Merge pull request #156 from soukicz/master

php injection - validate eval input from plural forms
php-gettext · Aug 24, 2017 · 372d40f · 372d40f
2 parents 4f57f00 + 5754451
commit 372d40f
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 0 deletions.
diff --git a/src/Translator.php b/src/Translator.php
@@ -238,6 +238,9 @@ protected function getPluralIndex($domain, $n, $fallback)
      */
     private static function fixTerseIfs($code, $inner = false)
     {
+        if (preg_match('~[^\s0-9n<>|&=\-+%?:();\$]~', str_replace('return ', '', $code))) {
+            throw new \InvalidArgumentException('Invalid Plural form: ' . $code);
+        }
         /*
          * (?P<expression>[^?]+)   Capture everything up to ? as 'expression'
          * \?                      ?

diff --git a/tests/TranslatorTest.php b/tests/TranslatorTest.php
@@ -97,6 +97,23 @@ public function testPluralFunction()
         $this->assertEquals('beaucoup de commentaires', n__('One comment', '%s comments', 3, ['%s' => 'beaucoup de']));
     }
 
+    public function testPluralInjection()
+    {
+        $translations = new Translations();
+        $translations->setPluralForms(2,'fuu_call()');
+        $translations[] =
+            (new Translation(null, 'One comment', '%s comments'))
+            ->setTranslation('Un commentaire')
+            ->setPluralTranslations(['%s commentaires']);
+        $t = new Translator();
+        $t->loadTranslations($translations);
+
+        $t->register();
+
+        $this->setExpectedException('InvalidArgumentException');
+        n__('One comment', '%s comments', 3);
+    }
+
     public function testContextFunction()
     {
         $translations = new Translations();