From: Janusz Dobrowolski
Date: Mon, 13 Jul 2020 10:59:24 +0000 (+0200)
Subject: Install/Update Languages: fixed directory traversal issue.
X-Git-Url: https://delta.frontaccounting.com/gitweb/?p=fa-stable.git;a=commitdiff_plain;h=e330ef6dc0633b6858d7b1f0016299d0f65e04b0
Install/Update Languages: fixed directory traversal issue.
---
diff --git a/admin/inst_lang.php b/admin/inst_lang.php
index b2264c1d..3ed51a68 100644
--- a/admin/inst_lang.php
+++ b/admin/inst_lang.php
@@ -151,16 +151,16 @@ function handle_submit($id)
 $dflt_lang = $_POST['code'];
 }
- $installed_languages[$id]['code'] = $_POST['code'];
+ $installed_languages[$id]['code'] = clean_file_name($_POST['code']);
 $installed_languages[$id]['name'] = $_POST['name'];
- $installed_languages[$id]['path'] = 'lang/' . $_POST['code'];
+ $installed_languages[$id]['path'] = 'lang/' . clean_file_name(get_post('code'));
 $installed_languages[$id]['encoding'] = $_POST['encoding'];
 $installed_languages[$id]['rtl'] = (bool)$_POST['rtl'];
 $installed_languages[$id]['package'] = '';
 $installed_languages[$id]['version'] = '';
 if (!write_lang())
 return false;
- $directory = $path_to_root . "/lang/" . $_POST['code'];
+ $directory = $path_to_root . "/lang/" . clean_file_name(get_post('code'));
 if (!file_exists($directory))
 {
 mkdir($directory);
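Review bot: The context line `$dflt_lang = $_POST['code'];` at the top of the hunk still takes the raw POST value, so whenever clean_file_name() alters the input the default language no longer matches the code stored in `$installed_languages[$id]['code']`, and the unsanitised string survives wherever `$dflt_lang` is used later (not visible here). Sanitising once before the `dflt` check, `$code = clean_file_name(get_post('code'));`, and using `$code` for `$dflt_lang`, `['code']`, `['path']` and `$directory` also removes the mix of `$_POST['code']` and `get_post('code')` on the added lines. clean_file_name() is defined outside this diff, so it is worth confirming that it cannot return an empty string or `..`; an empty result would make `$directory` the `lang/` root itself, and a check before `write_lang()` would keep such an entry from being stored. handle_submit() starts before and continues past the hunk.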