From 8f5a688d00f2f73a0913acb04247322f13e2c971 Mon Sep 17 00:00:00 2001
From: Baptiste Mispelon <bmispelon@gmail.com>
Date: Wed, 20 Nov 2013 16:31:53 +0100
Subject: [PATCH] Fixed #21458 -- Made check_for_language more resistant to
 malformed input.

Thanks to Sergey Sorokin for the report and to Bouke Haarsma for the review.
---
 django/utils/translation/trans_real.py | 8 ++++++--
 tests/i18n/tests.py                    | 2 ++
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/django/utils/translation/trans_real.py b/django/utils/translation/trans_real.py
index 7c545dbd3d..9dfac47381 100644
--- a/django/utils/translation/trans_real.py
+++ b/django/utils/translation/trans_real.py
@@ -44,6 +44,8 @@ accept_language_re = re.compile(r'''
         (?:\s*,\s*|$)                                 # Multiple accepts per header.
         ''', re.VERBOSE)
 
+language_code_re = re.compile(r'^[a-z]{1,8}(?:-[a-z0-9]{1,8})*$', re.IGNORECASE)
+
 language_code_prefix_re = re.compile(r'^/([\w-]+)(/|$)')
 
 # some browsers use deprecated locales. refs #18419
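Review bot: The new `language_code_re` ends in `$`, which in Python also matches just before a trailing newline, so a value such as `'en\n'` still passes the well-formedness check. Anchoring with `\Z` closes that: `language_code_re = re.compile(r'^[a-z]{1,8}(?:-[a-z0-9]{1,8})*\Z', re.IGNORECASE)`. On Python 3, `re.IGNORECASE` on a str pattern also lets `[a-z]` match a few non-ASCII letters (U+017F and U+212A, for example); adding `re.ASCII` would prevent that, but the flag does not exist on Python 2, so it would need a version guard if this module still supports it. A one-line comment above the pattern, saying it is the allow-list for user-supplied language codes, would also help the next reader.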
@@ -393,9 +395,11 @@ def check_for_language(lang_code):
     """
     Checks whether there is a global language file for the given language
     code. This is used to decide whether a user-provided language is
-    available. This is only used for language codes from either the cookies
-    or session and during format localization.
+    available.
     """
+    # First, a quick check to make sure lang_code is well-formed (#21458)
+    if not language_code_re.search(lang_code):
+        return False
     for path in all_locale_paths():
         if gettext_module.find('django', path, [to_locale(lang_code)]) is not None:
             return True
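Review bot: `language_code_re.search(lang_code)` raises `TypeError` when `lang_code` is `None` or otherwise not a string, so a caller that passes a missing value gets an exception instead of `False`. Widening the guard fixes that: `if lang_code is None or not language_code_re.search(lang_code):`. The shortened docstring no longer says where the value comes from; it is worth stating there that `lang_code` is untrusted input and that this check runs before it reaches `to_locale()` and `gettext_module.find()`. The function body continues past the end of the hunk.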
diff --git a/tests/i18n/tests.py b/tests/i18n/tests.py
index 30e30407e4..471f434467 100644
--- a/tests/i18n/tests.py
+++ b/tests/i18n/tests.py
@@ -1318,6 +1318,8 @@ class CountrySpecificLanguageTests(TransRealMixin, TestCase):
         self.assertTrue(check_for_language('en'))
         self.assertTrue(check_for_language('en-us'))
         self.assertTrue(check_for_language('en-US'))
+        self.assertFalse(check_for_language('en-ΓΌ'))
+        self.assertFalse(check_for_language('en\x00'))
 
     def test_get_language_from_request(self):
         # issue 19919
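Review bot: The non-ASCII case is written as a raw literal (`'en-ΓΌ'` as rendered here, which looks like a mis-decoded `ü`), so what the test actually checks depends on the source file's encoding. Spelling it as an escape, as the next line does with `\x00`, makes the intent unambiguous: `self.assertFalse(check_for_language('en-\xfc'))`. The enclosing test method starts outside the hunk, so whether the file declares an encoding or uses unicode literals is not visible from here.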