
Fixed #21458 -- Made check_for_language more resistant to malformed i…

…nput.

Thanks to Sergey Sorokin for the report and to Bouke Haarsma for the review.
commit 8f5a688d00f2f73a0913acb04247322f13e2c971 1 parent 331d79a
@bmispelon bmispelon authored
Showing with 8 additions and 2 deletions.
  1. +6 −2 django/utils/translation/trans_real.py
  2. +2 −0  tests/i18n/tests.py
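--- a/django/utils/translation/trans_real.py
+++ b/django/utils/translation/trans_real.py
@@ -44,6 +44,8 @@
 (?:\s*,\s*|$) # Multiple accepts per header.
 ''', re.VERBOSE)
+language_code_re = re.compile(r'^[a-z]{1,8}(?:-[a-z0-9]{1,8})*$', re.IGNORECASE)
+
 language_code_prefix_re = re.compile(r'^/([\w-]+)(/|$)')
 # some browsers use deprecated locales. refs #18419
@@ -393,9 +395,11 @@ def check_for_language(lang_code):
 """
 Checks whether there is a global language file for the given language
 code. This is used to decide whether a user-provided language is
- available. This is only used for language codes from either the cookies
- or session and during format localization.
+ available.
 """
+ # First, a quick check to make sure lang_code is well-formed (#21458)
+ if not language_code_re.search(lang_code):
+ return False
 for path in all_locale_paths():
 if gettext_module.find('django', path, [to_locale(lang_code)]) is not None:
 return True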
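Review bot: The `$` at the end of `language_code_re` also matches just before a trailing newline, so `language_code_re.search(lang_code)` still accepts a value such as `'en\n'` and passes it on to `to_locale()` and `gettext_module.find()`. Anchoring the end with `\Z` makes the check match the whole string: `language_code_re = re.compile(r'^[a-z]{1,8}(?:-[a-z0-9]{1,8})*\Z', re.IGNORECASE)`. Because the docstring describes `lang_code` as user-provided, the comment above the check could also state what the pattern is meant to exclude, for example `# Only hyphen-separated ASCII letter/digit subtags may reach the locale file lookup (#21458)`. The body of `check_for_language` continues past the end of the hunk.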
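--- a/tests/i18n/tests.py
+++ b/tests/i18n/tests.py
@@ -1318,6 +1318,8 @@ def test_check_for_language(self):
 self.assertTrue(check_for_language('en'))
 self.assertTrue(check_for_language('en-us'))
 self.assertTrue(check_for_language('en-US'))
+ self.assertFalse(check_for_language('en-ü'))
+ self.assertFalse(check_for_language('en\x00'))
 def test_get_language_from_request(self):
 # issue 19919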
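Review bot: The two new assertions in `test_check_for_language` cover a non-ASCII character and a NUL byte, but they do not exercise the anchors or the `{1,8}` length bounds of the pattern that rejects them. Adding `self.assertFalse(check_for_language(''))` and `self.assertFalse(check_for_language('en-' + 'a' * 9))` would pin those bounds, so a later loosening of the regex is caught by the suite. The test method starts above the hunk.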