r25299 MediaWiki - Code Review archive

Repository:	MediaWiki
Revision:	< r25298‎ \| r25299 \| r25300 >
Date:	01:32, 30 August 2007
Author:	brion
Status:	old
Tags:
Comment:	Validate language input, for goodness' sake. :P http://www.0x000000.com/index.php?i=405
Modified paths:	/trunk/wap/hawpedia.php (modified) (history) /trunk/wap/settings.php (modified) (history)

Diff [purge]

Index: trunk/wap/settings.php
—	—	@@ -13,8 +13,8 @@
14	14	require('lang/' . $_SESSION['language'] . '/phonenumbers.php');
15	15
16	16	if (isset($_GET['save'])) {
17		~~- // store submitted data in session~~
18		~~- if (isset($_GET['lang'])) {~~
	17	+ // store validated submitted data in session
	18	+ if (isset($_GET['lang']) && validate_language($_GET['lang'])) {
19	19	$_SESSION['language'] = $_GET['lang'];
20	20
21	21	// unset language-specific session variables
Index: trunk/wap/hawpedia.php
—	—	@@ -51,13 +51,23 @@
52	52	exit();
53	53	}
54	54
	55	+function validate_language($lang) {
	56	+ global $supportedLanguages;
	57	+ return is_string($lang) &&
	58	+ preg_match('/^[a-z][a-z_]*[a-z]$/', $lang) &&
	59	+ isset($supportedLanguages[$lang]) &&
	60	+ $supportedLanguages[$lang] == 1;
	61	+}
	62	+
55	63	function determine_settings()
56	64	{
57		~~- global $supportedLanguages;~~
	65	+ // Validate previously set session data
	66	+ if (isset($_SESSION['lang']) && !validate_language($_SESSION['lang'])) {
	67	+ unset($_SESSION['lang']);
	68	+ }
58	69
59	70	if (isset($_GET['lang']) &&
60		~~- isset($supportedLanguages[$_GET['lang']]) &&~~
61		~~- ($supportedLanguages[$_GET['lang']] == 1)) {~~
	71	+ validate_language($_GET['lang'])) {
62	72	// language explicitely requested in url parameter
63	73	$_SESSION['language'] = $_GET['lang']; // overwrite session info
64	74	}
—	—	@@ -65,18 +75,19 @@
66	76	{
67	77	// no language info stored in session
68	78	if(isset($_SERVER['HTTP_ACCEPT_LANGUAGE']) &&
69		~~- isset($supportedLanguages[$_SERVER['HTTP_ACCEPT_LANGUAGE']]) &&~~
70		~~- ($supportedLanguages[$_SERVER['HTTP_ACCEPT_LANGUAGE']] == 1) &&~~
	79	+ validate_language($_SERVER['HTTP_ACCEPT_LANGUAGE']) &&
71	80	(!defined('FORCE_DEFAULT_LANGUAGE') \|\| !FORCE_DEFAULT_LANGUAGE))
72	81	{
73	82	// store browser's preference in session
	83	+ // @fixme -- Won't actually work, since Accept-Language
	84	+ // isn't just a language code, but a list of codes with
	85	+ // priority values :)
74	86	$_SESSION['language'] = $_SERVER['HTTP_ACCEPT_LANGUAGE'];
75	87	}
76	88	elseif(isset($_SERVER['HTTP_HOST']) &&
77	89	($dot = strpos($_SERVER['HTTP_HOST'], '.')) &&
78	90	($domlang = substr($_SERVER['HTTP_HOST'], 0, $dot)) &&
79		~~- isset($supportedLanguages[$domlang]) &&~~
80		~~- ($supportedLanguages[$domlang] == 1) &&~~
	91	+ validate_language($domlang) &&
81	92	(defined('FORCE_DEFAULT_LANGUAGE') && ('subdomain'==FORCE_DEFAULT_LANGUAGE)))
82	93	{
83	94	// store language subdomain in session
—	—	@@ -89,6 +100,10 @@
90	101	}
91	102	}
92	103
	104	+ if (!validate_language($_SESSION['language'])) {
	105	+ $_SESSION['language'] = DEFAULT_LANGUAGE;
	106	+ }
	107	+
93	108	require('lang/' . $_SESSION['language'] . '/phonenumbers.php');
94	109
95	110	if (isset($_GET['tel']) &&

Status & tagging log

15:20, 12 September 2011 Meno25 (talk | contribs) changed the status of r25299 [removed: ok added: old]