forgot one escapeshellarg() and enhanced security on userdata.inc.php…
… creation when installing

Signed-off-by: Michael Kaufmann <d00p@froxlor.org>
d00p committed Mar 6, 2020
1 parent 62ce21c commit 7e36127
Showing 1 changed file with 8 additions and 8 deletions.
16 changes: 8 additions & 8 deletions install/lib/class.FroxlorInstall.php
@@ -333,18 +333,18 @@ private function _createUserdataConf()

// test if we can store the userdata.inc.php in ../lib
$userdata_file = dirname(dirname(dirname(__FILE__))) . '/lib/userdata.inc.php';
if ($fp = @fopen($userdata_file, 'w')) {
$result = @fputs($fp, $userdata, strlen($userdata));
if (@touch($userdata_file) && @chmod($userdata_file, 0400) && @is_writable($userdata_file)) {
$fp = @fopen($userdata_file, 'w');
@fputs($fp, $userdata, strlen($userdata));
@fclose($fp);
$content .= $this->_status_message('green', 'OK');
chmod($userdata_file, 0440);
} else {
// try creating it in a temporary file
$temp_file = tempnam(sys_get_temp_dir(), 'fx');
if (touch($temp_file)) {
$temp_file = @tempnam(sys_get_temp_dir(), 'fx');
if ($temp_file) {
chmod($temp_file, 0400);
$fp = @fopen($temp_file, 'w');
$result = @fputs($fp, $userdata, strlen($userdata));
@fputs($fp, $userdata, strlen($userdata));
@fclose($fp);
$content .= $this->_status_message('orange', sprintf($this->_lng['install']['creating_configfile_temp'], $temp_file));
} else {
@@ -568,7 +568,7 @@ private function _importDatabaseData()
for ($i = 0; $i < sizeof($sql_query); $i ++) {
if (trim($sql_query[$i]) != '') {
try {
$result = $db->query($sql_query[$i]);
$db->query($sql_query[$i]);
} catch (\PDOException $e) {
$content .= $this->_status_message('red', $e->getMessage());
$fatal_fail = true;
@@ -735,7 +735,7 @@ private function _backupExistingDatabase(&$db_root)
}

if ($do_backup) {
$command = $mysql_dump . " " . escapeshellarg($this->_data['mysql_database']) . " -u " . escapeshellarg($this->_data['mysql_root_user']) . " --password='" . $this->_data['mysql_root_pass'] . "' --result-file=" . $filename;
$command = $mysql_dump . " " . escapeshellarg($this->_data['mysql_database']) . " -u " . escapeshellarg($this->_data['mysql_root_user']) . " --password='" . escapeshellarg($this->_data['mysql_root_pass']) . "' --result-file=" . $filename;
$output = exec($command);
if (stristr($output, "error")) {
$content .= $this->_status_message('red', $this->_lng['install']['backup_failed']);
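Review bot: The literal single quotes left around the new `escapeshellarg()` call on the `--password` argument cancel the escaping: `escapeshellarg()` already returns a single-quoted string, so the shell sees `''…''` and the password text ends up outside any quotes, where whitespace splits the argument and shell metacharacters are interpreted. Drop the surrounding quotes, i.e. `" --password=" . escapeshellarg($this->_data['mysql_root_pass'])`. `$filename` is still concatenated unescaped into `--result-file=`; how it is built is not visible in this hunk, so it should be wrapped in `escapeshellarg()` as well unless it is known to be a fixed path. Separately, a password passed on the command line is readable in the process list while the dump runs; a temporary option file readable only by the installer's user, passed via `--defaults-extra-file`, would avoid that. `_backupExistingDatabase` begins and ends outside the hunk.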
