From 2396e98fb94d6f78fd5850c04080605efa094572 Mon Sep 17 00:00:00 2001
From: Isaac Connor
Date: Tue, 8 Feb 2022 14:17:30 -0500
Subject: [PATCH] detaint language file.
---
 web/includes/lang.php | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/web/includes/lang.php b/web/includes/lang.php
index 78a64a0e1..9fb4c8193 100644
--- a/web/includes/lang.php
+++ b/web/includes/lang.php
@@ -30,20 +30,21 @@ function translate($name) {
 function loadLanguage($prefix='') {
 global $user;
- if ( $prefix )
+ if ($prefix)
 $prefix = $prefix.'/';
- if ( isset($user['Language']) and $user['Language'] ) {
- $userLangFile = $prefix.'lang/'.$user['Language'].'.php';
+ if (isset($user['Language']) and $user['Language']) {
+ # Languages can only have letters, numbers and underscore
+ $userLangFile = $prefix.'lang/'.preg_replace('/[^[:alnum:]_]+/', '', $user['Language']).'.php';
- if ( file_exists($userLangFile) ) {
+ if (file_exists($userLangFile)) {
 return $userLangFile;
 } else {
 ZM\Warning("User language file $userLangFile does not exist.");
 }
 }
- $systemLangFile = $prefix.'lang/'.ZM_LANG_DEFAULT.'.php';
+ $systemLangFile = $prefix.'lang/'.preg_replace('/[^[:alnum:]_]+/', '', ZM_LANG_DEFAULT).'.php';
 if ( file_exists($systemLangFile) ) {
 return $systemLangFile;
 } else {
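Review bot: On the added `$userLangFile` line, `preg_replace` silently strips disallowed characters instead of rejecting the value, so a `Language` setting containing dots or path separators is quietly normalised and the later `ZM\Warning` only ever logs the cleaned path, leaving no record that a malformed value was supplied. Consider validating and logging the rejection before falling back to the system default, e.g. `if (!preg_match('/^[A-Za-z0-9_]+$/D', $user['Language'])) { ZM\Warning('Invalid characters in user language setting, ignoring it'); }`. An explicit ASCII range also avoids `[:alnum:]` possibly matching locale-dependent bytes when a non-C `LC_CTYPE` is in effect, and moving the check into one small helper would remove the pattern duplicated on the `$systemLangFile` line. `$prefix` is still concatenated unchanged; whether callers can influence it is not visible here, and the body of `loadLanguage` continues past the end of the hunk.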