
Fixed security issue with request parameter "__locale" containing code.

commit 72b9ccb3ea25c17133153187f0a26f6efc00d8c7 1 parent cec461a
aZahner authored May 22, 2012 tHerrmann committed May 23, 2012
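--- a/src/org/opencms/i18n/CmsLocaleManager.java
+++ b/src/org/opencms/i18n/CmsLocaleManager.java
@@ -877,7 +877,13 @@ public CmsI18nInfo getI18nInfo(HttpServletRequest req, CmsUser user, CmsProject
             // check request for parameters
             if (localeParam != null) {
                 // "__locale" parameter found in request
-                locale = CmsLocaleManager.getLocale(localeParam);
+                Locale checkLocale = CmsLocaleManager.getLocale(localeParam);
+                if (getAvailableLocales().contains(checkLocale)) {
+                    // parameter generated locale is available
+                    locale = checkLocale;
+                } else {
+                    LOG.warn(Messages.get().getBundle().key(Messages.LOG_CREATE_LOCALE_FAILED_1, checkLocale));
+                }
             }
             // check for "__encoding" parameter in request
             encoding = req.getParameter(CmsLocaleManager.PARAMETER_ENCODING);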
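Review bot: The new `else` branch writes the rejected value to the log unchanged: `checkLocale` is built from the request parameter `__locale`, so client-supplied text reaches a WARN line and every bad request adds one. Neutralise line breaks and bound the length before logging, for example by passing `String.valueOf(checkLocale).replaceAll("[\\r\\n]", "_")` as the message argument, and consider a lower log level so the check cannot be used to flood the log. The comment `// parameter generated locale is available` would read better as `// only accept a requested locale that is configured as available`, which records why the allow-list check exists. The `__encoding` parameter read just below also comes straight from the request; whether it is validated later is not visible here, since getI18nInfo starts and ends outside the hunk.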
