# This fixes OSA-2017-07, also known as CVE-2017-16664: An attacker who is
# logged into OTRS as an agent can request special URLs from OTRS which can
# lead to the execution of shell commands with the permissions of the web
# server user.
# Closes: #882370
# URL: https://www.otrs.com/security-advisory-2017-07-security-update-otrs-framework/

diff --git a/Kernel/System/Spelling.pm b/Kernel/System/Spelling.pm
index 800aa33e14..c62f8b5144 100644
--- a/Kernel/System/Spelling.pm
+++ b/Kernel/System/Spelling.pm
@@ -141,6 +141,8 @@ sub Check {
 
     # set dict
     if ( $Param{SpellLanguage} ) {
+        # Sanitize to avoid tampering - whitelist allowed characters.
+        $Param{SpellLanguage} =~ s{[^a-zA-Z0-9_-]}{}smxg;
         $SpellChecker .= " -d $Param{SpellLanguage}";
     }
 
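Review bot: The added `s{[^a-zA-Z0-9_-]}{}smxg` line repairs the value instead of rejecting it, so a malformed `SpellLanguage` is silently rewritten and still reaches the `-d` append on the next line; and because `-` is in the whitelist, a value starting with `-` survives the filter and is then placed into the command string where it reads as a further option rather than a dictionary name. A validate-then-fail check is clearer and narrower: `if ( $Param{SpellLanguage} !~ m{\A[a-zA-Z0-9_][a-zA-Z0-9_-]*\z}xms ) { return; }` (using whatever error path `Check` already has) ahead of the append, which also makes the rejection visible in logs. The command is still assembled as one string here; if it is later handed to a shell, a list-form invocation would remove the dependence on this character filter, but that call is not in the hunk. A short why-comment would help the next reader, e.g. `# Value ends up in a shell command string below; only dictionary-name characters are allowed.` The body of `Check` starts before this hunk.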
