From 3b829b4385eda5b986baf9fb41e740e563193a0c Mon Sep 17 00:00:00 2001 From: Timo Tijhof Date: Wed, 28 Oct 2015 23:55:39 +0000 Subject: [PATCH] resourceloader: Sanitize lang with isValidBuiltInCode(), not isValidCode() Follows-up r96280 (368dbc5f5b), and r82927 (1e67922842). Language::isValidCode() (used by index.php) allows a very wide range of values, which inflates the msg_resource cache quite a bit (T102058). This is a first step toward locking it down. This change affects both handling of incoming load.php requests, and the formatting of request urls by OutputPage. As such, OutputPage will no longer forward invalid uselang values that are valid for index.php to load.php. Change-Id: I27857ce5949bc616c7179f5f47b24aa2f6765f5f --- includes/resourceloader/ResourceLoaderContext.php | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/includes/resourceloader/ResourceLoaderContext.php b/includes/resourceloader/ResourceLoaderContext.php index c797fd6b94..6c4cdfee97 100644 --- a/includes/resourceloader/ResourceLoaderContext.php +++ b/includes/resourceloader/ResourceLoaderContext.php @@ -158,8 +158,16 @@ class ResourceLoaderContext { */ public function getLanguage() { if ( $this->language === null ) { - // Must be a valid language code after this point (bug 62849) - $this->language = RequestContext::sanitizeLangCode( $this->getRequest()->getVal( 'lang' ) ); + // Must be a valid language code after this point (T64849) + // Only support uselang values that follow built-in conventions (T102058) + $lang = $this->getRequest()->getVal( 'lang', '' ); + // Stricter version of RequestContext::sanitizeLangCode() + if ( !Language::isValidBuiltInCode( $lang ) ) { + wfDebug( "Invalid user language code\n" ); + global $wgLanguageCode; + $lang = $wgLanguageCode; + } + $this->language = $lang; } return $this->language; } -- 2.20.1