tonyair/silverstripe-installer
1
0
Fork 0
mirror of https://github.com/silverstripe/silverstripe-installer synced 2024-10-22 17:05:33 +02:00
Code Issues Projects Releases Wiki Activity

SECURITY Fixed remote code execution vuln in install.php due to inserting unescaped user data into mysite/_config.php. Not critical because install.php is required to be removed on a SilverStripe installation anyway (fixes #7205)

Browse Source
This commit is contained in:
Ingo Schommer 2012-05-16 15:05:00 +02:00
parent 1b90766e8b
commit b7c8737de6
1 changed files with 6 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
install.php
View File

@ -981,10 +981,13 @@ class Installer extends InstallRequirements {
$fh = fopen('mysite/_config.php', 'wb');
fclose($fh);
}
$theme = isset($_POST['template']) ? $_POST['template'] : 'blackcandy';
$locale = isset($_POST['locale']) ? $_POST['locale'] : 'en_US';
$type = $config['db']['type'];
// Escape user input for safe insertion into PHP file
$theme = isset($_POST['template']) ? addcslashes($_POST['template'], "\'") : 'blackcandy';
$locale = isset($_POST['locale']) ? addcslashes($_POST['locale'], "\'") : 'en_US';
$type = addcslashes($config['db']['type'], "\'");
$dbConfig = $config['db'][$type];
$dbConfig = array_map(create_function('$v', 'return addcslashes($v, "\\\'");'), $dbConfig);
if(!$dbConfig) {
echo "<p style=\"color: red\">Bad config submitted</p><pre>";
print_r($config);