Bug
Resolution: Fixed
3.0.5
None
PHP Environment: 5.2.9
Database: MySQL 5.1.33
phpBB 3.0.5 Missing Language Validation:
The language validation in the phpBB 3 installer is pretty good: it just checks whether the specified subdirectory exists in language/ by using is_file(). The problem is when some joker decides to put &language=index.htm in the query string.
Result is a bunch of PHP Warnings:
Warning: include(./../language/index.htm/common.php) [function.include]: failed to open stream: Not a directory in /Library/WebServer/Documents/phpBB3/install/index.php on line 227
Warning: include() [function.include]: Failed opening './../language/index.htm/common.php' for inclusion (include_path='.:/usr/local/php5/lib/php') in /Library/WebServer/Documents/phpBB3/install/index.php on line 227
Warning: include(./../language/index.htm/acp/common.php) [function.include]: failed to open stream: Not a directory in /Library/WebServer/Documents/phpBB3/install/index.php on line 228
(and so on...)
and finally, the template tokens such as {INSTALL_PANEL}, {SKIP}, {SELECT_LANG} and so on are left exposed.
These errors will also occur after installation has been completed.
If the user somehow manages to complete installation, or at least make it to the 'create schema' step of the install phase, the admin user's user_lang will be set to index.htm in the phpbb_users table, and so will default_lang in phpbb_config. Thus, all subsequent attempts by any user to access any non-installer phpBB pages will die with:
Language file ./language/index.htm/common.php couldn't be opened.
Suggested behavior: add an is_dir() check when validating the language argument. This is in the code block in the file install/index.php immediately following:
// Try and load an appropriate language if required
$language = basename(request_var('language', ''));
Date found: 01 June, 2009
by Dog Cow
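
One way to implement the suggested is_dir() check, as an added example that is not phpBB's own code or its actual fix. The function name resolve_install_language(), the 'en' fallback and the temporary directory fixture are assumptions made for the illustration; it also rejects '.' and '..', which basename() passes through unchanged.

```php
<?php
// Added example, not phpBB's code. resolve_install_language() and the 'en'
// fallback are hypothetical choices for this illustration.
function resolve_install_language(string $root, string $requested, string $fallback = 'en'): string
{
    // Same first step as the installer: drop any path components.
    $language = basename($requested);

    // basename() leaves '.' and '..' intact, and language/../common.php
    // would resolve to a file outside language/, so reject them explicitly.
    if ($language === '' || $language === '.' || $language === '..') {
        return $fallback;
    }

    $dir = $root . 'language/' . $language;

    // An existence check alone accepts language/index.htm, which is a file.
    // Require a directory that contains the file the installer will include.
    if (!is_dir($dir) || !is_file($dir . '/common.php')) {
        return $fallback;
    }
    return $language;
}

// Constructed fixture: a throwaway tree shaped like phpBB's language/ folder.
$root = sys_get_temp_dir() . '/phpbb_lang_demo_' . getmypid() . '/';
mkdir($root . 'language/en', 0700, true);
file_put_contents($root . 'language/en/common.php', "<?php\n");
file_put_contents($root . 'language/index.htm', '');

foreach (['en', 'index.htm', '..', '', 'xx'] as $input) {
    printf("%-12s => %s\n", var_export($input, true), resolve_install_language($root, $input));
}

// Remove the fixture.
unlink($root . 'language/en/common.php');
unlink($root . 'language/index.htm');
rmdir($root . 'language/en');
rmdir($root . 'language');
rmdir($root);
```

Only the returned value should reach the include() calls and the user_lang and default_lang writes, so an invalid language can neither trigger the warnings nor be persisted to the database.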

