Do not symbolize arbitray locale params

* Validate the locale before assigning it
* Don't convert invalid locales to symbols (creates DoS risk)

thanks @brynary
Reinier Balt 2013-05-07 09:29:47 +02:00
parent c6e526127c
commit 78f81ed29f


@ -33,8 +33,12 @@ class ApplicationController < ActionController::Base
locale = params[:locale] # specifying a locale in the request takes precedence
locale = locale || prefs.locale unless current_user.nil? # otherwise, the locale of the currently logged in user takes over
locale = locale || request.env['HTTP_ACCEPT_LANGUAGE'].scan(/^[a-z]{2}/).first if request.env['HTTP_ACCEPT_LANGUAGE']
I18n.locale = locale.nil? ? I18n.default_locale : (I18n::available_locales.include?(locale.to_sym) ? locale : I18n.default_locale)
# logger.debug("Selected '#{I18n.locale}' as locale")
if locale && I18n::available_locales.map(&:to_s).include?(locale.to_s)
I18n.locale = locale
else
I18n.locale = I18n.default_locale
end
end
def set_session_expiration
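Review bot: The new check `I18n::available_locales.map(&:to_s).include?(locale.to_s)` rebuilds a fresh array of strings on every request, and this runs in a controller filter on every page, so the validation itself has a per-request allocation cost. If the i18n gem in use is recent enough to provide it, `I18n.locale_available?` does the same lookup against a prebuilt set that already holds both the string and symbol form of each available locale, and it never symbolizes its argument, so the DoS fix is preserved: `I18n.locale = (locale && I18n.locale_available?(locale)) ? locale : I18n.default_locale`. Either way, `params[:locale]` can arrive as an array or hash (`?locale[]=en`); both the committed `to_s` comparison and the set lookup reject such values rather than raise, which is worth a one-line comment so nobody "simplifies" it back to a symbol lookup later. The method this hunk edits begins above the hunk, so the handling of `locale` before line 33 is not visible here.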