From 5277a7dee4b8f1a174f1d69e1e2a4e1c82a3fc9e Mon Sep 17 00:00:00 2001
From: plegall
Date: Fri, 1 May 2026 16:58:09 +0200
Subject: [PATCH] fixes GHSA-rr39-mf4j-6594 prevent displaying RAW cookie content ... and also factorize code checking the cookie.lang user input
---
identification.php | 12 +---------
include/functions.inc.php | 42 ++++++++++++++++++++++++++++++++++
include/functions_user.inc.php | 20 +---------------
password.php | 12 +---------
profile.php | 22 +-----------------
register.php | 12 +---------
6 files changed, 47 insertions(+), 73 deletions(-)
diff --git a/identification.php b/identification.php
index 204a949e4..b2ab877df 100644
--- a/identification.php
+++ b/identification.php
@@ -125,17 +125,7 @@ if (!$conf['gallery_locked'] && (!isset($themeconf['hide_menu_on']) OR !in_array
 include( PHPWG_ROOT_PATH.'include/menubar.inc.php');
 }
-//Load language if cookie is set from login/register/password pages
-if (isset($_COOKIE['lang']) and $user['language'] != $_COOKIE['lang'])
-{
- if (!array_key_exists($_COOKIE['lang'], get_languages()))
- {
- fatal_error('[Hacking attempt] the input parameter "'.$_COOKIE['lang'].'" is not valid');
- }
-
- $user['language'] = $_COOKIE['lang'];
- load_language('common.lang', '', array('language'=>$user['language']));
-}
+load_cookie_language();
 //Get list of languages
 foreach (get_languages() as $language_code => $language_name)
diff --git a/include/functions.inc.php b/include/functions.inc.php
index 1e643c562..762a629bd 100644
--- a/include/functions.inc.php
+++ b/include/functions.inc.php
@@ -1937,6 +1937,48 @@ function load_language($filename, $dirname = '', $options = array())
 return false;
 }
+function load_cookie_language($load_language=true, $update_user=false, $unset_cookie=false, $user_id=null)
+{
+ global $user;
+
+ // Load language if cookie is set from login/register/password pages
+ if (isset($_COOKIE['lang']) and $user['language'] != $_COOKIE['lang'])
+ {
+ if (!array_key_exists($_COOKIE['lang'], get_languages()))
+ {
+ fatal_error('[Hacking attempt] the input parameter "'.htmlspecialchars($_COOKIE['lang']).'" is not valid');
+ }
+
+ $user['language'] = $_COOKIE['lang'];
+
+ if ($update_user)
+ {
+ single_update(
+ USER_INFOS_TABLE,
+ array(
+ 'language' => $_COOKIE['lang']
+ ),
+ array(
+ 'user_id' => $user_id ?? $user['id']
+ )
+ );
+ }
+
+ if ($load_language)
+ {
+ load_language('common.lang', '', array('language'=>$user['language']));
+ }
+
+ if ($unset_cookie)
+ {
+ // We unset the lang cookie, if user has changed their language using interface
+ // we don't want to keep setting it back to what was chosen using standard
+ // pages lang switch
+ setcookie("lang", "", time() - 3600);
+ }
+ }
+}
+
 /**
 * converts a string from a character set to another character set
 *
diff --git a/include/functions_user.inc.php b/include/functions_user.inc.php
index eae20fe68..94e0a28e3 100644
--- a/include/functions_user.inc.php
+++ b/include/functions_user.inc.php
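Review bot: The guard in the new `load_cookie_language()` (include/functions.inc.php) only tests `isset($_COOKIE['lang'])`, so a cookie that PHP has parsed into an array reaches `array_key_exists()` and `htmlspecialchars()` as a non-string, which on PHP 8 raises a TypeError instead of taking the controlled `fatal_error()` path; adding `and is_string($_COOKIE['lang'])` to the condition makes such a value be ignored. The escaping call relies on the default flags, which before PHP 8.1 leave single quotes unescaped, so `htmlspecialchars($_COOKIE['lang'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` would keep the encoding independent of the runtime version. Escaping at this one call site also leaves every other `fatal_error()` caller responsible for encoding its own message; `fatal_error()` is defined outside this hunk, so whether it can encode centrally needs checking there. The function has no docblock, unlike the `/**` header of the function that follows it; one describing the four parameters, the `$user_id` fallback to `$user['id']`, and the fact that an unknown language code calls `fatal_error()` would help callers.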
@@ -1051,25 +1051,7 @@ function log_user($user_id, $remember_me)
 //New default login and register pages, if users changes languages and succesfully logs in
 //we want to update the userpref language stored in a cookie
- //TODO check value of cookie
-
- if (isset($_COOKIE['lang']) and $user['language'] != $_COOKIE['lang'])
- {
- if (!array_key_exists($_COOKIE['lang'], get_languages()))
- {
- fatal_error('[Hacking attempt] the input parameter "'.$_COOKIE['lang'].'" is not valid');
- }
-
- single_update(
- USER_INFOS_TABLE,
- array('language' => $_COOKIE['lang']),
- array('user_id' => $user_id)
- );
-
- // We unset the lang cookie, if user has changed their language using interface we don't want to keep setting it back
- // to what was chosen using standard pages lang switch
- setcookie("lang", "", time() - 3600);
- }
+ load_cookie_language(false, true, true, $user_id);
 if ($remember_me and $conf['authorize_remembering'])
 {
diff --git a/password.php b/password.php
index 543e65c0f..7abdbda26 100644
--- a/password.php
+++ b/password.php
@@ -489,17 +489,7 @@ if (!isset($themeconf['hide_menu_on']) OR !in_array('thePasswordPage', $themecon
 include( PHPWG_ROOT_PATH.'include/menubar.inc.php');
 }
-//Load language if cookie is set from login/register/password pages
-if (isset($_COOKIE['lang']) and $user['language'] != $_COOKIE['lang'])
-{
- if (!array_key_exists($_COOKIE['lang'], get_languages()))
- {
- fatal_error('[Hacking attempt] the input parameter "'.$_COOKIE['lang'].'" is not valid');
- }
-
- $user['language'] = $_COOKIE['lang'];
- load_language('common.lang', '', array('language'=>$user['language']));
-}
+load_cookie_language();
 //Get list of languages
 foreach (get_languages() as $language_code => $language_name)
diff --git a/profile.php b/profile.php
index 88a42cb9f..18cc6688f 100644
--- a/profile.php
+++ b/profile.php
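Review bot: The call `load_cookie_language(false, true, true, $user_id);` in `log_user()` (include/functions_user.inc.php) carries its whole intent in three positional booleans, so a reader has to open the helper to see what is switched on; a comment above it such as `// persist the cookie language for $user_id, skip reloading strings, then clear the cookie` would make the call reviewable on its own. The same applies to `load_cookie_language(true, true)` in the profile.php hunk. On this path the helper also assigns `$user['language'] = $_COOKIE['lang']`, which the removed block in `log_user()` did not do, and its comparison still reads the global `$user` rather than the account identified by `$user_id`; both are worth confirming as intended. `log_user()` starts and ends outside the hunk.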
@@ -78,27 +78,7 @@ SELECT '.implode(',', $fields).'
 include(PHPWG_ROOT_PATH.'include/page_header.php');
- //Load language if cookie is set from login/register/password pages
- if (isset($_COOKIE['lang']) and $user['language'] != $_COOKIE['lang'])
- {
- if (!array_key_exists($_COOKIE['lang'], get_languages()))
- {
- fatal_error('[Hacking attempt] the input parameter "'.$_COOKIE['lang'].'" is not valid');
- }
-
- $user['language'] = $_COOKIE['lang'];
- single_update(
- USER_INFOS_TABLE,
- array(
- 'language' => $_COOKIE['lang']
- ),
- array(
- 'user_id' => $user['id']
- )
- );
-
- load_language('common.lang', '', array('language'=>$user['language']));
- }
+ load_cookie_language(true, true);
 //Get list of languages
 foreach (get_languages() as $language_code => $language_name)
diff --git a/register.php b/register.php
index 25cac78ec..e0cb47f84 100644
--- a/register.php
+++ b/register.php
@@ -101,17 +101,7 @@ if (!isset($themeconf['hide_menu_on']) OR !in_array('theRegisterPage', $themecon
 include( PHPWG_ROOT_PATH.'include/menubar.inc.php');
 }
-//Load language if cookie is set from login/register/password pages
-if (isset($_COOKIE['lang']) and $user['language'] != $_COOKIE['lang'])
-{
- if (!array_key_exists($_COOKIE['lang'], get_languages()))
- {
- fatal_error('[Hacking attempt] the input parameter "'.$_COOKIE['lang'].'" is not valid');
- }
-
- $user['language'] = $_COOKIE['lang'];
- load_language('common.lang', '', array('language'=>$user['language']));
-}
+load_cookie_language();
 //Get list of languages
 foreach (get_languages() as $language_code => $language_name)
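Review bot: In profile.php the call `load_cookie_language(true, true);` writes the cookie language to the user's row but leaves `$unset_cookie` at its default, so the `lang` cookie stays in place after the write. The helper's own comment on the `$unset_cookie` branch explains why a lingering cookie is unwanted once the user picks a language through the interface; if that reasoning applies to the profile form as well, `load_cookie_language(true, true, true);` would cover it. This matches what the removed block did, so it may be deliberate, and the surrounding profile code lies outside the hunk.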