From 8f5a688d00f2f73a0913acb04247322f13e2c971 Mon Sep 17 00:00:00 2001 From: Baptiste Mispelon Date: Wed, 20 Nov 2013 16:31:53 +0100 Subject: [PATCH] Fixed #21458 -- Made check_for_language more resistant to malformed input. Thanks to Sergey Sorokin for the report and to Bouke Haarsma for the review. --- django/utils/translation/trans_real.py | 8 ++++++-- tests/i18n/tests.py | 2 ++ 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/django/utils/translation/trans_real.py b/django/utils/translation/trans_real.py index 7c545dbd3d..9dfac47381 100644 --- a/django/utils/translation/trans_real.py +++ b/django/utils/translation/trans_real.py @@ -44,6 +44,8 @@ accept_language_re = re.compile(r''' (?:\s*,\s*|$) # Multiple accepts per header. ''', re.VERBOSE) +language_code_re = re.compile(r'^[a-z]{1,8}(?:-[a-z0-9]{1,8})*$', re.IGNORECASE) + language_code_prefix_re = re.compile(r'^/([\w-]+)(/|$)') # some browsers use deprecated locales. refs #18419 @@ -393,9 +395,11 @@ def check_for_language(lang_code): """ Checks whether there is a global language file for the given language code. This is used to decide whether a user-provided language is - available. This is only used for language codes from either the cookies - or session and during format localization. + available. """ + # First, a quick check to make sure lang_code is well-formed (#21458) + if not language_code_re.search(lang_code): + return False for path in all_locale_paths(): if gettext_module.find('django', path, [to_locale(lang_code)]) is not None: return True diff --git a/tests/i18n/tests.py b/tests/i18n/tests.py index 30e30407e4..471f434467 100644 --- a/tests/i18n/tests.py +++ b/tests/i18n/tests.py 
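Review bot: `language_code_re` ends in `$`, which in Python also matches just before a trailing newline, so a value such as `'en\n'` still passes the new well-formedness check in `check_for_language` and reaches `to_locale()` and `gettext_module.find()`. Anchoring the end with `\Z` closes that gap: `language_code_re = re.compile(r'^[a-z]{1,8}(?:-[a-z0-9]{1,8})*\Z', re.IGNORECASE)`. On Python 3, `re.IGNORECASE` on a str pattern also lets `[a-z]` match a few non-ASCII characters (for example U+212A KELVIN SIGN), so adding `re.ASCII` is worth considering if the supported Python versions allow it. The test hunk in tests/i18n/tests.py could pin the newline case with `self.assertFalse(check_for_language('en\n'))`.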
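Review bot: The rewritten docstring of `check_for_language` no longer says where `lang_code` comes from, although the new guard exists because the value is user-provided. Within the visible lines the regex is the only validation before the code is passed to `to_locale()` and `gettext_module.find()`, so I would state that contract in the docstring, e.g. `lang_code may be untrusted; malformed codes return False without consulting the locale paths.` The guard also assumes a string: `None` or another non-string would raise `TypeError` from `search()` rather than return False, which is worth documenting or handling depending on what callers pass (not visible here). The function body continues past the end of the hunk.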
@@ -1318,6 +1318,8 @@ class CountrySpecificLanguageTests(TransRealMixin, TestCase):
 self.assertTrue(check_for_language('en'))
 self.assertTrue(check_for_language('en-us'))
 self.assertTrue(check_for_language('en-US'))
+ self.assertFalse(check_for_language('en-ΓΌ'))
+ self.assertFalse(check_for_language('en\x00'))
 def test_get_language_from_request(self):
 # issue 19919
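Review bot: The non-ASCII literal in the first new assertion appears here as `'en-ΓΌ'`, which looks like a mis-decoded `'en-ü'`; if that is more than a rendering artefact, the test depends on the file's source encoding. Writing it with an escape, `self.assertFalse(check_for_language('en-\xfc'))`, keeps the test independent of how the file is stored or displayed (whether the literal is text or bytes depends on the module's imports, which are outside the hunk). A short comment on each case, `# non-ASCII subtag` and `# embedded NUL byte, refs #21458`, would make the intent of the two inputs explicit. The test method starts above the hunk.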