security fix to prevent possible hacking by moving security checks earlier in the install code
dleffler committed Sep 22, 2016
1 parent 3f06b07 commit 4ae457f
Showing 1 changed file with 26 additions and 25 deletions.
51 changes: 26 additions & 25 deletions install/index.php
Expand Up @@ -29,7 +29,6 @@

ob_start();


// Jumpstart to Initialize the installer language before it's set to default
if (isset($_REQUEST['lang'])) {
$_REQUEST['sc']['LANGUAGE'] = trim($_REQUEST['lang'], "'");
Expand All @@ -43,6 +42,27 @@
include_once('../exponent.php');
expString::sanitize($_REQUEST);

// Make sure our 'page' is set correctly and prevent running under most circumstances
if (file_exists("../framework/conf/config.php") && !isset($_REQUEST['page'])) {
$_REQUEST['page'] = 'upgrade-1';
}
if (!file_exists("../framework/conf/config.php") && !isset($_REQUEST['page'])) {
$_REQUEST['page'] = 'welcome';
}
$page = $_REQUEST['page'];

// Superadmin must be logged in to do an upgrade
if (strpos($page, 'upgrade-') !== false && empty($user->isSuperAdmin())) {
header('Location: ../index.php');
exit();
}

// Only run installation if not already installed
if (strpos($page, 'upgrade-') === false && !file_exists(BASE . 'install/not_configured')) {
header('Location: ../index.php');
exit();
}

// Switch to a saved profile as requested
if (isset($_REQUEST['profile'])) {
expSettings::activateProfile($_REQUEST['profile']);
Expand All @@ -57,13 +77,11 @@
if (file_exists("../framework/conf/config.php")) {
// Update the config
foreach ($_REQUEST['sc'] as $key => $value) {
// $value = expString::sanitize($value);
expSettings::change($key, $value);
}
} else {
// Initialize /framework/conf/config
$values = array(
// 'c' => expString::sanitize($_REQUEST['sc']),
'c' => $_REQUEST['sc'],
'opts' => array(),
'configname' => 'Default',
Expand All @@ -75,6 +93,10 @@

// Install a sample database as requested
if (isset($_REQUEST['install_sample'])) {
if (!empty($_REQUEST['install_sample']) && (strpos($_REQUEST['install_sample'], '..') !== false || strpos($_REQUEST['install_sample'], '/') !== false)) {
header('Location: ../index.php');
exit(); // attempt to hack the site
}
$eql = BASE . "themes/" . DISPLAY_THEME_REAL . "/" . $_REQUEST['install_sample'] . ".eql";
if (!file_exists($eql)) {
$eql = BASE . "install/samples/" . $_REQUEST['install_sample'] . ".eql";
Expand Down Expand Up @@ -104,27 +126,6 @@
}
}

// Make sure our 'page' is set correctly
if (file_exists("../framework/conf/config.php") && !isset($_REQUEST['page'])) {
$_REQUEST['page'] = 'upgrade-1';
}
if (!file_exists("../framework/conf/config.php") && !isset($_REQUEST['page'])) {
$_REQUEST['page'] = 'welcome';
}
$page = $_REQUEST['page'];

// Superadmin must be logged in to do an upgrade
if (strpos($page, 'upgrade-') !== false && empty($user->is_admin)) {
header('Location: ../index.php');
exit();
}

// Only run installation if not already installed
if (strpos($page, 'upgrade-') === false && !file_exists(BASE . 'install/not_configured')) {
header('Location: ../index.php');
exit();
}

switch ($page) {
case 'upgrade-1':
$masthead = gt("Upgrade");
Expand Down Expand Up @@ -271,4 +272,4 @@ function pop(page) {
</html>
<?php
ob_end_flush();
?>
?>
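Review bot: The install_sample guard added in the sample-database hunk is a denylist that rejects only `..` and `/`, so a backslash (a directory separator on Windows) or any other unexpected character still flows into the `BASE . "themes/" . DISPLAY_THEME_REAL . "/" . $_REQUEST['install_sample'] . ".eql"` path built a few lines later; an allowlist is easier to reason about, e.g. `if (!empty($_REQUEST['install_sample']) && !preg_match('/^[A-Za-z0-9_-]+$/', $_REQUEST['install_sample'])) {` with the same redirect-and-exit branch underneath. Separately, `empty($user->isSuperAdmin())` in the relocated superadmin check only parses on PHP 5.5 or later, because earlier releases accept nothing but a variable inside `empty()`; if the project still supports older PHP the condition should read `!$user->isSuperAdmin()`, which is equivalent here. Whether `$user` is always an object for an anonymous visitor at this point (it is set up in `../exponent.php`, outside this diff) is not visible here and worth confirming, since a non-object would turn the check into a fatal error rather than a redirect.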
