/// majority of cases), use the stored locale specified by admin.
if (isset($_GET['lang'])) {
- if (!detect_munged_arguments($lang) and file_exists("$CFG->dirroot/lang/$lang")) {
+ if (!detect_munged_arguments($lang, 0) and file_exists("$CFG->dirroot/lang/$lang")) {
$SESSION->lang = $lang;
$SESSION->encoding = get_string('thischarset');
}
$address));
}
-function detect_munged_arguments($string) {
- if (substr_count($string, '..') > 1) { // We allow one '..' in a URL
+function detect_munged_arguments($string, $allowdots=1) {
+ if (substr_count($string, '..') > $allowdots) { // Sometimes we allow dots in references
return true;
}
if (ereg('[\|\`]', $string)) { // check for other bad characters
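Review bot: The new `$allowdots` parameter defaults to 1, so every caller not touched by this commit still accepts one `..` sequence, and only call sites that remember to pass 0 get the strict check. If any of those other callers build a filesystem path from the argument (they are not visible here, so this needs an audit), a single `../` still gets through; a default-deny signature such as `function detect_munged_arguments($string, $allowdots=0)`, with URL-handling callers opting in through an explicit 1, would fail safe. The replacement comment is also vaguer than the one it removes; something like `// $allowdots = number of '..' sequences tolerated: 0 for path components, 1 for URLs` would state the contract. The function body continues past the end of this hunk.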