From a02edff65556b93d25d5dd29e6e8d5d27e41caf8 Mon Sep 17 00:00:00 2001
From: plegall <plg@piwigo.org>
Date: Mon, 8 Mar 2021 14:59:07 +0100
Subject: [PATCH] fixes #1352 check language name (user input)

---
 admin/languages_installed.php | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/admin/languages_installed.php b/admin/languages_installed.php
index d173ff6f7..d8573bfe8 100644
--- a/admin/languages_installed.php
+++ b/admin/languages_installed.php
@@ -21,6 +21,9 @@ $languages = new languages();
 $languages->get_db_languages();
 
 //--------------------------------------------------perform requested actions
+check_input_parameter('action', $_GET, false, '/^(activate|deactivate|set_default|delete)$/');
+check_input_parameter('language', $_GET, false, '/^('.join('|', array_keys($languages->fs_languages)).')$/');
+
 if (isset($_GET['action']) and isset($_GET['language']))
 {
   $page['errors'] = $languages->perform_action($_GET['action'], $_GET['language']);