From 63394d63f55b1058c3c9e8fdb5979d8304f39685 Mon Sep 17 00:00:00 2001
From: Tim Starling <tstarling@users.mediawiki.org>
Date: Tue, 1 Feb 2011 22:43:58 +0000
Subject: [PATCH] (bug 27094) fix path traversal vulnerability

---
 includes/StubObject.php |  2 +-
 languages/Language.php  | 23 +++++++++++++++++++++++
 2 files changed, 24 insertions(+), 1 deletion(-)

diff --git a/includes/StubObject.php b/includes/StubObject.php
index 391a9f1f41..96551f36a5 100644
--- a/includes/StubObject.php
+++ b/includes/StubObject.php
@@ -152,7 +152,7 @@ class StubUserLang extends StubObject {
 		$code = strtolower( $code );
 
 		# Validate $code
-		if( empty( $code ) || !preg_match( '/^[a-z-]+$/', $code ) || ( $code === 'qqq' ) ) {
+		if( empty( $code ) || !Language::isValidCode( $code ) || ( $code === 'qqq' ) ) {
 			wfDebug( "Invalid user language code\n" );
 			$code = $wgLanguageCode;
 		}
diff --git a/languages/Language.php b/languages/Language.php
index 6cfee8f9c2..edd607b483 100644
--- a/languages/Language.php
+++ b/languages/Language.php
@@ -154,6 +154,14 @@ class Language {
 	protected static function newFromCode( $code ) {
 		global $IP;
 		static $recursionLevel = 0;
+
+		// Protect against path traversal below
+		if ( !Language::isValidCode( $code ) 
+			|| strcspn( $code, "/\\\000" ) !== strlen( $code ) ) 
+		{
+			throw new MWException( "Invalid language code \"$code\"" );
+		}
+
 		if ( $code == 'en' ) {
 			$class = 'Language';
 		} else {
@@ -183,6 +191,14 @@ class Language {
 		return $lang;
 	}
 
+	/**
+	 * Returns true if a language code string is of a valid form, whether or 
+	 * not it exists.
+	 */
+	public static function isValidCode( $code ) {
+		return (bool)preg_match( '/^[a-z-]+$/', $code );
+	}
+
 	/**
 	 * Get the LocalisationCache instance
 	 */
@@ -2812,6 +2828,13 @@ class Language {
 	 * @return string $prefix . $mangledCode . $suffix
 	 */
 	static function getFileName( $prefix = 'Language', $code, $suffix = '.php' ) {
+		// Protect against path traversal
+		if ( !Language::isValidCode( $code ) 
+			|| strcspn( $code, "/\\\000" ) !== strlen( $code ) ) 
+		{
+			throw new MWException( "Invalid language code \"$code\"" );
+		}
+		
 		return $prefix . str_replace( '-', '_', ucfirst( $code ) ) . $suffix;
 	}
 
-- 
2.20.1