Commit 8f13bef5 authored by mcramer's avatar mcramer
Browse files

- Implemented strict parsing of language files on import

parent 6b671944
......@@ -30,6 +30,86 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
require_once('../../lib/config.inc.php');
require_once('../../lib/app.inc.php');
function normalize_string($string, $quote, $allow_special = false) {
$escaped = false;
$in_string = true;
$new_string = '';
for($c = 0; $c < mb_strlen($string); $c++) {
$char = $string{$c};
if($in_string === true && $escaped === false && $char === $quote) {
// this marks a string end (e.g. for concatenation)
$in_string = false;
continue;
} elseif($in_string === false) {
if($escaped === false && $char === $quote) {
$in_string = true;
continue;
} else {
continue; // we strip everything from outside the string!
}
}
if($char === '"' && $escaped === true && $quote === '"') {
// unescape this
$new_string .= $char;
$escaped = false;
continue;
} elseif($char === "'" && $escaped === false && $quote === '"') {
// escape this
$new_string .= '\\' . $char;
continue;
}
if($escaped === true) {
// the next character is the escaped one.
if($allow_special === true && ($char === 'n' || $char === 'r' || $char === 't')) {
$new_string .= '\' . "\\' . $char . '" . \'';
} else {
$new_string .= '\\' . $char;
}
$escaped = false;
} else {
if($char === '\\') {
$escaped = true;
} else {
$new_string .= $char;
}
}
}
return $new_string;
}
function validate_line($line) {
$line = trim($line);
if($line === '' || $line === '<?php' || $line === '?>') return $line; // don't treat empty lines as malicious
$ok = preg_match('/^\s*\$wb\[(["\'])(.*?)\\1\]\s*=\s*(["\'])(.*?)\\3\s*;\s*$/', $line, $matches);
if(!$ok) return false; // this line has invalid form and could lead to malfunction
$keyquote = $matches[1]; // ' or "
$key = $matches[2];
if(strpos($key, '"') !== false || strpos($key, "'") !== false) return false;
$textquote = $matches[3]; // ' or "
$text = $matches[4];
$new_line = '$wb[\'';
// validate the language key
$key = normalize_string($key, $keyquote);
$new_line .= $key . '\'] = \'';
// validate this text to avoid code injection
$text = normalize_string($text, $textquote, true);
$new_line .= $text . '\';';
return $new_line;
}
//* Check permissions for module
$app->auth->check_module_permissions('admin');
......@@ -58,7 +138,9 @@ if(isset($_FILES['file']['name']) && is_uploaded_file($_FILES['file']['tmp_name'
$buffer = '';
$langfile_path = '';
// all other lines
$ln = 1;
foreach($lines as $line) {
$ln++;
$parts = explode('|',$line);
if(is_array($parts) && count($parts) > 0 && $parts[0] == '--') {
// Write language file, if its not the first file
......@@ -84,7 +166,9 @@ if(isset($_FILES['file']['name']) && is_uploaded_file($_FILES['file']['tmp_name'
$langfile_path = trim(ISPC_WEB_PATH.'/'.$module_name.'/lib/lang/'.$file_name);
}
} else {
$buffer .= trim($line)."\n";
$line = validate_line($line);
if($line === false) $error .= "Language file contains invalid language entry on line $ln.<br />";
else $buffer .= $line."\n";
}
}
}
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment