Diffstat (limited to 'languages/Language.php')
-rw-r--r--languages/Language.php23
1 files changed, 23 insertions, 0 deletions
diff --git a/languages/Language.php b/languages/Language.php
index 343ac8a7..3416fb27 100644
--- a/languages/Language.php
+++ b/languages/Language.php
@@ -144,6 +144,14 @@ class Language {
protected static function newFromCode( $code ) {
global $IP;
static $recursionLevel = 0;
+
+ // Protect against path traversal below
+ if ( !Language::isValidCode( $code )
+ || strcspn( $code, "/\\\000" ) !== strlen( $code ) )
+ {
+ throw new MWException( "Invalid language code \"$code\"" );
+ }
+
if ( $code == 'en' ) {
$class = 'Language';
} else {
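Review bot: The second half of the guard added to newFromCode(), `strcspn( $code, "/\\\000" ) !== strlen( $code )`, repeats exactly what isValidCode() computes, so the condition can be reduced to `if ( !Language::isValidCode( $code ) ) {`; the getFileName() hunk carries the same duplicated test. Keeping the rule only in isValidCode() means a later tightening of that helper cannot leave stale inline copies behind. The comment says "below", but the path construction it protects is outside this hunk, so it would help to name what is being guarded. The exception message embeds the rejected `$code` verbatim; how MWException renders its message is not visible here, so confirm it is escaped before display.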
@@ -174,6 +182,14 @@ class Language {
}
/**
+ * Returns true if a language code string is of a valid form, whether or
+ * not it exists.
+ */
+ public static function isValidCode( $code ) {
+ return strcspn( $code, "/\\\000" ) === strlen( $code );
+ }
+
+ /**
* Get the LocalisationCache instance
*/
public static function getLocalisationCache() {
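Review bot: isValidCode() is documented as checking that a code "is of a valid form", but the body only rejects strings containing `/`, `\` or a NUL byte, so an empty string or a string with any other character still passes. The doc comment should state the actual contract, for example `Returns true if $code contains no '/', '\' or NUL byte; this is a path-safety check and does not verify that $code is a well-formed language code.`, and add `@param string $code` and `@return bool`. A non-string argument reaches strcspn() unchecked; if callers can pass request data here, `return is_string( $code ) && strcspn( $code, "/\\\000" ) === strlen( $code );` makes the rejection explicit. An allowlist of the characters real language codes use would be a stronger long-term rule than this denylist, though the accepted set is not visible in this diff.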
@@ -2462,6 +2478,13 @@ class Language {
* @return string $prefix . $mangledCode . $suffix
*/
static function getFileName( $prefix = 'Language', $code, $suffix = '.php' ) {
+ // Protect against path traversal
+ if ( !Language::isValidCode( $code )
+ || strcspn( $code, "/\\\000" ) !== strlen( $code ) )
+ {
+ throw new MWException( "Invalid language code \"$code\"" );
+ }
+
return $prefix . str_replace( '-', '_', ucfirst( $code ) ) . $suffix;
}
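Review bot: getFileName() can now throw, but the doc comment that ends at `@return string $prefix . $mangledCode . $suffix` does not mention it; add `@throws MWException if $code contains a path separator or NUL byte` so callers that previously always received a string know to handle the failure. The doc comment starts outside this hunk, so the existing tags above `@return` are not visible here. Only `$code` is checked, while `$prefix` and `$suffix` are concatenated into the result unvalidated; that is fine if every caller passes constants, which this hunk cannot confirm, so a short comment stating that assumption would be worth adding.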