fix for script execution vulnerability
authorTim Starling <tstarling@users.mediawiki.org>
Mon, 17 Jan 2005 08:40:08 +0000 (08:40 +0000)
committerTim Starling <tstarling@users.mediawiki.org>
Mon, 17 Jan 2005 08:40:08 +0000 (08:40 +0000)
includes/Setup.php
includes/SpecialPreferences.php

index e31aceb..0b4f01a 100644 (file)
@@ -257,7 +257,6 @@ function setupLangObj(&$langclass) {
                                }
 
                        }";
-
                eval($snip);
        }
 
@@ -281,9 +280,8 @@ if( !$wgUser->mDataLoaded ) {
 
 // wgLanguageCode now specifically means the UI language
 $wgLanguageCode = $wgUser->getOption('language');
-if( empty( $wgLanguageCode ) ) {
-       # Quick hack for upgrades where this will be blank,
-       # and it's not handled right. Set to default.
+# Validate $wgLanguageCode, which will soon be sent to an eval()
+if( empty( $wgLanguageCode ) || !preg_match( '/^[a-z\-]*$/', $wgLanguageCode ) ) {
        $wgLanguageCode = $wgContLanguageCode;
 }
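Review bot: The `$` anchor in the new check `!preg_match( '/^[a-z\-]*$/', $wgLanguageCode )` matches before a trailing newline in PCRE, so a stored option value such as `"en\n"` still passes and reaches the eval() the comment refers to; use the `D` modifier or `\z`, i.e. `!preg_match( '/^[a-z\-]*$/D', $wgLanguageCode )`. The same pattern is introduced in the SpecialPreferences.php hunk and needs the same change. Since the value comes from a user option, a lookup against the set of known language codes would be a tighter check than a character class and would also make the `eval($snip)` in setupLangObj easier to retire; whether such a list is available at this point in Setup.php is not visible here.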
 
index d47ad5c..3666030 100644 (file)
@@ -91,6 +91,11 @@ class PreferencesForm {
                                }
                        }
                }
+
+               # Validate language
+               if ( !preg_match( '/^[a-z\-]*$/', $this->mUserLanguage ) ) {
+                       $this->mUserLanguage = 'nolanguage';
+               }
        }
 
        function execute() {
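Review bot: The fallback `$this->mUserLanguage = 'nolanguage';` is an undocumented sentinel; the `# Validate language` comment says what the check does but not what a reader of mUserLanguage should expect from that string, and nothing in the hunk shows what consumes it. A comment such as `# 'nolanguage' is a sentinel meaning "no valid language selected"; consumers of mUserLanguage must handle it` would let the next maintainer confirm the contract — assuming that is the intended meaning, which should be verified against the code that reads the property. The validation sits at the end of a method whose start is outside the hunk, so any earlier use of mUserLanguage within that method would see the unvalidated value; if there is one, the check belongs immediately after the assignment.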