xss: Fix possible vuln setting client lang pref

osTicket · Jan 12, 2015 · b38b3ca · b38b3ca
1 parent b7e75b1
commit b38b3ca
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/client.inc.php b/client.inc.php
@@ -48,7 +48,8 @@
 $thisclient = UserAuthenticationBackend::getUser();
 
 if (isset($_GET['lang']) && $_GET['lang']) {
-    $_SESSION['client:lang'] = $_GET['lang'];
+    if (Internationalization::getLanguageInfo($_GET['lang']))
+        $_SESSION['client:lang'] = $_GET['lang'];
 }
 
 // Bootstrap gettext translations as early as possible, but after attempting