Fix potential code injection via locale parameter

willdurand · willdurand · commit 7accee93569c · 2014-07-29T11:17:06.000+02:00
Depending on the server configuration, it seems to be possible to inject
actual JavaScript code:

    http://localhost/translations?locales=foo%0Auncommented%20code;

=&gt;

    (function (Translator) {
        Translator.fallback      = 'en';
        Translator.defaultDomain = 'messages';
        // foo
    uncommented code;
    })(Translator);

This issue has been reported by Andreas Forsblom.

This fix filters given locales and remove all locales that are not known
by the Locale (intl extension) class.

Signed-off-by: William DURAND &lt;william.durand1@gmail.com&gt;
diff --git a/Controller/Controller.php b/Controller/Controller.php
@@ -173,6 +173,10 @@ private function getLocales(Request $request)
             $locales = array($request->getLocale());
         }
 
+        $locales = array_filter($locales, function ($locale) {
+            return strcasecmp(\Locale::getDisplayLanguage($locale), $locale) !== 0;
+        });
+
         return array_unique(array_map(function ($locale) {
             return trim($locale);
         }, $locales));
diff --git a/Tests/Controller/ControllerTest.php b/Tests/Controller/ControllerTest.php
@@ -197,4 +197,22 @@ public function testGetTranslationsWithPathTraversalAttack()
 
         $this->assertEquals(200, $response->getStatusCode());
     }
+
+    public function testGetTranslationsWithLocaleInjection()
+    {
+        $client  = static::createClient();
+
+        $crawler  = $client->request('GET', '/translations/messages.json?locales=foo%0Auncommented%20code;');
+        $response = $client->getResponse();
+
+        $this->assertEquals(<<<JSON
+{
+    "fallback": "en",
+    "defaultDomain": "messages",
+    "translations": []
+}
+
+JSON
+        , $response->getContent());
+    }
 }
diff --git a/composer.json b/composer.json
@@ -13,7 +13,8 @@
     "require": {
         "symfony/framework-bundle": "~2.3",
         "symfony/finder": "~2.3",
-        "symfony/console": "~2.3"
+        "symfony/console": "~2.3",
+        "symfony/intl": "~2.3"
     },
     "require-dev": {
         "symfony/yaml": "~2.3",
