Commit 6e094613 authored by Till Brehm's avatar Till Brehm

Fixed #5102

parent e41a487d
......@@ -477,6 +477,28 @@ class functions {
return $out;
}
// Function to check paths before we use it as include. Use with absolute paths only.
public function check_include_path($path) {
if(strpos($path,'//')) die('Include path seems to be an URL: '.$this->htmlentities($path));
if(strpos($path,'..')) die('Two dots are not allowed in include path: '.$this->htmlentities($path));
if(!preg_match("/^[a-zA-Z0-9_\/\.\-]{1,}$/", $path)) die('Wrong chars in include path: '.$this->htmlentities($path));
$path = realpath($path);
if($path == '') die('Include path does not exist.');
if(substr($path,0,strlen(ISPC_ROOT_PATH)) != ISPC_ROOT_PATH) die('Path '.$this->htmlentities($path).' is outside of ISPConfig installation directory.');
return $path;
}
// Function to check language strings
public function check_language($language) {
global $app;
if(preg_match('/^[a-z]{2}$/',$language)) {
return $language;
} else {
die('Invalid language string: '.$this->htmlentities($language));
}
}
}
?>
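Review bot: The two `strpos()` guards at the top of check_include_path miss a match at offset 0, because `strpos()` returns `0` there and `0` is falsy, so a path beginning with `//` or `..` passes both checks and is only stopped later by realpath() plus the prefix compare; write `if(strpos($path,'//') !== false) die(...)` and `if(strpos($path,'..') !== false) die(...)`. That prefix compare also accepts any directory whose name merely starts with ISPC_ROOT_PATH (a sibling such as `<root>-backup`), so compare against `ISPC_ROOT_PATH.'/'` or accept exact equality explicitly. In check_language, PCRE `$` also matches before a trailing newline, so `"en\n"` satisfies `/^[a-z]{2}$/`; add the `D` modifier or anchor with `\z`. The `functions` class header lies above the hunk.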
......@@ -60,7 +60,7 @@ class listform {
}
//* Set local Language File
$lng_file = 'lib/lang/'.$_SESSION['s']['language'].'_'.$this->listDef['name'].'_list.lng';
$lng_file = 'lib/lang/'.$app->functions->check_language($_SESSION['s']['language']).'_'.$this->listDef['name'].'_list.lng';
if(!file_exists($lng_file)) $lng_file = 'lib/lang/en_'.$this->listDef['name'].'_list.lng';
include $lng_file;
......
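Review bot: check_language() die()s on an empty or unset session language, whereas before this change such a value produced a non-existent path and the `en_` fallback on the following line took over. Whether `$_SESSION['s']['language']` can be unset here is not visible, but the software_package_list hunk in this same commit guards that key with isset(), so consider `check_language(isset($_SESSION['s']['language']) ? $_SESSION['s']['language'] : 'en')`. Whether `$app` is declared `global` in this method is also outside the hunk, which starts inside the method body.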
......@@ -249,7 +249,7 @@ class listform_actions {
global $app;
//* Set global Language File
$lng_file = ISPC_LIB_PATH.'/lang/'.$_SESSION['s']['language'].'.lng';
$lng_file = ISPC_LIB_PATH.'/lang/'.$app->functions->check_language($_SESSION['s']['language']).'.lng';
if(!file_exists($lng_file))
$lng_file = ISPC_LIB_PATH.'/lang/en.lng';
include $lng_file;
......
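Review bot: A session without a language value now ends in `die('Invalid language string: ')` from check_language() instead of reaching the `en.lng` fallback two lines below, since null fails `/^[a-z]{2}$/`. If that state is reachable (another hunk in this commit guards the same session key with isset()), pass a default: `check_language(isset($_SESSION['s']['language']) ? $_SESSION['s']['language'] : 'en')`. The enclosing method begins above the hunk.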
......@@ -153,10 +153,10 @@ class listform_tpl_generator {
}
function lng_add($lang, $listDef, $module = '') {
global $go_api, $go_info, $conf;
global $app, $conf;
if($module == '') {
$lng_file = "lib/lang/".$conf["language"]."_".$listDef['name']."_list.lng";
$lng_file = "lib/lang/".$app->functions->check_language($conf["language"])."_".$listDef['name']."_list.lng";
} else {
$lng_file = '../'.$module."/lib/lang/en_".$listDef['name']."_list.lng";
}
......
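Review bot: The `$module` argument is spliced into the include path on the else branch (`'../'.$module."/lib/lang/en_"...`) with no validation, so the new check on `$conf["language"]` covers only one of the two branches. Where callers obtain `$module` is outside the hunk, but a whitelist such as `if(!preg_match('/^[a-z0-9_]+$/', $module)) die('Invalid module name');` at the top of lng_add would close it regardless of the caller. The change to `global $app, $conf;` is needed for the new call and is correct. The function's body continues past the hunk.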
......@@ -45,7 +45,7 @@ class plugin_backuplist extends plugin_base {
$listTpl->newTemplate('templates/web_backup_list.htm');
//* Loading language file
$lng_file = "lib/lang/".$_SESSION["s"]["language"]."_web_backup_list.lng";
$lng_file = "lib/lang/".$app->functions->check_language($_SESSION["s"]["language"])."_web_backup_list.lng";
include $lng_file;
$listTpl->setVar($wb);
......
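Review bot: check_language() only guarantees a two-letter lowercase code, not that `lib/lang/<code>_web_backup_list.lng` exists, and this include has no `file_exists()` fallback, so a valid but untranslated code produces a PHP include warning and an undefined `$wb` reaching `$listTpl->setVar($wb)`. Add `if(!file_exists($lng_file)) $lng_file = 'lib/lang/en_web_backup_list.lng';` before the include, as listform already does. Whether `$app` is declared `global` in this method is not visible in the hunk.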
......@@ -46,7 +46,7 @@ class plugin_backuplist_mail extends plugin_base {
$listTpl->newTemplate('templates/mail_user_backup_list.htm');
//* Loading language file
$lng_file = "lib/lang/".$_SESSION["s"]["language"]."_mail_backup_list.lng";
$lng_file = "lib/lang/".$app->functions->check_language($_SESSION["s"]["language"])."_mail_backup_list.lng";
include($lng_file);
$listTpl->setVar($wb);
......
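Review bot: There is no `file_exists()` fallback around this include, and check_language() proves only that the code is two lowercase letters, not that `lib/lang/<code>_mail_backup_list.lng` is present; an untranslated but valid code therefore emits an include warning and passes an undefined `$wb` to `$listTpl->setVar($wb)`. Add `if(!file_exists($lng_file)) $lng_file = 'lib/lang/en_mail_backup_list.lng';` before the `include($lng_file)`. Whether `$app` is in scope via `global` here is outside the hunk.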
......@@ -18,7 +18,7 @@ class plugin_directive_snippets extends plugin_base
$listTpl->newTemplate('templates/web_directive_snippets.htm');
//* Loading language file
$lng_file = "lib/lang/".$_SESSION["s"]["language"]."_web_directive_snippets.lng";
$lng_file = "lib/lang/".$app->functions->check_language($_SESSION["s"]["language"])."_web_directive_snippets.lng";
include $lng_file;
$listTpl->setVar($wb);
......
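Review bot: This include still trusts that `lib/lang/<code>_web_directive_snippets.lng` exists for any code check_language() accepts; with no `file_exists()` fallback, a valid but untranslated code yields an include warning and an undefined `$wb` at `$listTpl->setVar($wb)`. Add `if(!file_exists($lng_file)) $lng_file = 'lib/lang/en_web_directive_snippets.lng';` ahead of the include. Whether `$app` is declared `global` in this method is not shown in the hunk.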
......@@ -120,7 +120,7 @@ class plugin_listview extends plugin_base {
}
// Loading language field
$lng_file = "lib/lang/".$_SESSION["s"]["language"]."_".$app->listform->listDef['name']."_list.lng";
$lng_file = "lib/lang/".$app->functions->check_language($_SESSION["s"]["language"])."_".$app->listform->listDef['name']."_list.lng";
include $lng_file;
$listTpl->setVar($wb);
......
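Review bot: The include has no `file_exists()` fallback, so a code that passes check_language() but has no translation file triggers an include warning and an undefined `$wb` at `$listTpl->setVar($wb)`. Add `if(!file_exists($lng_file)) $lng_file = 'lib/lang/en_'.$app->listform->listDef['name'].'_list.lng';` before the include, mirroring listform. The enclosing method starts above the hunk, and whether `$app` is imported with `global` there is not visible.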
......@@ -151,10 +151,10 @@ class searchform_actions {
global $app;
// Language File setzen
$lng_file = ISPC_WEB_PATH.'/lang/lib/lang/'.$_SESSION['s']['language'].'_list.lng';
$lng_file = ISPC_WEB_PATH.'/lang/lib/lang/'.$app->functions->check_language($_SESSION['s']['language']).'_list.lng';
if(!file_exists($lng_file)) $lng_file = ISPC_WEB_PATH.'/lang/lib/lang/en_'.'_list.lng';
include $lng_file;
$lng_file = "lib/lang/".$_SESSION["s"]["language"]."_".$app->searchform->listDef['name']."_search.lng";
$lng_file = "lib/lang/".$app->functions->check_language($_SESSION["s"]["language"])."_".$app->searchform->listDef['name']."_search.lng";
if(!file_exists($lng_file)) $lng_file = 'lib/lang/en_'.$app->searchform->listDef['name']."_search.lng";
include $lng_file;
$app->tpl->setVar($wb);
......
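Review bot: The first fallback in the hunk builds `.../lang/lib/lang/en__list.lng` (two underscores, from `'en_'.'_list.lng'`), which looks like a typo for `en_list.lng`, and it is then included without its own existence check; the line is untouched by this commit but is now the path every unknown language lands on. Unless a file of that name really exists, change it to `$lng_file = ISPC_WEB_PATH.'/lang/lib/lang/en_list.lng';`. The enclosing method begins above the hunk.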
......@@ -134,7 +134,7 @@ class tform_base {
$this->module = $module;
$wb = array();
include_once ISPC_ROOT_PATH.'/lib/lang/'.$_SESSION['s']['language'].'.lng';
include_once ISPC_ROOT_PATH.'/lib/lang/'.$app->functions->check_language($_SESSION['s']['language']).'.lng';
if(is_array($wb)) $wb_global = $wb;
......@@ -143,7 +143,7 @@ class tform_base {
if(!file_exists($lng_file)) $lng_file = "lib/lang/en_".$this->formDef["name"].".lng";
include $lng_file;
} else {
$lng_file = "../$module/lib/lang/".$_SESSION["s"]["language"]."_".$this->formDef["name"].".lng";
$lng_file = "../$module/lib/lang/".$app->functions->check_language($_SESSION["s"]["language"])."_".$this->formDef["name"].".lng";
if(!file_exists($lng_file)) $lng_file = "../$module/lib/lang/en_".$this->formDef["name"].".lng";
include $lng_file;
}
......
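Review bot: In the else branch, `$module` is interpolated into `"../$module/lib/lang/..."` with no validation, so check_language() closes only half of this include path; `$this->module = $module` in the first hunk shows it is a method argument, and where callers take it from is outside the hunk. If it can derive from the request, add a whitelist such as `if(!preg_match('/^[a-z0-9_]+$/', $module)) die('Invalid module name');` before the path is built, or route the path through check_include_path() as an absolute path. The enclosing method starts above and ends below the hunk.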
......@@ -298,7 +298,7 @@ class tform_tpl_generator {
function lng_add($lang, $formDef) {
global $go_api, $go_info, $conf;
$lng_file = "lib/lang/".$conf["language"]."_".$formDef['name'].".lng";
$lng_file = "lib/lang/".$app->functions->check_language($conf["language"])."_".$formDef['name'].".lng";
if(is_file($lng_file)) {
include $lng_file;
} else {
......
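Review bot: `$app` is undefined inside lng_add — the `global` statement on the line above the change still imports only `$go_api, $go_info, $conf` — so `$app->functions->check_language()` on the new line is a method call on null and fatals the first time this generator runs. Change it to `global $app, $conf;`, as the listform_tpl_generator hunk in this commit does, dropping `$go_api`/`$go_info` only if nothing below reads them. The rest of lng_add lies beneath the hunk.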
......@@ -104,7 +104,7 @@ $app->tpl->setVar('_csrf_id',$csrf_token['csrf_id']);
$app->tpl->setVar('_csrf_key',$csrf_token['csrf_key']);
//* load language file
$lng_file = 'lib/lang/'.$_SESSION['s']['language'].'_language_add.lng';
$lng_file = 'lib/lang/'.$app->functions->check_language($_SESSION['s']['language']).'_language_add.lng';
include $lng_file;
$app->tpl->setVar($wb);
......
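Review bot: This include has no `file_exists()` fallback, and check_language() only proves the value is two lowercase letters, not that `lib/lang/<code>_language_add.lng` exists, so a valid but untranslated code yields an include warning and an undefined `$wb` at `$app->tpl->setVar($wb)`. Add `if(!file_exists($lng_file)) $lng_file = 'lib/lang/en_language_add.lng';` before the include.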
......@@ -166,7 +166,7 @@ $app->tpl->setVar('_csrf_id',$csrf_token['csrf_id']);
$app->tpl->setVar('_csrf_key',$csrf_token['csrf_key']);
//* load language file
$lng_file = 'lib/lang/'.$_SESSION['s']['language'].'_language_complete.lng';
$lng_file = 'lib/lang/'.$app->functions->check_language($_SESSION['s']['language']).'_language_complete.lng';
include $lng_file;
$app->tpl->setVar($wb);
......
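Review bot: A language code that passes check_language() but has no `_language_complete.lng` translation still reaches a bare `include`, producing a warning and an undefined `$wb` at `$app->tpl->setVar($wb)`. Add `if(!file_exists($lng_file)) $lng_file = 'lib/lang/en_language_complete.lng';` between the assignment and the include.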
......@@ -104,7 +104,7 @@ $app->tpl->setVar('_csrf_key',$csrf_token['csrf_key']);
//* load language file
$lng_file = 'lib/lang/'.$_SESSION['s']['language'].'_language_edit.lng';
$lng_file = 'lib/lang/'.$app->functions->check_language($_SESSION['s']['language']).'_language_edit.lng';
include $lng_file;
$app->tpl->setVar($wb);
......
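Review bot: The include is still unguarded: check_language() validates the shape of the code, not the presence of `lib/lang/<code>_language_edit.lng`, so an untranslated code causes an include warning and an undefined `$wb` at `$app->tpl->setVar($wb)`. Insert `if(!file_exists($lng_file)) $lng_file = 'lib/lang/en_language_edit.lng';` before the include.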
......@@ -111,7 +111,7 @@ if(isset($_POST['lng_select']) && $error == '') {
$app->tpl->setVar('msg', $msg);
//* load language file
$lng_file = 'lib/lang/'.$_SESSION['s']['language'].'_language_export.lng';
$lng_file = 'lib/lang/'.$app->functions->check_language($_SESSION['s']['language']).'_language_export.lng';
include $lng_file;
$app->tpl->setVar($wb);
......
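Review bot: Nothing checks that `lib/lang/<code>_language_export.lng` exists before it is included; check_language() only constrains the code to two lowercase letters, so a missing translation produces an include warning and an undefined `$wb` at `$app->tpl->setVar($wb)`. Add `if(!file_exists($lng_file)) $lng_file = 'lib/lang/en_language_export.lng';` ahead of the include.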
......@@ -194,7 +194,7 @@ $app->tpl->setVar('_csrf_id',$csrf_token['csrf_id']);
$app->tpl->setVar('_csrf_key',$csrf_token['csrf_key']);
//* load language file
$lng_file = 'lib/lang/'.$_SESSION['s']['language'].'_language_import.lng';
$lng_file = 'lib/lang/'.$app->functions->check_language($_SESSION['s']['language']).'_language_import.lng';
include $lng_file;
$app->tpl->setVar($wb);
......
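Review bot: This include has no `file_exists()` fallback, so a code accepted by check_language() without a `_language_import.lng` translation triggers an include warning and an undefined `$wb` at `$app->tpl->setVar($wb)`. Add `if(!file_exists($lng_file)) $lng_file = 'lib/lang/en_language_import.lng';` before the include.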
......@@ -97,7 +97,7 @@ $app->tpl->setLoop('records', $language_files_list);
//* load language file
$lng_file = 'lib/lang/'.$_SESSION['s']['language'].'_language_list.lng';
$lng_file = 'lib/lang/'.$app->functions->check_language($_SESSION['s']['language']).'_language_list.lng';
include $lng_file;
$app->tpl->setVar($wb);
......
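Review bot: The include is unguarded: a code that satisfies check_language() but has no `lib/lang/<code>_language_list.lng` file yields an include warning and an undefined `$wb` at `$app->tpl->setVar($wb)`. Insert `if(!file_exists($lng_file)) $lng_file = 'lib/lang/en_language_list.lng';` before the include.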
......@@ -44,7 +44,7 @@ $app->tpl->newTemplate('form.tpl.htm');
$app->tpl->setInclude('content_tpl', 'templates/remote_action_ispcupdate.htm');
//* load language file
$lng_file = 'lib/lang/'.$_SESSION['s']['language'].'_remote_action.lng';
$lng_file = 'lib/lang/'.$app->functions->check_language($_SESSION['s']['language']).'_remote_action.lng';
include $lng_file;
/*
......
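Review bot: There is no `file_exists()` fallback before this include, and check_language() only constrains the code's shape, so a valid but untranslated code emits an include warning and leaves `$wb` undefined for whatever consumes it below the hunk. Add `if(!file_exists($lng_file)) $lng_file = 'lib/lang/en_remote_action.lng';` between the assignment and the include.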
......@@ -43,7 +43,7 @@ $app->tpl->newTemplate('form.tpl.htm');
$app->tpl->setInclude('content_tpl', 'templates/remote_action_osupdate.htm');
//* load language file
$lng_file = 'lib/lang/'.$_SESSION['s']['language'].'_remote_action.lng';
$lng_file = 'lib/lang/'.$app->functions->check_language($_SESSION['s']['language']).'_remote_action.lng';
include $lng_file;
/*
......
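Review bot: The include is not guarded by `file_exists()`, so a code that passes check_language() without a `_remote_action.lng` translation produces an include warning and an undefined `$wb` for the code below the hunk. Add `if(!file_exists($lng_file)) $lng_file = 'lib/lang/en_remote_action.lng';` ahead of the include.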
......@@ -184,7 +184,7 @@ if(is_array($packages) && count($packages) > 0) {
$app->tpl->setLoop('records', $packages);
$language = (isset($_SESSION['s']['language']))?$_SESSION['s']['language']:$conf['language'];
include_once 'lib/lang/'.$language.'_software_package_list.lng';
include_once 'lib/lang/'.$app->functions->check_language($language).'_software_package_list.lng';
$app->tpl->setVar($wb);
......