[bugfix] Avoid loading path-looking locales from fs

diff --git a/src/lib/locale/locales.js b/src/lib/locale/locales.js
index 0d082327545c67c3f872b348aab64d8397d896e1..b329b83b3a335a696a81b6a0c858cd81e31fc42e 100644 (file)
--- a/src/lib/locale/locales.js
+++ b/src/lib/locale/locales.js
@@ -62,6 +62,11 @@ function chooseLocale(names) {
     return globalLocale;
 }
 
+function isLocaleNameSane(name) {
+    // Prevent names that look like filesystem paths, i.e contain '/' or '\'
+    return name.match('^[^/\\\\]*$') != null;
+}
+
 function loadLocale(name) {
     var oldLocale = null,
         aliasedRequire;
@@ -70,7 +75,8 @@ function loadLocale(name) {
         locales[name] === undefined &&
         typeof module !== 'undefined' &&
         module &&
-        module.exports
+        module.exports &&
+        isLocaleNameSane(name)
     ) {
         try {
             oldLocale = globalLocale._abbr;