fix(l10n): Fix language selection

Signed-off-by: Joas Schilling <coding@schilljs.com>

Author: nickvergessen

lib/private/L10N/Factory.php

@@ -133,10 +133,7 @@ public function __construct(
 	public function get($app, $lang = null, $locale = null) {
 		return new LazyL10N(function () use ($app, $lang, $locale) {
 			$app = \OC_App::cleanAppId($app);
-			if ($lang !== null) {
-				$lang = str_replace(['\0', '/', '\\', '..'], '', $lang);
-			}
-
+			$lang = $this->cleanLanguage($lang);
 			$forceLang = $this->config->getSystemValue('force_language', false);
 			if (is_string($forceLang)) {
 				$lang = $forceLang;
@@ -169,6 +166,29 @@ public function get($app, $lang = null, $locale = null) {
 		});
 	}
 
+	/**
+	 * Remove some invalid characters before using a string as a language
+	 *
+	 * @psalm-taint-escape callable
+	 * @psalm-taint-escape cookie
+	 * @psalm-taint-escape file
+	 * @psalm-taint-escape has_quotes
+	 * @psalm-taint-escape header
+	 * @psalm-taint-escape html
+	 * @psalm-taint-escape include
+	 * @psalm-taint-escape ldap
+	 * @psalm-taint-escape shell
+	 * @psalm-taint-escape sql
+	 * @psalm-taint-escape unserialize
+	 */
+	private function cleanLanguage(?string $lang): ?string {
+		if ($lang === null) {
+			return null;
+		}
+		$lang = preg_replace('/[^a-zA-Z0-9.;,=-]/', '', $lang);
+		return str_replace('..', '', $lang);
+	}
+
 	/**
 	 * Find the best language
 	 *
@@ -478,7 +498,7 @@ public function localeExists($locale) {
 	 * @throws LanguageNotFoundException
 	 */
 	private function getLanguageFromRequest(?string $app = null): string {
-		$header = $this->request->getHeader('ACCEPT_LANGUAGE');
+		$header = $this->cleanLanguage($this->request->getHeader('ACCEPT_LANGUAGE'));
 		if ($header !== '') {
 			$available = $this->findAvailableLanguages($app);
 

tests/lib/L10N/FactoryTest.php

@@ -84,6 +84,23 @@ protected function getFactory(array $methods = [], $mockRequestGetHeaderMethod =
 		return new Factory($this->config, $this->request, $this->userSession, $this->cacheFactory, $this->serverRoot);
 	}
 
+	public static function dataCleanLanguage(): array {
+		return [
+			'null shortcut' => [null, null],
+			'default language' => ['de', 'de'],
+			'malicious language' => ['de/../fr', 'defr'],
+			'request language' => ['kab;q=0.8,ka;q=0.7,de;q=0.6', 'kab;q=0.8,ka;q=0.7,de;q=0.6'],
+		];
+	}
+
+	/**
+	 * @dataProvider dataCleanLanguage
+	 */
+	public function testCleanLanguage(?string $lang, ?string $expected): void {
+		$factory = $this->getFactory();
+		$this->assertSame($expected, self::invokePrivate($factory, 'cleanLanguage', [$lang]));
+	}
+
 	public function dataFindAvailableLanguages(): array {
 		return [
 			[null],