Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Browse files

SECURITY Fixed remote code execution vuln in install.php due to inser…

…ting unescaped user data into mysite/_config.php. Not critical because install.php is required to be removed on a SilverStripe installation anyway (fixes #7205)
  • Loading branch information...
commit eeef41e91fae6ab8421039e229602ba9723718e2 1 parent 8f2ede8
Ingo Schommer chillu authored
Showing with 6 additions and 3 deletions.
  1. +6 −3 dev/install/install.php5
9 dev/install/install.php5
View
@@ -1046,10 +1046,13 @@ class Installer extends InstallRequirements {
$fh = fopen('mysite/_config.php', 'wb');
fclose($fh);
}
- $theme = isset($_POST['template']) ? $_POST['template'] : 'simple';
- $locale = isset($_POST['locale']) ? $_POST['locale'] : 'en_US';
- $type = $config['db']['type'];
+
+ // Escape user input for safe insertion into PHP file
+ $theme = isset($_POST['template']) ? addcslashes($_POST['template'], "\'") : 'simple';
+ $locale = isset($_POST['locale']) ? addcslashes($_POST['locale'], "\'") : 'en_US';
+ $type = addcslashes($config['db']['type'], "\'");
$dbConfig = $config['db'][$type];
+ $dbConfig = array_map(create_function('$v', 'return addcslashes($v, "\\\'");'), $dbConfig);
if(!isset($dbConfig['path'])) $dbConfig['path'] = '';
if(!$dbConfig) {
echo "<p style=\"color: red\">Bad config submitted</p><pre>";
Please sign in to comment.
Something went wrong with that request. Please try again.