From 770a6f3905e9f2ee4d18b954a46b50eda58c73da Mon Sep 17 00:00:00 2001
From: Serhii Korneliuk <seiger@meta.ua>
Date: Wed, 6 Dec 2023 19:05:08 +0200
Subject: [PATCH] [FIX]
 CVE-2023-43341-Evolution-Reflected-XSS---Installation-Connection-
 (https://github.com/advisories/GHSA-5h47-9rm5-fx3f).

---
 .../src/controllers/connection/collation.php  | 17 +++-----
 .../controllers/connection/databasetest.php   | 41 ++++++++-----------
 .../src/controllers/connection/servertest.php |  8 ++--
 3 files changed, 28 insertions(+), 38 deletions(-)

diff --git a/install/src/controllers/connection/collation.php b/install/src/controllers/connection/collation.php
index 02438d184a..49d1274a5f 100644
--- a/install/src/controllers/connection/collation.php
+++ b/install/src/controllers/connection/collation.php
@@ -1,26 +1,22 @@
 <?php
-
-$host = $_POST['host'];
-$uid = $_POST['uid'];
-$pwd = $_POST['pwd'];
-
+$method = strip_tags($_POST['method']);
+$host = strip_tags($_POST['host']);
+$uid = strip_tags($_POST['uid']);
+$pwd = strip_tags($_POST['pwd']);
 
 try {
-    $dbh = new PDO($_POST['method'] . ':host=' . $_POST['host'] , $_POST['uid'], $_POST['pwd']);
+    $dbh = new PDO($method . ':host=' . $host, $uid, $pwd);
     $output = '<select id="database_collation" name="database_collation">';
 
-    switch ($_POST['method']) {
+    switch ($method) {
         case 'pgsql':
             $output = '<select id="database_collation" name="database_collation">';
             $output .= '<option value="utf8mb4_general_ci" selected>utf8mb4_general_ci</option>';
             $output .= '</optgroup></select>';
-
             break;
         case 'mysql':
             $output = '<select id="database_collation" name="database_collation">';
-
             $sql = 'SHOW COLLATION';
-
             $_ = array();
             foreach ($dbh->query($sql) as $row) {
                 $_[$row[0]] = '';
@@ -42,7 +38,6 @@
 
             foreach ($_ as $collation => $selected) {
                 $collation = htmlentities($collation);
-                // if(substr($collation,0,4)!=='utf8') continue;
                 if (strpos($collation, 'sjis') === 0) {
                     continue;
                 }
diff --git a/install/src/controllers/connection/databasetest.php b/install/src/controllers/connection/databasetest.php
index 6f7d2b1044..ba957c8ddb 100644
--- a/install/src/controllers/connection/databasetest.php
+++ b/install/src/controllers/connection/databasetest.php
@@ -1,8 +1,10 @@
 <?php
-
-$host = $_POST['host'];
-$uid = $_POST['uid'];
-$pwd = $_POST['pwd'];
+$method = strip_tags($_POST['method']);
+$host = strip_tags($_POST['host']);
+$uid = strip_tags($_POST['uid']);
+$pwd = strip_tags($_POST['pwd']);
+$tableprefix = strip_tags($_POST['tableprefix']);
+$database_name = strip_tags($_POST['database_name']);
 $installMode = $_POST['installMode'];
 
 $output = $_lang['status_checking_database'];
@@ -10,16 +12,15 @@
 $database_collation = $_POST['database_collation'];
 $database_connection_method = $_POST['database_connection_method'];
 $database_charset = substr($database_collation, 0, strpos($database_collation, '_'));
-$tableprefix = $_POST['tableprefix'];
-if ($_POST['method'] == 'pgsql') {
+
+if ($method == 'pgsql') {
     if ($database_charset == 'utf8mb4') $database_charset = 'utf8';
     $database_charset = mb_strtoupper($database_charset);
 }
 try {
-    $dbh = new PDO($_POST['method'] . ':host=' . $_POST['host'] . ';dbname=' . $_POST['database_name'], $_POST['uid'], $_POST['pwd']);
-    switch ($_POST['method']) {
+    $dbh = new PDO($method . ':host=' . $host . ';dbname=' . $database_name, $uid, $pwd);
+    switch ($method) {
         case 'pgsql':
-
             $result = $dbh->query("SELECT * FROM pg_settings WHERE name='client_encoding'");
             if ($result->errorCode() == 0) {
                 $data = $result->fetch();
@@ -42,9 +43,7 @@
             $result = $dbh->query("show variables like 'collation_database'");
             if ($result->errorCode() == 0) {
                 $data = $result->fetch();
-
                 if ($data['Value'] != $database_collation) {
-
                     echo $output . '<span id="database_fail" style="color:#FF0000;">' . sprintf($_lang['status_failed_database_collation_does_not_match'], $data['1']) . '</span>';
                     exit();
                 }
@@ -57,10 +56,10 @@
                 }
                 $result = $dbh->query("SELECT SCHEMA_NAME
                       FROM INFORMATION_SCHEMA.SCHEMATA
-                     WHERE SCHEMA_NAME = '" . $_POST['database_name'] . "'");
+                     WHERE SCHEMA_NAME = '" . $pwd . "'");
                 if ($dbh->errorCode() == 0) {
                     $data = $result->fetch();
-                    if (isset($data['SCHEMA_NAME']) && $data['SCHEMA_NAME'] == $_POST['database_name']) {
+                    if (isset($data['SCHEMA_NAME']) && $data['SCHEMA_NAME'] == $pwd) {
                         echo $output . '<span id="database_pass" style="color:#80c000;"> ' . $_lang['status_passed'] . '</span>';
                         exit();
                     }
@@ -73,34 +72,30 @@
     }
 
 } catch (PDOException $e) {
-    if (!stristr($e->getMessage(), 'database "' . $_POST['database_name'] . '" does not exist') && !stristr($e->getMessage(), 'Unknown database \'' . $_POST['database_name'] . '\'') && !stristr($e->getMessage(), 'Base table or view not found')) {
+    if (!stristr($e->getMessage(), 'database "' . $pwd . '" does not exist') && !stristr($e->getMessage(), 'Unknown database \'' . $database_name . '\'') && !stristr($e->getMessage(), 'Base table or view not found')) {
         echo $output . '<span id="database_fail" style="color:#FF0000;">' . $_lang['status_failed'] . ' ' . $e->getMessage() . '</span>';
         exit();
     }
 }
 
 try {
-    $dbh = new PDO($_POST['method'] . ':host=' . $_POST['host'] . ';', $_POST['uid'], $_POST['pwd']);
-
-
-    switch ($_POST['method']) {
+    $dbh = new PDO($method . ':host=' . $host . ';', $uid, $pwd);
+    switch ($method) {
         case 'pgsql':
-
             try {
-                $dbh->query('CREATE DATABASE "' . $_POST['database_name'] . '" ENCODING \'' . $database_charset . '\';');
+                $dbh->query('CREATE DATABASE "' . $database_name . '" ENCODING \'' . $database_charset . '\';');
                 if ($dbh->errorCode() > 0) {
                     if (stristr($dbh->errorInfo()[2], 'already exists') === false) {
                         $output .= '<span id="database_fail" style="color:#FF0000;">' . $_lang['status_failed_could_not_create_database'] . ' ' . print_r($dbh->errorInfo(), true) . '</span>';
                     }
                 }
-
             } catch (Exception $exception) {
                 echo $exception->getMessage();
             }
 
             break;
         case 'mysql':
-            $query = 'CREATE DATABASE IF NOT EXISTS `' . $_POST['database_name'] . '` CHARACTER SET ' . $database_charset . ' COLLATE ' . $database_collation . ";";
+            $query = 'CREATE DATABASE IF NOT EXISTS `' . $database_name . '` CHARACTER SET ' . $database_charset . ' COLLATE ' . $database_collation . ";";
             if (!$dbh->query($query)) {
                 $output .= '<span id="database_fail" style="color:#FF0000;">' . $_lang['status_failed_could_not_create_database'] . '</span>';
                 echo $output;
@@ -116,9 +111,7 @@
     echo $output . '<span id="database_pass" style="color:#80c000;"> ' . $_lang['status_passed'] . '</span>';
     exit();
 } catch (PDOException $e) {
-
     echo $output . '<span id="database_fail" style="color:#FF0000;">' . $_lang['status_failed'] . ' ' . $e->getMessage() . '</span>';
-
 }
 
 echo $output;
diff --git a/install/src/controllers/connection/servertest.php b/install/src/controllers/connection/servertest.php
index 31a78b54d0..0be44e295f 100644
--- a/install/src/controllers/connection/servertest.php
+++ b/install/src/controllers/connection/servertest.php
@@ -1,12 +1,14 @@
 <?php
-
+$method = strip_tags($_POST['method']);
+$host = strip_tags($_POST['host']);
+$uid = strip_tags($_POST['uid']);
+$pwd = strip_tags($_POST['pwd']);
 
 $output = $_lang['status_connecting'];
 try {
-    $dbh = new PDO($_POST['method'] . ':host=' . $_POST['host'] . ';', $_POST['uid'], $_POST['pwd']);
+    $dbh = new PDO($method . ':host=' . $host . ';', $uid, $pwd);
     $output .= '<span id="server_pass" style="color:#80c000;"> ' . $_lang['status_passed_server'] . '</span>';
 } catch (PDOException $e) {
     $output .= '<span id="server_fail" style="color:#FF0000;"> ' . $_lang['status_failed'] . ' ' . $e->getMessage() . '</span>';
-
 }
 echo $output;