maketank/Froxlor
2
0
Fork 0
Code Pull Requests Releases Activity

forgot one escapeshellarg() and enhanced security on userdata.inc.php creation when installing

Browse Source 
Signed-off-by: Michael Kaufmann <d00p@froxlor.org>
This commit is contained in:
Michael Kaufmann
2020-03-06 20:44:17 +01:00
parent 62ce21c9ec
commit 7e361274c5
1 changed files with 8 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
install/lib/class.FroxlorInstall.php
View File

@@ -333,18 +333,18 @@ class FroxlorInstall
// test if we can store the userdata.inc.php in ../lib // test if we can store the userdata.inc.php in ../lib
$userdata_file = dirname(dirname(dirname(__FILE__))) . '/lib/userdata.inc.php'; $userdata_file = dirname(dirname(dirname(__FILE__))) . '/lib/userdata.inc.php';
if ($fp = @fopen($userdata_file, 'w')) { if (@touch($userdata_file) && @chmod($userdata_file, 0400) && @is_writable($userdata_file)) {
$result = @fputs($fp, $userdata, strlen($userdata)); $fp = @fopen($userdata_file, 'w');
@fputs($fp, $userdata, strlen($userdata));
@fclose($fp); @fclose($fp);
$content .= $this->_status_message('green', 'OK'); $content .= $this->_status_message('green', 'OK');
chmod($userdata_file, 0440);
} else { } else {
// try creating it in a temporary file // try creating it in a temporary file
$temp_file = tempnam(sys_get_temp_dir(), 'fx'); $temp_file = @tempnam(sys_get_temp_dir(), 'fx');
if (touch($temp_file)) { if ($temp_file) {
chmod($temp_file, 0400); chmod($temp_file, 0400);
$fp = @fopen($temp_file, 'w'); $fp = @fopen($temp_file, 'w');
$result = @fputs($fp, $userdata, strlen($userdata)); @fputs($fp, $userdata, strlen($userdata));
@fclose($fp); @fclose($fp);
$content .= $this->_status_message('orange', sprintf($this->_lng['install']['creating_configfile_temp'], $temp_file)); $content .= $this->_status_message('orange', sprintf($this->_lng['install']['creating_configfile_temp'], $temp_file));
} else { } else {
@@ -568,7 +568,7 @@ class FroxlorInstall
for ($i = 0; $i < sizeof($sql_query); $i ++) { for ($i = 0; $i < sizeof($sql_query); $i ++) {
if (trim($sql_query[$i]) != '') { if (trim($sql_query[$i]) != '') {
try { try {
$result = $db->query($sql_query[$i]); $db->query($sql_query[$i]);
} catch (\PDOException $e) { } catch (\PDOException $e) {
$content .= $this->_status_message('red', $e->getMessage()); $content .= $this->_status_message('red', $e->getMessage());
$fatal_fail = true; $fatal_fail = true;
@@ -735,7 +735,7 @@ class FroxlorInstall
} }
if ($do_backup) { if ($do_backup) {
$command = $mysql_dump . " " . escapeshellarg($this->_data['mysql_database']) . " -u " . escapeshellarg($this->_data['mysql_root_user']) . " --password='" . $this->_data['mysql_root_pass'] . "' --result-file=" . $filename; $command = $mysql_dump . " " . escapeshellarg($this->_data['mysql_database']) . " -u " . escapeshellarg($this->_data['mysql_root_user']) . " --password='" . escapeshellarg($this->_data['mysql_root_pass']) . "' --result-file=" . $filename;
$output = exec($command); $output = exec($command);
if (stristr($output, "error")) { if (stristr($output, "error")) {
$content .= $this->_status_message('red', $this->_lng['install']['backup_failed']); $content .= $this->_status_message('red', $this->_lng['install']['backup_failed']);