open-dsi
/
nextcloud-server
mirror of https://github.com/nextcloud/server
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

fix(l10n): Fix language selection

Browse Source 
Signed-off-by: Joas Schilling <coding@schilljs.com>
pull/57420/head
Joas Schilling 3 months ago committed by backportbot[bot]
parent ae4f4e3af2
commit eff3bb4c78
2 changed files with 47 additions and 10 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 41
      lib/private/L10N/Factory.php
  2. 16
      tests/lib/L10N/FactoryTest.php

41
lib/private/L10N/Factory.php
Unescape View File

@ -94,11 +94,8 @@ class Factory implements IFactory {
public function get($app, $lang = null, $locale = null) {
return new LazyL10N(function () use ($app, $lang, $locale) {
$app = $this->appManager->cleanAppId($app);
if ($lang !== null) {
$lang = str_replace(['\0', '/', '\\', '..'], '', $lang);
}
$forceLang = $this->request->getParam('forceLanguage') ?? $this->config->getSystemValue('force_language', false);
$lang = $this->cleanLanguage($lang);
$forceLang = $this->cleanLanguage($this->request->getParam('forceLanguage')) ?? $this->config->getSystemValue('force_language', false);
if (is_string($forceLang)) {
$lang = $forceLang;
}
@ -128,6 +125,29 @@ class Factory implements IFactory {
});
}
/**
* Remove some invalid characters before using a string as a language
*
* @psalm-taint-escape callable
* @psalm-taint-escape cookie
* @psalm-taint-escape file
* @psalm-taint-escape has_quotes
* @psalm-taint-escape header
* @psalm-taint-escape html
* @psalm-taint-escape include
* @psalm-taint-escape ldap
* @psalm-taint-escape shell
* @psalm-taint-escape sql
* @psalm-taint-escape unserialize
*/
private function cleanLanguage(?string $lang): ?string {
if ($lang === null) {
return null;
}
$lang = preg_replace('/[^a-zA-Z0-9.;,=-]/', '', $lang);
return str_replace('..', '', $lang);
}
/**
* Check that $lang is an existing language and not null, otherwise return the language to use instead
*
@ -160,7 +180,7 @@ class Factory implements IFactory {
*/
public function findLanguage(?string $appId = null): string {
// Step 1: Forced language always has precedence over anything else
$forceLang = $this->request->getParam('forceLanguage') ?? $this->config->getSystemValue('force_language', false);
$forceLang = $this->cleanLanguage($this->request->getParam('forceLanguage')) ?? $this->config->getSystemValue('force_language', false);
if (is_string($forceLang)) {
$this->requestLanguage = $forceLang;
}
@ -217,7 +237,7 @@ class Factory implements IFactory {
public function findGenericLanguage(?string $appId = null): string {
// Step 1: Forced language always has precedence over anything else
$forcedLanguage = $this->request->getParam('forceLanguage') ?? $this->config->getSystemValue('force_language', false);
$forcedLanguage = $this->cleanLanguage($this->request->getParam('forceLanguage')) ?? $this->config->getSystemValue('force_language', false);
if ($forcedLanguage !== false) {
return $forcedLanguage;
}
@ -412,7 +432,8 @@ class Factory implements IFactory {
return $language;
}
if (($forcedLanguage = $this->request->getParam('forceLanguage')) !== null) {
$forcedLanguage = $this->cleanLanguage($this->request->getParam('forceLanguage'));
if ($forcedLanguage !== null) {
return $forcedLanguage;
}
@ -426,7 +447,7 @@ class Factory implements IFactory {
}
}
return $this->request->getParam('forceLanguage') ?? $this->config->getSystemValueString('default_language', 'en');
return $this->cleanLanguage($this->request->getParam('forceLanguage')) ?? $this->config->getSystemValueString('default_language', 'en');
}
/**
@ -452,7 +473,7 @@ class Factory implements IFactory {
* @throws LanguageNotFoundException
*/
private function getLanguageFromRequest(?string $app = null): string {
$header = $this->request->getHeader('ACCEPT_LANGUAGE');
$header = $this->cleanLanguage($this->request->getHeader('ACCEPT_LANGUAGE'));
if ($header !== '') {
$available = $this->findAvailableLanguages($app);

16
tests/lib/L10N/FactoryTest.php
Unescape View File

@ -20,6 +20,7 @@ use OCP\IRequest;
use OCP\IUser;
use OCP\IUserSession;
use OCP\L10N\ILanguageIterator;
use PHPUnit\Framework\Attributes\DataProvider;
use PHPUnit\Framework\MockObject\MockObject;
use Test\TestCase;
@ -90,6 +91,21 @@ class FactoryTest extends TestCase {
return new Factory($this->config, $this->request, $this->userSession, $this->cacheFactory, $this->serverRoot, $this->appManager);
}
public static function dataCleanLanguage(): array {
return [
'null shortcut' => [null, null],
'default language' => ['de', 'de'],
'malicious language' => ['de/../fr', 'defr'],
'request language' => ['kab;q=0.8,ka;q=0.7,de;q=0.6', 'kab;q=0.8,ka;q=0.7,de;q=0.6'],
];
}
#[DataProvider('dataCleanLanguage')]
public function testCleanLanguage(?string $lang, ?string $expected): void {
$factory = $this->getFactory();
$this->assertSame($expected, self::invokePrivate($factory, 'cleanLanguage', [$lang]));
}
public static function dataFindAvailableLanguages(): array {
return [
[null],

Write Preview
Loading…
Cancel
Save