From 55cc030cb71b78dc031a53b16fd5d12cb127e99e Mon Sep 17 00:00:00 2001
From: Reinier Balt
Date: Tue, 7 May 2013 09:29:47 +0200
Subject: [PATCH] Do not symbolize arbitray locale params

* Validate locale is valid before assigning it
* Don't convert invalid locales to symbols (creates DoS risk)

thanks @brynary
---
 app/controllers/application_controller.rb | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index f52092ee..2ad1d81c 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -33,8 +33,12 @@ class ApplicationController < ActionController::Base
     locale = params[:locale] # specifying a locale in the request takes precedence
     locale = locale || prefs.locale unless current_user.nil? # otherwise, the locale of the currently logged in user takes over
     locale = locale || request.env['HTTP_ACCEPT_LANGUAGE'].scan(/^[a-z]{2}/).first if request.env['HTTP_ACCEPT_LANGUAGE']
-    I18n.locale = locale.nil? ? I18n.default_locale : (I18n::available_locales.include?(locale.to_sym) ? locale : I18n.default_locale)
-    # logger.debug("Selected '#{I18n.locale}' as locale")
+
+    if locale && I18n::available_locales.map(&:to_s).include?(locale.to_s)
+      I18n.locale = locale
+    else
+      I18n.locale = I18n.default_locale
+    end
   end
 
   def set_session_expiration
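Review bot: The validated branch still assigns the raw request object (`I18n.locale = locale`) rather than the string it just compared, and the membership check rebuilds `I18n::available_locales.map(&:to_s)` on every request; `I18n.locale = locale.to_s` pins the type, and if the i18n gem in use provides it, `I18n.locale_available?(locale.to_s)` compares against a cached set of both string and symbol forms without the per-request array. The change does close the symbol-table growth: a non-string value such as `?locale[]=x` now stringifies to something that never matches and falls through to `I18n.default_locale` instead of reaching `to_sym`. The unchanged context line that scans `HTTP_ACCEPT_LANGUAGE` uses `^`, which in Ruby anchors at any line start rather than the start of the value; `\A[a-z]{2}` is the stricter anchor, though with single-line header values this is a hardening point rather than an exploit. The method's `def` line is above this hunk, so only its tail is visible here.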