From 2d5b3899a68adb496d6e20e93352395ba7b5dd2e Mon Sep 17 00:00:00 2001
From: Lukas Reschke <lukas@statuscode.ch>
Date: Wed, 19 Feb 2014 15:38:00 +0100
Subject: [PATCH] Hardening: Remove dangerous characters + Subdirectory Check

If an user is able to create folders in /core/l10n/ he is able to execute arbitrary code. Therefore I've added an `issubdirectory` check and removed all potential dangerous characters from `$lang`.
---
 lib/private/l10n.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/private/l10n.php b/lib/private/l10n.php
index 1ade18ea42..ad979a9287 100644
--- a/lib/private/l10n.php
+++ b/lib/private/l10n.php
@@ -118,7 +118,7 @@ class OC_L10N implements \OCP\IL10N {
 			return;
 		}
 		$app = OC_App::cleanAppId($this->app);
-		$lang = $this->lang;
+		$lang = str_replace(array('\0', '/', '\\', '..'), '', $this->lang);
 		$this->app = true;
 		// Find the right language
 		if(is_null($lang) || $lang == '') {
@@ -163,7 +163,7 @@ class OC_L10N implements \OCP\IL10N {
 				}
 			}
 
-			if(file_exists(OC::$SERVERROOT.'/core/l10n/l10n-'.$lang.'.php')) {
+			if(file_exists(OC::$SERVERROOT.'/core/l10n/l10n-'.$lang.'.php') && OC_Helper::issubdirectory(OC::$SERVERROOT.'/core/l10n/l10n-'.$lang.'.php', OC::$SERVERROOT.'/core/l10n/')) {
 				// Include the file, save the data from $CONFIG
 				include OC::$SERVERROOT.'/core/l10n/l10n-'.$lang.'.php';
 				if(isset($LOCALIZATIONS) && is_array($LOCALIZATIONS)) {