From 379a387ddeabdab428c2c6257ff6521f69e5d974 Mon Sep 17 00:00:00 2001
From: Inverle
Date: Sat, 30 Aug 2025 16:26:24 +0200
Subject: Disallow setting non-existent language (#7878)
The set language is used inside paths and can lead to issues by including PHP files from other locations
---
 app/Controllers/configureController.php | 5 ++++-
 lib/Minz/Translate.php | 5 +++++
 2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/app/Controllers/configureController.php b/app/Controllers/configureController.php
index 6c1561d7c..e69b46323 100644
--- a/app/Controllers/configureController.php
+++ b/app/Controllers/configureController.php
@@ -45,7 +45,10 @@ class FreshRSS_configure_Controller extends FreshRSS_ActionController {
 */
 public function displayAction(): void {
 if (Minz_Request::isPost()) {
- FreshRSS_Context::userConf()->language = Minz_Request::paramString('language') ?: 'en';
+ $language = Minz_Request::paramString('language') ?: 'en';
+ if (Minz_Translate::exists($language)) {
+ FreshRSS_Context::userConf()->language = $language;
+ }
 FreshRSS_Context::userConf()->timezone = Minz_Request::paramString('timezone');
 $theme = Minz_Request::paramString('theme') ?: FreshRSS_Themes::$defaultTheme;
 if (FreshRSS_Themes::exists($theme)) {
diff --git a/lib/Minz/Translate.php b/lib/Minz/Translate.php
index 58bf3f424..b57e90bcf 100644
--- a/lib/Minz/Translate.php
+++ b/lib/Minz/Translate.php
@@ -84,6 +84,10 @@ class Minz_Translate {
 return array_values(array_unique($list_langs));
 }
 
+ public static function exists(string $lang): bool {
+ return in_array($lang, Minz_Translate::availableLanguages(), true);
+ }
+
 /**
 * Return the language to use in the application.
 * It returns the connected language if it exists then returns the first match from the
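Review bot: In displayAction() a `language` value that fails `Minz_Translate::exists()` is dropped silently: the previous setting stays, the user gets no feedback, and nothing is recorded. The commit message says this value ends up inside paths, so a rejected value is a useful detection signal; an `else` branch that logs through the project's logger, e.g. `Minz_Log::warning('Rejected unknown language in display settings');` (without echoing the raw input), would make such requests visible. The check guards only this write site; any other code that assigns `userConf()->language` is outside this hunk and should be confirmed to apply the same check. The method body continues past the hunk.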
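Review bot: `Minz_Translate::exists()` is now the allow-list that keeps request data out of file paths, yet it has no docblock, unlike `getLanguage()` directly below it. I would add `/** Whether $lang exactly matches one of the languages returned by availableLanguages(); used as an allow-list before the value is used in file paths. */` and write the call as `self::availableLanguages()`, matching the `self::exists()` call in the later hunk. The strict `in_array(..., true)` comparison is the right shape for this check and should stay. The result depends on what `availableLanguages()` reports at call time; most of that method is outside the hunk, so it is worth confirming that the translation paths are always registered before `getLanguage()` runs.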
@@ -95,6 +99,7 @@ class Minz_Translate {
 */
 public static function getLanguage(?string $user, array $preferred, ?string $default): string {
 if (null !== $user) {
+ if (!self::exists($user)) return 'en';
 return $user;
 }
 
--
cgit v1.2.3
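Review bot: The new guard in getLanguage() returns a hard-coded `'en'` for an unknown `$user` language, which skips `$preferred` and `$default` even though the method's docblock (partly visible in the previous hunk) describes a fallback through them. Letting an invalid value fall through, with `if (null !== $user && self::exists($user)) {` around `return $user;`, would keep that documented order; this assumes the rest of the function, which lies outside the hunk, only returns validated values. If `'en'` is kept, a braced block like the one added in displayAction() reads better than the one-line `if (...) return 'en';` in a security check. The read-side check itself is worth keeping either way, since it also covers values stored before the write-side validation existed.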