
Fixed security issue with request parameter "__locale" containing code.

1 parent cec461a commit 72b9ccb3ea25c17133153187f0a26f6efc00d8c7 @aZahner aZahner committed with tHerrmann May 22, 2012
Showing with 7 additions and 1 deletion.
  1. +7 −1 src/org/opencms/i18n/CmsLocaleManager.java
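--- a/src/org/opencms/i18n/CmsLocaleManager.java
+++ b/src/org/opencms/i18n/CmsLocaleManager.java
@@ -877,7 +877,13 @@ public CmsI18nInfo getI18nInfo(HttpServletRequest req, CmsUser user, CmsProject
 // check request for parameters
 if (localeParam != null) {
 // "__locale" parameter found in request
-locale = CmsLocaleManager.getLocale(localeParam);
+Locale checkLocale = CmsLocaleManager.getLocale(localeParam);
+if (getAvailableLocales().contains(checkLocale)) {
+// parameter generated locale is available
+locale = checkLocale;
+} else {
+LOG.warn(Messages.get().getBundle().key(Messages.LOG_CREATE_LOCALE_FAILED_1, checkLocale));
+}
 }
 // check for "__encoding" parameter in request
 encoding = req.getParameter(CmsLocaleManager.PARAMETER_ENCODING);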
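Review bot: The new `else` branch writes the rejected value to the log at WARN level, and `checkLocale` is built from the raw "__locale" request parameter, so whatever `getLocale` (not visible in this hunk) lets through reaches the log unchanged. If that can include line breaks or markup, a request can forge log lines or plant content for a log viewer, and any client that reaches this code path can fill the log with warnings. I would neutralise control characters before logging, passing `String.valueOf(checkLocale).replaceAll("\\p{Cntrl}", "_")` as the message argument. Consider a lower level or a dedicated message key as well, since `LOG_CREATE_LOCALE_FAILED_1` reads as a creation failure rather than an unavailable locale. The "__encoding" parameter read on the following context line gets no comparable check here; whether it is validated later in `getI18nInfo` is outside the hunk.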
