From 0fb5267d07af57243d08ecafad4b5bcbe6d34a11 Mon Sep 17 00:00:00 2001
From: JustAMacUser
Date: Tue, 21 Apr 2020 20:52:19 -0400
Subject: [PATCH 1/2] During install, HTML encode POST data for forms.
---
 install/index.php | 60 +++++++++++++++++++++++------------------------
 1 file changed, 30 insertions(+), 30 deletions(-)
 mode change 100755 => 100644 install/index.php
diff --git a/install/index.php b/install/index.php
old mode 100755
new mode 100644
index b7aedf29d..ea88d1877
--- a/install/index.php
+++ b/install/index.php
@@ -234,28 +234,28 @@
- +
- +
- +
- + If needed
- + Usually 3306 for MySQL or 5432 for PostgreSQL
@@ -265,7 +265,7 @@
- +

@@ -336,7 +336,7 @@ $pdo = pdo_connect($DB_HOST, $DB_USER, $DB_PASS, $DB_NAME, $DB_TYPE, $DB_PORT); if (!$pdo) { - print_error("Unable to connect to database using specified parameters (driver: $DB_TYPE)."); + print_error("Unable to connect to database using specified parameters (driver: " . htmlspecialchars($DB_TYPE) . ")."); exit; } @@ -362,13 +362,13 @@
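Review bot: The one-argument `htmlspecialchars($DB_TYPE)` in the added `print_error` line relies on PHP's default flags and charset, and the same applies to `htmlspecialchars(make_config(...))` in the hunk at -440. Before PHP 8.1 the default is `ENT_COMPAT` without `ENT_SUBSTITUTE`, so single quotes are left unencoded and an input containing an invalid byte sequence makes the call return an empty string, which at the make_config site would blank the whole generated config. I would spell the context out: `htmlspecialchars($DB_TYPE, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`. The form-field hunks are not readable on this page, so whether the attribute values there use the same one-argument form should be checked against the file.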
- - - - - - - + + + + + + +

@@ -382,13 +382,13 @@ - - - - - - - + + + + + + + @@ -440,16 +440,16 @@ - - - - - - - + + + + + + + "; - echo make_config($DB_TYPE, $DB_HOST, $DB_USER, $DB_NAME, $DB_PASS, - $DB_PORT, $SELF_URL_PATH); + echo htmlspecialchars(make_config($DB_TYPE, $DB_HOST, $DB_USER, $DB_NAME, $DB_PASS, + $DB_PORT, $SELF_URL_PATH)); print ""; ?>


From 9c3cf60592d99494903184c268581dd18cf5b353 Mon Sep 17 00:00:00 2001 From: JustAMacUser Date: Tue, 21 Apr 2020 21:10:32 -0400 Subject: [PATCH 2/2] More fixes when installer generates config file. * Use single quotes in config.php when when defining database values so PHP doesn't interpret `$` as a variable (mostly for the password constant). * Use `addcslashes` instead of `addslashes` and only escape backslash and single quotes. * Do not convert DB_PORT to integer if leaving it blank (the default). --- config.php-dist | 10 +++++----- install/index.php | 14 ++++++++------ 2 files changed, 13 insertions(+), 11 deletions(-) mode change 100755 => 100644 config.php-dist mode change 100755 => 100644 install/index.php diff --git a/config.php-dist b/config.php-dist old mode 100755 new mode 100644 index e83fdcfdc..824c378a7 --- a/config.php-dist +++ b/config.php-dist @@ -3,11 +3,11 @@ // *** Database configuration (important!) *** // ******************************************* - define('DB_TYPE', "%DB_TYPE"); // pgsql or mysql - define('DB_HOST', "%DB_HOST"); - define('DB_USER', "%DB_USER"); - define('DB_NAME', "%DB_NAME"); - define('DB_PASS', "%DB_PASS"); + define('DB_TYPE', '%DB_TYPE'); // pgsql or mysql + define('DB_HOST', '%DB_HOST'); + define('DB_USER', '%DB_USER'); + define('DB_NAME', '%DB_NAME'); + define('DB_PASS', '%DB_PASS'); define('DB_PORT', '%DB_PORT'); // usually 5432 for PostgreSQL, 3306 for MySQL define('MYSQL_CHARSET', 'UTF8'); diff --git a/install/index.php b/install/index.php old mode 100755 new mode 100644 index b7aedf29d..543a4a3f2 --- a/install/index.php +++ b/install/index.php 
@@ -153,14 +153,16 @@ $rv = file_get_contents("../config.php-dist"); + $escape_chars = "\\'"; + $settings = [ "%DB_TYPE" => $DB_TYPE == 'pgsql' ? 'pgsql' : 'mysql', - "%DB_HOST" => addslashes($DB_HOST), - "%DB_USER" => addslashes($DB_USER), - "%DB_NAME" => addslashes($DB_NAME), - "%DB_PASS" => addslashes($DB_PASS), - "%DB_PORT" => intval($DB_PORT), - "%SELF_URL_PATH" => addslashes($SELF_URL_PATH) + "%DB_HOST" => addcslashes($DB_HOST, $escape_chars), + "%DB_USER" => addcslashes($DB_USER, $escape_chars), + "%DB_NAME" => addcslashes($DB_NAME, $escape_chars), + "%DB_PASS" => addcslashes($DB_PASS, $escape_chars), + "%DB_PORT" => $DB_PORT ? intval($DB_PORT) : '', + "%SELF_URL_PATH" => addcslashes($SELF_URL_PATH, $escape_chars) ]; $rv = str_replace(array_keys($settings), array_values($settings), $rv);
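Review bot: Escaping only `\` and `'` through `$escape_chars` is sufficient only while every placeholder sits inside a single-quoted literal in config.php-dist, and nothing in the code records that coupling. The template hunk in this patch converts the DB_* lines and shows `%DB_PORT` already single-quoted, but the `%SELF_URL_PATH` define is outside the visible hunk; if it is double-quoted, `"` and `$` in that value would reach config.php unescaped, so it should be confirmed. I would add `// must match the single-quoted literals in config.php-dist` above `$escape_chars`. Separately, the unchanged `str_replace(array_keys($settings), array_values($settings), $rv)` rescans text it has already substituted, so a value that happens to contain a later placeholder is rewritten; `$rv = strtr($rv, $settings);` replaces in a single pass. The enclosing function starts and ends outside the hunk.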