From 9a4e9e54f26b0c1bf69c5be1f5b0fea93134c06a Mon Sep 17 00:00:00 2001 From: Chris Cormack Date: Fri, 25 Nov 2011 19:07:28 +1300 Subject: [PATCH] Bug 6629 : Sanitizing input from language cookie I dont think we can use only 2 digits, some languages is much longer zh-hans-TW for example But the regex should stop it bening able handle nasty chars, whitelisting safe ones instead Signed-off-by: Katrin Fischer I checked the patch doesn't break language switching and language selection. Signed-off-by: Paul Poulain I confirm the bug security issue was not here for master, but this fix improve the behaviour, so pushing it --- C4/Templates.pm | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/C4/Templates.pm b/C4/Templates.pm index c2a5911e4c..73d94c2399 100644 --- a/C4/Templates.pm +++ b/C4/Templates.pm @@ -277,8 +277,7 @@ sub themelanguage { my @languages = split(",", C4::Context->preference( $is_intranet ? 'language' : 'opaclanguages')); my $lang; - $lang = $query->cookie('KohaOpacLanguage') - if defined $query and $query->cookie('KohaOpacLanguage'); + $lang = getlanguagecookie($query); unless ($lang) { my $http_accept_language = $ENV{ HTTP_ACCEPT_LANGUAGE }; $lang = accept_language( $http_accept_language, @@ -327,8 +326,7 @@ sub getlanguagecookie { $lang = $ENV{HTTP_ACCEPT_LANGUAGE}; } - $lang = substr($lang, 0, 2); - + $lang =~ s/[^a-zA-Z_-]*//; #sanitzie return $lang; } -- 2.39.5