From 829300bf0a1b5c0d09bb7d1b6b89c3dfd637ac18 Mon Sep 17 00:00:00 2001
From: Tim Starling
Date: Mon, 17 Jan 2005 08:40:08 +0000
Subject: [PATCH] fix for script execution vulnerability

---
 includes/Setup.php | 6 ++----
 includes/SpecialPreferences.php | 5 +++++
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/includes/Setup.php b/includes/Setup.php
index e31aceb7fc..0b4f01a11d 100644
--- a/includes/Setup.php
+++ b/includes/Setup.php
@@ -257,7 +257,6 @@ function setupLangObj(&$langclass) {
 }
 }";
-
 eval($snip);
 }
@@ -281,9 +280,8 @@ if( !$wgUser->mDataLoaded ) {
 // wgLanguageCode now specifically means the UI language
 $wgLanguageCode = $wgUser->getOption('language');
-if( empty( $wgLanguageCode ) ) {
- # Quick hack for upgrades where this will be blank,
- # and it's not handled right. Set to default.
+# Validate $wgLanguageCode, which will soon be sent to an eval()
+if( empty( $wgLanguageCode ) || !preg_match( '/^[a-z\-]*$/', $wgLanguageCode ) ) {
 $wgLanguageCode = $wgContLanguageCode;
 }
diff --git a/includes/SpecialPreferences.php b/includes/SpecialPreferences.php
index d47ad5c5d9..366603099d 100644
--- a/includes/SpecialPreferences.php
+++ b/includes/SpecialPreferences.php
@@ -91,6 +91,11 @@ class PreferencesForm {
 }
 }
 }
+
+ # Validate language
+ if ( !preg_match( '/^[a-z\-]*$/', $this->mUserLanguage ) ) {
+ $this->mUserLanguage = 'nolanguage';
+ }
 }
 function execute() {
-- 
2.20.1
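Review bot: The pattern `'/^[a-z\-]*$/'` in the new `if` in Setup.php still accepts a value that ends in a single newline, because a PCRE `$` without the `D` modifier also matches just before a trailing "\n"; the same pattern is reused in the SpecialPreferences.php hunk. Since the new comment says the value is about to reach an eval(), anchor the end strictly in both places, e.g. `'/^[a-z\-]*$/D'` or `'/^[a-z\-]*\z/'`, so that only the listed characters can pass. Whether a trailing newline can actually survive `getOption('language')` is not visible here, but the check should not depend on that. The surrounding top-level code of Setup.php continues outside the hunk.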
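Review bot: The sentinel `'nolanguage'` written to `$this->mUserLanguage` in the new check is undocumented, and because it itself satisfies the pattern, nothing in this hunk tells a later reader that it is a deliberately invalid code rather than a real one or where it is expected to be rejected. A comment on the assignment such as `# Replace a rejected value with a sentinel; consumers of mUserLanguage must treat it as "no language selected"` would make the intent explicit. Note also that the `*` quantifier lets an empty string pass, so an empty `mUserLanguage` is left as-is here; if that is intended, the comment should say so. The enclosing method starts outside the hunk.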