From 379a387ddeabdab428c2c6257ff6521f69e5d974 Mon Sep 17 00:00:00 2001
From: Inverle <inverle@proton.me>
Date: Sat, 30 Aug 2025 16:26:24 +0200
Subject: Disallow setting non-existent language (#7878)

The set language is used inside paths and can lead to issues by including PHP files from other locations
---
 app/Controllers/configureController.php | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

(limited to 'app')

diff --git a/app/Controllers/configureController.php b/app/Controllers/configureController.php
index 6c1561d7c..e69b46323 100644
--- a/app/Controllers/configureController.php
+++ b/app/Controllers/configureController.php
@@ -45,7 +45,10 @@ class FreshRSS_configure_Controller extends FreshRSS_ActionController {
 	 */
 	public function displayAction(): void {
 		if (Minz_Request::isPost()) {
-			FreshRSS_Context::userConf()->language = Minz_Request::paramString('language') ?: 'en';
+			$language = Minz_Request::paramString('language') ?: 'en';
+			if (Minz_Translate::exists($language)) {
+				FreshRSS_Context::userConf()->language = $language;
+			}
 			FreshRSS_Context::userConf()->timezone = Minz_Request::paramString('timezone');
 			$theme = Minz_Request::paramString('theme') ?: FreshRSS_Themes::$defaultTheme;
 			if (FreshRSS_Themes::exists($theme)) {
-- 
cgit v1.2.3