diff options
| author | Lukas Reschke <lukas@statuscode.ch> | 2014-02-20 11:46:11 +0100 |
|---|---|---|
| committer | Lukas Reschke <lukas@statuscode.ch> | 2014-02-20 11:46:11 +0100 |
| commit | 8114843973d62b33bb9611634b28f220b5b59e2b (patch) | |
| tree | dccae47a0639a374d599f26e4a7a3966f3756467 | |
| parent | 65c0b73c8783e03418a861e62a7e2bba8515a9fe (diff) | |
| parent | 2d5b3899a68adb496d6e20e93352395ba7b5dd2e (diff) | |
| download | nextcloud-server-8114843973d62b33bb9611634b28f220b5b59e2b.tar.gz nextcloud-server-8114843973d62b33bb9611634b28f220b5b59e2b.zip | |
Merge pull request #7287 from owncloud/subdirectory-harden
Hardening: Remove dangerous characters + Subdirectory Check
| -rw-r--r-- | lib/private/l10n.php | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/lib/private/l10n.php b/lib/private/l10n.php index 1ade18ea427..ad979a92870 100644 --- a/lib/private/l10n.php +++ b/lib/private/l10n.php @@ -118,7 +118,7 @@ class OC_L10N implements \OCP\IL10N { return; } $app = OC_App::cleanAppId($this->app); - $lang = $this->lang; + $lang = str_replace(array('\0', '/', '\\', '..'), '', $this->lang); $this->app = true; // Find the right language if(is_null($lang) || $lang == '') { @@ -163,7 +163,7 @@ class OC_L10N implements \OCP\IL10N { } } - if(file_exists(OC::$SERVERROOT.'/core/l10n/l10n-'.$lang.'.php')) { + if(file_exists(OC::$SERVERROOT.'/core/l10n/l10n-'.$lang.'.php') && OC_Helper::issubdirectory(OC::$SERVERROOT.'/core/l10n/l10n-'.$lang.'.php', OC::$SERVERROOT.'/core/l10n/')) { // Include the file, save the data from $CONFIG include OC::$SERVERROOT.'/core/l10n/l10n-'.$lang.'.php'; if(isset($LOCALIZATIONS) && is_array($LOCALIZATIONS)) { |