mirror of
https://github.com/silverstripe/silverstripe-framework
synced 2024-10-22 14:05:37 +02:00
SECURITY Fixed remote code execution vuln in install.php due to inserting unescaped user data into mysite/_config.php. Not critical because install.php is required to be removed on a SilverStripe installation anyway (fixes #7205)
This commit is contained in:
parent
8f2ede8fcf
commit
eeef41e91f
@ -1046,10 +1046,13 @@ class Installer extends InstallRequirements {
|
||||
$fh = fopen('mysite/_config.php', 'wb');
|
||||
fclose($fh);
|
||||
}
|
||||
$theme = isset($_POST['template']) ? $_POST['template'] : 'simple';
|
||||
$locale = isset($_POST['locale']) ? $_POST['locale'] : 'en_US';
|
||||
$type = $config['db']['type'];
|
||||
|
||||
// Escape user input for safe insertion into PHP file
|
||||
$theme = isset($_POST['template']) ? addcslashes($_POST['template'], "\'") : 'simple';
|
||||
$locale = isset($_POST['locale']) ? addcslashes($_POST['locale'], "\'") : 'en_US';
|
||||
$type = addcslashes($config['db']['type'], "\'");
|
||||
$dbConfig = $config['db'][$type];
|
||||
$dbConfig = array_map(create_function('$v', 'return addcslashes($v, "\\\'");'), $dbConfig);
|
||||
if(!isset($dbConfig['path'])) $dbConfig['path'] = '';
|
||||
if(!$dbConfig) {
|
||||
echo "<p style=\"color: red\">Bad config submitted</p><pre>";
|
||||
|
Loading…
Reference in New Issue
Block a user