SECURITY Fixed remote code execution vuln in install.php due to inserting unescaped user data into mysite/_config.php. Not critical because install.php is required to be removed on a SilverStripe installation anyway (fixes #7205)

This commit is contained in:
Ingo Schommer 2012-05-16 14:34:42 +02:00
parent 8f2ede8fcf
commit eeef41e91f

View File

@ -1046,10 +1046,13 @@ class Installer extends InstallRequirements {
$fh = fopen('mysite/_config.php', 'wb');
fclose($fh);
}
$theme = isset($_POST['template']) ? $_POST['template'] : 'simple';
$locale = isset($_POST['locale']) ? $_POST['locale'] : 'en_US';
$type = $config['db']['type'];
// Escape user input for safe insertion into PHP file
$theme = isset($_POST['template']) ? addcslashes($_POST['template'], "\'") : 'simple';
$locale = isset($_POST['locale']) ? addcslashes($_POST['locale'], "\'") : 'en_US';
$type = addcslashes($config['db']['type'], "\'");
$dbConfig = $config['db'][$type];
$dbConfig = array_map(create_function('$v', 'return addcslashes($v, "\\\'");'), $dbConfig);
if(!isset($dbConfig['path'])) $dbConfig['path'] = '';
if(!$dbConfig) {
echo "<p style=\"color: red\">Bad config submitted</p><pre>";