the eGW install-dir $remember_time,'/'); // make the cookie valid for the whole site (incl. sitemgr) and not only the eGW install-dir
} }
if ($_POST['lang'] && preg_match('/^[a-z]{2}(-[a-z]{2}){0,1}$/',$_POST['lang']) && if ($_POST['lang'] && preg_match('/^[a-z]{2}(-[a-z]{2})?$/',$_POST['lang']) &&
$_POST['lang'] != $GLOBALS['egw_info']['user']['preferences']['common']['lang']) $_POST['lang'] != $GLOBALS['egw_info']['user']['preferences']['common']['lang'])
{ {
$GLOBALS['egw']->preferences->add('common','lang',$_POST['lang'],'session'); $GLOBALS['egw']->preferences->add('common','lang',$_POST['lang'],'session');
@ -369,7 +369,7 @@ else
$GLOBALS['egw_info']['user']['preferences'] = $prefs->read_repository(); $GLOBALS['egw_info']['user']['preferences'] = $prefs->read_repository();
} }
} }
if ($_GET['lang']) if ($_GET['lang'] && preg_match('/^[a-z]{2}(-[a-z]{2})?$/',$_GET['lang']))
{ {
$GLOBALS['egw_info']['user']['preferences']['common']['lang'] = $_GET['lang']; $GLOBALS['egw_info']['user']['preferences']['common']['lang'] = $_GET['lang'];
} }

10
phpgwapi/inc/class.egw_framework.inc.php
View File

@ -215,9 +215,11 @@ abstract class egw_framework
*/ */
protected function _get_header() protected function _get_header()
{ {
// get used language code // get used language code (with a little xss check, if someone tries to sneak something in)
$lang_code = $GLOBALS['egw_info']['user']['preferences']['common']['lang']; if (preg_match('/^[a-z]{2}(-[a-z]{2})?$/',$GLOBALS['egw_info']['user']['preferences']['common']['lang']))
{
$lang_code = $GLOBALS['egw_info']['user']['preferences']['common']['lang'];
}
//pngfix defaults to yes //pngfix defaults to yes
if(!$GLOBALS['egw_info']['user']['preferences']['common']['disable_pngfix']) if(!$GLOBALS['egw_info']['user']['preferences']['common']['disable_pngfix'])
{ {
@ -269,9 +271,7 @@ abstract class egw_framework
$wz_tooltip.'?'.filemtime(EGW_SERVER_ROOT.$wz_tooltip).'" type="text/javascript"></script>'; $wz_tooltip.'?'.filemtime(EGW_SERVER_ROOT.$wz_tooltip).'" type="text/javascript"></script>';
} }
return $this->_get_css()+array( return $this->_get_css()+array(
#'img_icon' => EGW_IMAGES_DIR . '/favicon.ico',
'img_icon' => $var['favicon_file'], 'img_icon' => $var['favicon_file'],
#'img_shortcut' => EGW_IMAGES_DIR . '/favicon.ico',
'img_shortcut' => $var['favicon_file'], 'img_shortcut' => $var['favicon_file'],
'pngfix' => $pngfix, 'pngfix' => $pngfix,
'slider_effects' => $slider_effects, 'slider_effects' => $slider_effects,

2
setup/check_install.php
View File

@ -768,7 +768,7 @@ if ($run_by_webserver)
)); ));
$ConfigDomain = get_var('ConfigDomain',Array('POST','COOKIE')); $ConfigDomain = get_var('ConfigDomain',Array('POST','COOKIE'));
if (@$_GET['intro']) { if (@$_GET['intro']) {
if($ConfigLang = get_var('ConfigLang',array('POST','COOKIE'))) if(($ConfigLang = setup::get_lang()))
{ {
$GLOBALS['egw_setup']->set_cookie('ConfigLang',$ConfigLang,(int) (time()+(1200*9)),'/'); $GLOBALS['egw_setup']->set_cookie('ConfigLang',$ConfigLang,(int) (time()+(1200*9)),'/');
} }

18
setup/inc/class.setup.inc.php
View File

@ -197,6 +197,21 @@ class setup
} }
setcookie($cookiename,$cookievalue,$cookietime,'/',$this->cookie_domain); setcookie($cookiename,$cookievalue,$cookietime,'/',$this->cookie_domain);
} }
/**
* Get configuration language from $_POST or $_COOKIE and validate it
*
* @return string
*/
static function get_lang()
{
$ConfigLang = get_var('ConfigLang', array('POST','COOKIE'));
if (preg_match('/^[a-z]{2}(-[a-z]{2})?$',$ConfigLang))
{
return $ConfigLang;
}
return 'en';
}
/** /**
* authenticate the setup user * authenticate the setup user
@ -207,7 +222,8 @@ class setup
{ {
#phpinfo(); #phpinfo();
$FormLogout = get_var('FormLogout', array('GET','POST')); $FormLogout = get_var('FormLogout', array('GET','POST'));
$ConfigLang = get_var('ConfigLang', array('POST','COOKIE')); $ConfigLang = self::get_lang();
if (!preg_match('/^['))
if(!$FormLogout) if(!$FormLogout)
{ {
$ConfigLogin = get_var('ConfigLogin', array('POST')); $ConfigLogin = get_var('ConfigLogin', array('POST'));

2
setup/inc/class.setup_html.inc.php
View File

@ -169,7 +169,7 @@
$manual_remote_egw_url = 'http://manual.egroupware.org/egroupware'; $manual_remote_egw_url = 'http://manual.egroupware.org/egroupware';
$url_parts = explode('/',$_SERVER['PHP_SELF']); $url_parts = explode('/',$_SERVER['PHP_SELF']);
$script = array_pop($url_parts); $script = array_pop($url_parts);
$lang = get_var('ConfigLang',Array('POST','COOKIE')); $lang = setup::get_lang();
$url = $manual_remote_egw_url.'/manual/index.php?referer='.urlencode($manual_remote_egw_url.'/setup/'.$script). $url = $manual_remote_egw_url.'/manual/index.php?referer='.urlencode($manual_remote_egw_url.'/setup/'.$script).
($lang ? '&lang='.urlencode($lang) : ''); ($lang ? '&lang='.urlencode($lang) : '');
$GLOBALS['setup_tpl']->set_var('manual','<a href="'.$url.'" target="manual" onclick="'. $GLOBALS['setup_tpl']->set_var('manual','<a href="'.$url.'" target="manual" onclick="'.

2
setup/inc/class.setup_process.inc.php
View File

@ -188,7 +188,7 @@ class setup_process
$langs = false; $langs = false;
if ($method == 'new') if ($method == 'new')
{ {
$langs[] = ($own_lang = get_var('ConfigLang',Array('POST','COOKIE'))); $langs[] = ($own_lang = setup::get_lang());
if ($own_lang != 'en') $langs[] = 'en'; if ($own_lang != 'en') $langs[] = 'en';
} }
$this->translation->drop_add_all_langs($langs); $this->translation->drop_add_all_langs($langs);

2
setup/inc/class.setup_translation.inc.php
View File

@ -32,7 +32,7 @@ class setup_translation
*/ */
function __construct() function __construct()
{ {
$ConfigLang = get_var('ConfigLang',Array('POST','COOKIE')); $ConfigLang = setup::get_lang();
if(!$ConfigLang) if(!$ConfigLang)
{ {

2
setup/inc/functions.inc.php
View File

@ -108,7 +108,7 @@ function lang_select($onChange=False,$ConfigLang='')
{ {
if (!$ConfigLang) if (!$ConfigLang)
{ {
$ConfigLang = get_var('ConfigLang',Array('POST','COOKIE')); $ConfigLang = setup::get_lang();
} }
$select = '<select name="ConfigLang"'.($onChange ? ' onchange="this.form.submit();"' : '').'>' . "\n"; $select = '<select name="ConfigLang"'.($onChange ? ' onchange="this.form.submit();"' : '').'>' . "\n";
$languages = get_langs(); $languages = get_langs();