From 5b677c6ba327398d23f7aa08dd6464b01532bad8 Mon Sep 17 00:00:00 2001
From: Ingo Schommer
Date: Wed, 16 May 2012 15:05:00 +0200
Subject: [PATCH] SECURITY Fixed remote code execution vuln in install.php due to inserting unescaped user data into mysite/_config.php. Not critical because install.php is required to be removed on a SilverStripe installation anyway (fixes #7205)
---
 install.php | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/install.php b/install.php
index 7728e5c..4026a2c 100644
--- a/install.php
+++ b/install.php
@@ -981,10 +981,13 @@ class Installer extends InstallRequirements {
 $fh = fopen('mysite/_config.php', 'wb');
 fclose($fh);
 }
- $theme = isset($_POST['template']) ? $_POST['template'] : 'blackcandy';
- $locale = isset($_POST['locale']) ? $_POST['locale'] : 'en_US';
- $type = $config['db']['type'];
+
+ // Escape user input for safe insertion into PHP file
+ $theme = isset($_POST['template']) ? addcslashes($_POST['template'], "\'") : 'blackcandy';
+ $locale = isset($_POST['locale']) ? addcslashes($_POST['locale'], "\'") : 'en_US';
+ $type = addcslashes($config['db']['type'], "\'");
 $dbConfig = $config['db'][$type];
+ $dbConfig = array_map(create_function('$v', 'return addcslashes($v, "\\\'");'), $dbConfig);
 if(!$dbConfig) {
 echo "

Bad config submitted

";
 			print_r($config);
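Review bot: The added `array_map(...)` line runs before the `if(!$dbConfig)` guard, and the lookup `$config['db'][$type]` now uses the already-escaped `$type`, so a missing entry is handed to `array_map` first (which warns on a non-array argument) and escaping is mixed into what should be a plain key lookup. I would look the entry up with the raw value, keep the guard directly after it, and escape afterwards (assuming that branch aborts the install): leave `$type = $config['db']['type'];` as it was, move the `array_map` line below the `if(!$dbConfig) { … }` block, and add `$type = addcslashes($type, "\'");` next to it. Escaping backslash and single quote is only enough if every one of these values ends up inside a single-quoted PHP string in mysite/_config.php, which this hunk does not show; for `$type`, which presumably names a database adapter, an allowlist check such as `preg_match('/^[A-Za-z0-9_]+$/', $type)` would be a stronger guard than escaping. The `print_r($config)` in the error branch appears to print the submitted configuration, possibly including database credentials, without `htmlspecialchars()`, which is worth confirming separately. The enclosing method starts and ends outside the hunk.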