$code = strtolower( $code );
# Validate $code
- if( empty( $code ) || !preg_match( '/^[a-z-]+$/', $code ) || ( $code === 'qqq' ) ) {
+ if( empty( $code ) || !Language::isValidCode( $code ) || ( $code === 'qqq' ) ) {
wfDebug( "Invalid user language code\n" );
$code = $wgLanguageCode;
}
protected static function newFromCode( $code ) {
global $IP;
static $recursionLevel = 0;
+
+ // Protect against path traversal below
+ if ( !Language::isValidCode( $code )
+ || strcspn( $code, "/\\\000" ) !== strlen( $code ) )
+ {
+ throw new MWException( "Invalid language code \"$code\"" );
+ }
+
if ( $code == 'en' ) {
$class = 'Language';
} else {
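Review bot: The guard added at the top of newFromCode is repeated verbatim in getFileName, and its second clause cannot fire once isValidCode() has passed, because the pattern admits only `a-z` and `-`. If the strcspn() test is kept as defence in depth in case the pattern is loosened later, say so in the comment, e.g. `// Defence in depth: reject path separators and NUL even if isValidCode() is relaxed later`. Consider moving both clauses into one private static helper so the two call sites cannot drift apart. The body of newFromCode continues outside this hunk.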
return $lang;
}
+ /**
+ * Returns true if a language code string is of a valid form, whether or
+ * not it exists.
+ */
+ public static function isValidCode( $code ) {
+ return (bool)preg_match( '/^[a-z-]+$/', $code );
+ }
+
/**
* Get the LocalisationCache instance
*/
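Review bot: In isValidCode the pattern ends in `$` without the `D` modifier, so PCRE also accepts a code followed by a single trailing newline. The strcspn() checks in newFromCode and getFileName do not list `\n` either, so such a value would still reach the file-name construction. Anchor to the true end of the string with `return (bool)preg_match( '/^[a-z-]+$/D', $code );`. The user-language check in the first hunk calls the same helper and inherits the same behaviour. The docblock could also state that `$code` is expected to be an already-lowercased string.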
* @return string $prefix . $mangledCode . $suffix
*/
static function getFileName( $prefix = 'Language', $code, $suffix = '.php' ) {
+ // Protect against path traversal
+ if ( !Language::isValidCode( $code )
+ || strcspn( $code, "/\\\000" ) !== strlen( $code ) )
+ {
+ throw new MWException( "Invalid language code \"$code\"" );
+ }
+
return $prefix . str_replace( '-', '_', ucfirst( $code ) ) . $suffix;
}
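Review bot: getFileName can now throw, but the docblock above it (only partly visible in this hunk) shows no `@throws` line. Add `@throws MWException if $code is not a valid language code` so callers know the function is no longer a pure string builder. Only `$code` is checked here; `$prefix` and `$suffix` are concatenated as given, which is fine if every caller passes constants, but that cannot be confirmed from this hunk.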