From 9a4e9e54f26b0c1bf69c5be1f5b0fea93134c06a Mon Sep 17 00:00:00 2001
From: Chris Cormack
Date: Fri, 25 Nov 2011 19:07:28 +1300
Subject: [PATCH] Bug 6629 : Sanitizing input from language cookie
I dont think we can use only 2 digits, some languages is much longer zh-hans-TW for example But the regex should stop it bening able handle nasty chars, whitelisting safe ones instead
Signed-off-by: Katrin Fischer
I checked the patch doesn't break language switching and language selection.
Signed-off-by: Paul Poulain
I confirm the bug security issue was not here for master, but this fix improve the behaviour, so pushing it
---
 C4/Templates.pm | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/C4/Templates.pm b/C4/Templates.pm
index c2a5911e4c..73d94c2399 100644
--- a/C4/Templates.pm
+++ b/C4/Templates.pm
@@ -277,8 +277,7 @@ sub themelanguage {
 my @languages = split(",", C4::Context->preference( $is_intranet ? 'language' : 'opaclanguages'));
 my $lang;
- $lang = $query->cookie('KohaOpacLanguage')
- if defined $query and $query->cookie('KohaOpacLanguage');
+ $lang = getlanguagecookie($query);
 unless ($lang) {
 my $http_accept_language = $ENV{ HTTP_ACCEPT_LANGUAGE };
 $lang = accept_language( $http_accept_language,
@@ -327,8 +326,7 @@ sub getlanguagecookie {
 $lang = $ENV{HTTP_ACCEPT_LANGUAGE};
 }
- $lang = substr($lang, 0, 2);
-
+ $lang =~ s/[^a-zA-Z_-]*//; #sanitzie
 return $lang;
 }
-- 
2.20.1
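Review bot: The new line `$lang = getlanguagecookie($query);` drops the `defined $query` guard the two removed lines carried, and whether getlanguagecookie tolerates an undefined `$query` is not visible in this hunk, so that should be confirmed before relying on it. Since getlanguagecookie itself falls back to `$ENV{HTTP_ACCEPT_LANGUAGE}` (visible in the second hunk), the `unless ($lang)` branch that negotiates via `accept_language( $http_accept_language, @languages )` will presumably run less often than before, with a truncated raw header value used in place of a negotiated one; if that is intended, a comment such as `# getlanguagecookie() already falls back to Accept-Language; this branch only runs when it yields nothing` would make the control flow clear. The body of themelanguage continues on both sides of the hunk.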
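Review bot: The added substitution `$lang =~ s/[^a-zA-Z_-]*//;` is not an effective whitelist: without `/g` it removes only the first run of disallowed characters, and because `*` also matches the empty string it removes nothing at all when the value begins with a permitted character, so most cookie values reach `return $lang` unmodified. Because the fallback assigned a few lines up is the raw `Accept-Language` header (commas, semicolons, q-values), a global strip would glue its tags together, so an anchored extraction of the leading tag is the safer shape: `$lang = ( defined $lang && $lang =~ /\A([a-zA-Z_-]+)/ ) ? $1 : '';`, which also avoids the uninitialized-value warning when `$lang` is undefined. The comment should read `# keep only a whitelisted leading language tag` rather than `#sanitzie`. The start of getlanguagecookie, where `$lang` is first taken from the cookie, lies outside the hunk.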