Changeset 782 for trunk/admin/common.php


Timestamp:
2011-04-22T16:45:00+02:00 (4 years ago)
Author:
moo
Message:

avoid possible file name injection

File:
1 edited

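--- a/trunk/admin/common.php
+++ b/trunk/admin/common.php
@@ -39,5 +39,5 @@
         $file = get_language_file_ex($name, $l, $s);
         if (!isset($file)) {
-            $l = strtok($l, '-');
+            $l = strtok($l, ':-');
             $file = get_language_file_ex($name, $l, $s);
         }
@@ -45,5 +45,5 @@
     else if (!empty($_SERVER['HTTP_ACCEPT_LANGUAGE'])) {
         foreach (explode(',', str_replace(' ', '', $_SERVER['HTTP_ACCEPT_LANGUAGE'])) as $l) {
-            $l = strtok($l, ';');
+            $l = strtok($l, ':;');
             $file = get_language_file_ex($name, $l, $s);
             if (isset($file)) {
@@ -52,5 +52,5 @@
             }
             if (strpos($l, '-') !== false) {
-                $ll = strtok($l, '-');
+                $ll = strtok($l, ':-');
                 $file = get_language_file_ex($name, $ll, $s);
                 if (isset($file)) {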
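Review bot: Adding `:` to the `strtok()` delimiters is a denylist, so at new line 47 the tag taken from `$_SERVER['HTTP_ACCEPT_LANGUAGE']` still reaches `get_language_file_ex()` with every other character intact, including path separators and dots. Unless `get_language_file_ex()` validates its argument itself (not visible here), an allowlist right after that `strtok()` call is the safer fix: `if (!is_string($l) || !preg_match('/^[A-Za-z0-9]{1,8}(?:-[A-Za-z0-9]{1,8})*$/', $l)) { continue; }`. The `is_string()` part matters because `strtok()` returns `false` when an entry holds only delimiters, and that value is currently passed on unchecked. The same validation would apply to `$l` in the first branch (new line 41), whose source lies outside the shown hunks, as do the start and end of the enclosing function.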