sascha
/
nextcloud-server
mirror of https://github.com/nextcloud/server.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

fix(l10n): Fix language selection 

Signed-off-by: Joas Schilling <coding@schilljs.com>
pull/57560/head
Joas Schilling 2025-12-17 07:56:39 +07:00
parent 62c2aa1188
commit c93d057233
No known key found for this signature in database
GPG Key ID: F72FA5B49FFA96B0
2 changed files with 42 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
lib/private/L10N/Factory.php
Unescape Escape View File

@ -133,10 +133,7 @@ class Factory implements IFactory {
public function get($app, $lang = null, $locale = null) {
return new LazyL10N(function () use ($app, $lang, $locale) {
$app = \OC_App::cleanAppId($app);
if ($lang !== null) {
$lang = str_replace(['\0', '/', '\\', '..'], '', $lang);
}
$lang = $this->cleanLanguage($lang);
$forceLang = $this->config->getSystemValue('force_language', false);
if (is_string($forceLang)) {
$lang = $forceLang;
@ -169,6 +166,29 @@ class Factory implements IFactory {
});
}
/**
* Remove some invalid characters before using a string as a language
*
* @psalm-taint-escape callable
* @psalm-taint-escape cookie
* @psalm-taint-escape file
* @psalm-taint-escape has_quotes
* @psalm-taint-escape header
* @psalm-taint-escape html
* @psalm-taint-escape include
* @psalm-taint-escape ldap
* @psalm-taint-escape shell
* @psalm-taint-escape sql
* @psalm-taint-escape unserialize
*/
private function cleanLanguage(?string $lang): ?string {
if ($lang === null) {
return null;
}
$lang = preg_replace('/[^a-zA-Z0-9.;,=-]/', '', $lang);
return str_replace('..', '', $lang);
}
/**
* Find the best language
*
@ -478,7 +498,7 @@ class Factory implements IFactory {
* @throws LanguageNotFoundException
*/
private function getLanguageFromRequest(?string $app = null): string {
$header = $this->request->getHeader('ACCEPT_LANGUAGE');
$header = $this->cleanLanguage($this->request->getHeader('ACCEPT_LANGUAGE'));
if ($header !== '') {
$available = $this->findAvailableLanguages($app);

17
tests/lib/L10N/FactoryTest.php
Unescape Escape View File

@ -84,6 +84,23 @@ class FactoryTest extends TestCase {
return new Factory($this->config, $this->request, $this->userSession, $this->cacheFactory, $this->serverRoot);
}
public static function dataCleanLanguage(): array {
return [
'null shortcut' => [null, null],
'default language' => ['de', 'de'],
'malicious language' => ['de/../fr', 'defr'],
'request language' => ['kab;q=0.8,ka;q=0.7,de;q=0.6', 'kab;q=0.8,ka;q=0.7,de;q=0.6'],
];
}
/**
* @dataProvider dataCleanLanguage
*/
public function testCleanLanguage(?string $lang, ?string $expected): void {
$factory = $this->getFactory();
$this->assertSame($expected, self::invokePrivate($factory, 'cleanLanguage', [$lang]));
}
public function dataFindAvailableLanguages(): array {
return [
[null],