[bugfix] Avoid loading path-looking locales from fs
ichernev committed Mar 27, 2022
1 parent f2a813a commit 4211bfc
Showing 1 changed file with 7 additions and 1 deletion.
8 changes: 7 additions & 1 deletion src/lib/locale/locales.js
Expand Up @@ -62,6 +62,11 @@ function chooseLocale(names) {
return globalLocale;
}

function isLocaleNameSane(name) {
// Prevent names that look like filesystem paths, i.e contain '/' or '\'
return name.match('^[^/\\\\]*$') != null;


kuraga May 11, 2022

@ichernev , why two \\?


omoustaouda Jun 19, 2022

@ichernev, thank you for the patch!

A consideration that comes at first glance: I'd consider allowing only the expected valid characters,
like it-IT, es-ES, ...

instead of preventing the ones that look not sane.
The reason is that there are uncountable ways to escape chars like / and \ to look different and possibly not be caught by this regexp.


spazmodius Apr 24, 2023

@ichernev , why two \\?

Because it's a regex pattern wrapped in a string. The real question is "why not a RegExp literal?"

}

function loadLocale(name) {
var oldLocale = null,
aliasedRequire;
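Review bot: In isLocaleNameSane, the check name.match('^[^/\\\\]*$') != null is a deny-list written as a string pattern, which is harder to read and narrower than it needs to be. Because the pattern is a string, the four backslashes become two when the string is parsed and then one literal backslash inside the character class; a RegExp literal with .test(), for example /^[^\/\\]*$/.test(name), says the same thing with one less escaping layer and returns a boolean directly. The pattern also accepts every string that lacks those two characters, including the empty string, so consider matching only the characters locale names are expected to contain (letters, digits and hyphen, as in it-IT) and rejecting everything else. In the code comment, "i.e" should be "i.e.".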
Expand All @@ -70,7 +75,8 @@ function loadLocale(name) {
locales[name] === undefined &&
typeof module !== 'undefined' &&
module &&
module.exports
module.exports &&
isLocaleNameSane(name)
) {
try {
oldLocale = globalLocale._abbr;
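Review bot: The isLocaleNameSane(name) condition appended to the && chain makes a rejected name skip the load branch silently, and the commit changes only src/lib/locale/locales.js, so the new behaviour ships without a test. Add a test that passes names containing '/' and '\' and asserts that no locale is loaded from the filesystem for them, and add a short comment at this condition saying the guard exists to keep path-looking names from reaching the filesystem.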