SECURITY Fixed remote code execution vuln in install.php due to inserting unescaped user data into mysite/_config.php. Not critical because install.php is required to be removed on a SilverStripe installation anyway (fixes #7205)
1 parent 8f2ede8 commit eeef41e91fae6ab8421039e229602ba9723718e2 @chillu chillu committed May 16, 2012
Showing with 6 additions and 3 deletions.
  1. +6 −3 dev/install/install.php5
9 dev/install/install.php5
@@ -1046,10 +1046,13 @@ class Installer extends InstallRequirements {
$fh = fopen('mysite/_config.php', 'wb');
fclose($fh);
}
- $theme = isset($_POST['template']) ? $_POST['template'] : 'simple';
- $locale = isset($_POST['locale']) ? $_POST['locale'] : 'en_US';
- $type = $config['db']['type'];
+
+ // Escape user input for safe insertion into PHP file
+ $theme = isset($_POST['template']) ? addcslashes($_POST['template'], "\'") : 'simple';
+ $locale = isset($_POST['locale']) ? addcslashes($_POST['locale'], "\'") : 'en_US';
+ $type = addcslashes($config['db']['type'], "\'");
$dbConfig = $config['db'][$type];
+ $dbConfig = array_map(create_function('$v', 'return addcslashes($v, "\\\'");'), $dbConfig);
if(!isset($dbConfig['path'])) $dbConfig['path'] = '';
if(!$dbConfig) {
echo "<p style=\"color: red\">Bad config submitted</p><pre>";
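Review bot: $type is passed through addcslashes() before it is used as the array key in `$dbConfig = $config['db'][$type];`, so a type value containing a single quote or backslash no longer matches its own entry in $config['db'] and the lookup result handed to array_map() is not an array. Do the lookup with the raw value, escape a separate copy for writing to the file, and guard the array_map() call with an is_array() check. The unchanged `if(!$dbConfig)` test runs after `$dbConfig['path'] = ''` has been assigned, so $dbConfig is never empty at that point and the "Bad config submitted" branch does not catch a failed lookup; moving the test directly after the lookup would make it effective. The charlist "\'" covers only backslash and single quote, so the new comment should say that these values must be written inside single-quoted PHP string literals, and for $theme and $locale a strict allowlist pattern check would be sturdier than escaping alone.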
