mbk-lab
/
nextcloud
2
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Hardening: Remove dangerous characters + Subdirectory Check 

If an user is able to create folders in /core/l10n/ he is able to execute arbitrary code. Therefore I've added an `issubdirectory` check and removed all potential dangerous characters from `$lang`.
This commit is contained in:
Lukas Reschke 2014-02-19 15:38:00 +01:00
parent 952584e9c7
commit 2d5b3899a6
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
lib/private/l10n.php
View File

@ -118,7 +118,7 @@ class OC_L10N implements \OCP\IL10N {
return;
}
$app = OC_App::cleanAppId($this->app);
$lang = $this->lang;
$lang = str_replace(array('\0', '/', '\\', '..'), '', $this->lang);
$this->app = true;
// Find the right language
if(is_null($lang) || $lang == '') {
@ -163,7 +163,7 @@ class OC_L10N implements \OCP\IL10N {
}
}
if(file_exists(OC::$SERVERROOT.'/core/l10n/l10n-'.$lang.'.php')) {
if(file_exists(OC::$SERVERROOT.'/core/l10n/l10n-'.$lang.'.php') && OC_Helper::issubdirectory(OC::$SERVERROOT.'/core/l10n/l10n-'.$lang.'.php', OC::$SERVERROOT.'/core/l10n/')) {
// Include the file, save the data from $CONFIG
include OC::$SERVERROOT.'/core/l10n/l10n-'.$lang.'.php';
if(isset($LOCALIZATIONS) && is_array($LOCALIZATIONS)) {