From 72404aaf99e52667686e0b622a177943fb2c6e67 Mon Sep 17 00:00:00 2001
From: Luc Didry
Date: Fri, 26 Oct 2018 17:26:14 +0200
Subject: [PATCH] Fix header injection from lang code
---
 cpanfile | 2 +-
 lib/Lufi/Controller/Misc.pm | 4 +++-
 themes/default/lib/Lufi/I18N/ca.po | 8 ++++++--
 themes/default/lib/Lufi/I18N/en.po | 8 ++++++--
 themes/default/lib/Lufi/I18N/fr.po | 8 ++++++--
 themes/default/lib/Lufi/I18N/it.po | 8 ++++++--
 themes/default/lib/Lufi/I18N/nl.po | 8 ++++++--
 themes/default/lib/Lufi/I18N/oc.po | 8 ++++++--
 themes/default/lib/Lufi/I18N/pt.po | 8 ++++++--
 9 files changed, 46 insertions(+), 16 deletions(-)
diff --git a/cpanfile b/cpanfile
index 993459b..fe52888 100644
--- a/cpanfile
+++ b/cpanfile
@@ -6,7 +6,7 @@ requires 'Mojolicious::Plugin::Mail';
 requires 'Mojolicious::Plugin::GzipStatic';
 requires 'Mojolicious::Plugin::StaticCache';
 requires 'Mojolicious::Plugin::CSPHeader';
-requires 'Mojolicious::Plugin::FiatTux::Helpers', '== 0.07', url => 'https://framagit.org/fiat-tux/mojolicious/mojolicious-plugin-fiattux-helpers/-/archive/0.07/mojolicious-plugin-fiattux-helpers-0.07.tar.gz';
+requires 'Mojolicious::Plugin::FiatTux::Helpers', '== 0.08', url => 'https://framagit.org/fiat-tux/mojolicious/mojolicious-plugin-fiattux-helpers/-/archive/0.08/mojolicious-plugin-fiattux-helpers-0.08.tar.gz';
 requires 'Mojolicious::Plugin::FiatTux::GrantAccess', '== 0.05', url => 'https://framagit.org/fiat-tux/mojolicious/mojolicious-plugin-fiattux-grantaccess/-/archive/0.05/mojolicious-plugin-fiattux-grantaccess-0.05.tar.gz';
 requires 'Mojolicious::Plugin::FiatTux::Themes', '== 0.02', url => 'https://framagit.org/fiat-tux/mojolicious/mojolicious-plugin-fiattux-themes/-/archive/0.02/mojolicious-plugin-fiattux-themes-0.02.tar.gz';
 requires 'Filesys::DiskUsage';
diff --git a/lib/Lufi/Controller/Misc.pm b/lib/Lufi/Controller/Misc.pm
index 488c75a..146dbd8 100644
--- a/lib/Lufi/Controller/Misc.pm
+++ b/lib/Lufi/Controller/Misc.pm
@@ -17,7 +17,9 @@ sub change_lang {
 my $c = shift;
 my $l = $c->param('l');
- $c->cookie($c->app->moniker.'_lang' => $l, { path => $c->config('prefix') });
+ if ($c->iso639_native_name($l)) {
+ $c->cookie($c->app->moniker.'_lang' => $l, { path => $c->config('prefix') });
+ }
 if ($c->req->headers->referrer) {
 return $c->redirect_to($c->req->headers->referrer);
diff --git a/themes/default/lib/Lufi/I18N/ca.po b/themes/default/lib/Lufi/I18N/ca.po
index 3da48d3..4480115 100644
--- a/themes/default/lib/Lufi/I18N/ca.po
+++ b/themes/default/lib/Lufi/I18N/ca.po
@@ -205,6 +205,10 @@ msgstr "Nom de fitxer"
 msgid "Files deleted at first download"
 msgstr ""
+#: themes/default/templates/mail.html.ep:46
+msgid "Free field"
+msgstr ""
+
 #: themes/default/templates/partial/render.js.ep:8
 msgid "Get the file"
 msgstr "Obté el fitxer"
@@ -344,11 +348,11 @@ msgstr "Les files en vermell indiquen que els fitxers han expirat i ja no són d
 msgid "Send all links by email"
 msgstr "Envia tots els enllaços per correu electrònic"
-#: themes/default/templates/mail.html.ep:45
+#: themes/default/templates/mail.html.ep:53
 msgid "Send with this server"
 msgstr "Envia amb aquest servidor"
-#: themes/default/templates/mail.html.ep:46
+#: themes/default/templates/mail.html.ep:54
 msgid "Send with your own mail software"
 msgstr "Envia amb el vostre propi programa de correu"
diff --git a/themes/default/lib/Lufi/I18N/en.po b/themes/default/lib/Lufi/I18N/en.po
index 94c5344..57169d0 100644
--- a/themes/default/lib/Lufi/I18N/en.po
+++ b/themes/default/lib/Lufi/I18N/en.po
@@ -202,6 +202,10 @@ msgstr ""
 msgid "Files deleted at first download"
 msgstr ""
+#: themes/default/templates/mail.html.ep:46
+msgid "Free field"
+msgstr ""
+
 #: themes/default/templates/partial/render.js.ep:8
 msgid "Get the file"
 msgstr ""
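Review bot: In `change_lang` (lib/Lufi/Controller/Misc.pm) the new `if ($c->iso639_native_name($l))` guard is the only thing keeping the request-supplied `l` parameter out of the Set-Cookie header, yet nothing in the code says so. I would put `# $l comes from the request and is written to Set-Cookie: accept only known ISO 639 codes` above the `if`, so a later cleanup does not remove the check as redundant. The guard relies on the helper, which presumably arrives with the FiatTux::Helpers 0.08 bump in cpanfile, returning a false value for every non-code input, including an absent `l` (undef); a controller test that sends a value containing CR/LF and an empty value would pin that. A rejected value is currently dropped without trace, so a `$c->app->log->warn('change_lang: rejected language code');` in an `else` branch (without echoing the raw value into the log) would make probing visible. `change_lang` continues past the end of the hunk.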
@@ -340,11 +344,11 @@ msgstr ""
 msgid "Send all links by email"
 msgstr ""
-#: themes/default/templates/mail.html.ep:45
+#: themes/default/templates/mail.html.ep:53
 msgid "Send with this server"
 msgstr ""
-#: themes/default/templates/mail.html.ep:46
+#: themes/default/templates/mail.html.ep:54
 msgid "Send with your own mail software"
 msgstr ""
diff --git a/themes/default/lib/Lufi/I18N/fr.po b/themes/default/lib/Lufi/I18N/fr.po
index 5dd8b0e..3c8e0cb 100644
--- a/themes/default/lib/Lufi/I18N/fr.po
+++ b/themes/default/lib/Lufi/I18N/fr.po
@@ -204,6 +204,10 @@ msgstr "Nom du fichier"
 msgid "Files deleted at first download"
 msgstr "Fichiers supprimés au premier téléchargement"
+#: themes/default/templates/mail.html.ep:46
+msgid "Free field"
+msgstr ""
+
 #: themes/default/templates/partial/render.js.ep:8
 msgid "Get the file"
 msgstr "Récupérer le fichier"
@@ -342,11 +346,11 @@ msgstr "Les lignes en rouge indiquent que le fichier a expiré et n’est plus d
 msgid "Send all links by email"
 msgstr "Envoyer tous les liens par mail"
-#: themes/default/templates/mail.html.ep:45
+#: themes/default/templates/mail.html.ep:53
 msgid "Send with this server"
 msgstr "Envoyer avec ce serveur"
-#: themes/default/templates/mail.html.ep:46
+#: themes/default/templates/mail.html.ep:54
 msgid "Send with your own mail software"
 msgstr "Envoyer avec votre propre logiciel de mail"
diff --git a/themes/default/lib/Lufi/I18N/it.po b/themes/default/lib/Lufi/I18N/it.po
index 36ef7cc..f2e8ded 100644
--- a/themes/default/lib/Lufi/I18N/it.po
+++ b/themes/default/lib/Lufi/I18N/it.po
@@ -204,6 +204,10 @@ msgstr "Nome del file"
 msgid "Files deleted at first download"
 msgstr ""
+#: themes/default/templates/mail.html.ep:46
+msgid "Free field"
+msgstr ""
+
 #: themes/default/templates/partial/render.js.ep:8
 msgid "Get the file"
 msgstr "Ottenere il file"
@@ -346,11 +350,11 @@ msgstr ""
 msgid "Send all links by email"
 msgstr "Inviare tutti i link tramite email"
-#: themes/default/templates/mail.html.ep:45
+#: themes/default/templates/mail.html.ep:53
 msgid "Send with this server"
 msgstr "Inviare tramite questo server"
-#: themes/default/templates/mail.html.ep:46
+#: themes/default/templates/mail.html.ep:54
 msgid "Send with your own mail software"
 msgstr "Inviare tramite il vostro programma di posta"
diff --git a/themes/default/lib/Lufi/I18N/nl.po b/themes/default/lib/Lufi/I18N/nl.po
index 61f6c5e..3440f65 100644
--- a/themes/default/lib/Lufi/I18N/nl.po
+++ b/themes/default/lib/Lufi/I18N/nl.po
@@ -191,6 +191,10 @@ msgstr "Bestandsnaam"
 msgid "Files deleted at first download"
 msgstr ""
+#: themes/default/templates/mail.html.ep:46
+msgid "Free field"
+msgstr ""
+
 #: themes/default/templates/partial/render.js.ep:8
 msgid "Get the file"
 msgstr "Download bestand"
@@ -333,11 +337,11 @@ msgstr "Rode rijen betekenen dat deze bestanden verlopen en verwijderd zijn."
 msgid "Send all links by email"
 msgstr "Verstuur alle links via mail"
-#: themes/default/templates/mail.html.ep:45
+#: themes/default/templates/mail.html.ep:53
 msgid "Send with this server"
 msgstr "Verstuur via deze server"
-#: themes/default/templates/mail.html.ep:46
+#: themes/default/templates/mail.html.ep:54
 msgid "Send with your own mail software"
 msgstr "Verstuur via eigen mail software"
diff --git a/themes/default/lib/Lufi/I18N/oc.po b/themes/default/lib/Lufi/I18N/oc.po
index cba0af8..6a2e71e 100644
--- a/themes/default/lib/Lufi/I18N/oc.po
+++ b/themes/default/lib/Lufi/I18N/oc.po
@@ -204,6 +204,10 @@ msgstr "Nom del fichièr"
 msgid "Files deleted at first download"
 msgstr "Fichièr suprimit al primièr telecargament"
+#: themes/default/templates/mail.html.ep:46
+msgid "Free field"
+msgstr ""
+
 #: themes/default/templates/partial/render.js.ep:8
 msgid "Get the file"
 msgstr "Recuperar lo fichièr"
@@ -346,11 +350,11 @@ msgstr "Las linhas en roge indican que lo fichièr a expirat e es pas mai dispon
 msgid "Send all links by email"
 msgstr "Mandar totes los ligams per corrièl"
-#: themes/default/templates/mail.html.ep:45
+#: themes/default/templates/mail.html.ep:53
 msgid "Send with this server"
 msgstr "Mandar amb aqueste servidor"
-#: themes/default/templates/mail.html.ep:46
+#: themes/default/templates/mail.html.ep:54
 msgid "Send with your own mail software"
 msgstr "Mandar amb vòstre pròpri logicial de corrièl"
diff --git a/themes/default/lib/Lufi/I18N/pt.po b/themes/default/lib/Lufi/I18N/pt.po
index 165f918..650b8eb 100644
--- a/themes/default/lib/Lufi/I18N/pt.po
+++ b/themes/default/lib/Lufi/I18N/pt.po
@@ -209,6 +209,10 @@ msgstr "Nome do ficheiro"
 msgid "Files deleted at first download"
 msgstr ""
+#: themes/default/templates/mail.html.ep:46
+msgid "Free field"
+msgstr ""
+
 #: themes/default/templates/partial/render.js.ep:8
 msgid "Get the file"
 msgstr "Recuperar o ficheiro"
@@ -351,11 +355,11 @@ msgstr "As linhas a vermelho indicam que o ficheiro expirou e já não está dis
 msgid "Send all links by email"
 msgstr "Enviar todos os links por e-mail"
-#: themes/default/templates/mail.html.ep:45
+#: themes/default/templates/mail.html.ep:53
 msgid "Send with this server"
 msgstr "Enviar com este servidor"
-#: themes/default/templates/mail.html.ep:46
+#: themes/default/templates/mail.html.ep:54
 msgid "Send with your own mail software"
 msgstr "Enviar com o seu e-mail pessoal"