Fix #18913: Add filename validation for `MessageSource::getMessageFil…

…ePath()` Co-authored-by: Alexander Makarov <sam@rmcreative.ru>
yiisoft · Sep 30, 2021 · 01b6b2a · 01b6b2a
1 parent 435b6dc
commit 01b6b2a
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 0 deletions.
diff --git a/framework/CHANGELOG.md b/framework/CHANGELOG.md
@@ -22,6 +22,7 @@ Yii Framework 2 Change Log
 - Enh #18899: Replace usages of `strpos` with `strncmp` and remove redundant usage of `array_merge` and `array_values` (AlexGx)
 - Bug #18898: Fix `yii\helpers\Inflector::camel2words()` to work with words ending with 0 (michaelarnauts)
 - Enh #18904: Improve Captcha client-side validation (hexkir)
+- Bug #18913: Add filename validation for `MessageSource::getMessageFilePath()` (uaoleg)
 
 
 2.0.43 August 09, 2021

diff --git a/framework/i18n/GettextMessageSource.php b/framework/i18n/GettextMessageSource.php
@@ -8,6 +8,7 @@
 namespace yii\i18n;
 
 use Yii;
+use yii\base\InvalidArgumentException;
 
 /**
  * GettextMessageSource represents a message source that is based on GNU Gettext.
@@ -129,6 +130,10 @@ protected function loadFallbackMessages($category, $fallbackLanguage, $messages,
      */
     protected function getMessageFilePath($language)
     {
+        $language = (string) $language;
+        if ($language !== '' && !preg_match('/^[a-z_-]+$/i', $language)) {
+            throw new InvalidArgumentException(sprintf('Invalid language code: "%s".', $language));
+        }
         $messageFile = Yii::getAlias($this->basePath) . '/' . $language . '/' . $this->catalog;
         if ($this->useMoFile) {
             $messageFile .= self::MO_FILE_EXT;

diff --git a/framework/i18n/PhpMessageSource.php b/framework/i18n/PhpMessageSource.php
@@ -8,6 +8,7 @@
 namespace yii\i18n;
 
 use Yii;
+use yii\base\InvalidArgumentException;
 
 /**
  * PhpMessageSource represents a message source that stores translated messages in PHP scripts.
@@ -132,6 +133,10 @@ protected function loadFallbackMessages($category, $fallbackLanguage, $messages,
      */
     protected function getMessageFilePath($category, $language)
     {
+        $language = (string) $language;
+        if ($language !== '' && !preg_match('/^[a-z_-]+$/i', $language)) {
+            throw new InvalidArgumentException(sprintf('Invalid language code: "%s".', $language));
+        }
         $messageFile = Yii::getAlias($this->basePath) . "/$language/";
         if (isset($this->fileMap[$category])) {
             $messageFile .= $this->fileMap[$category];