diff options
| author | Andrew Dolgov <[email protected]> | 2020-04-23 15:56:48 +0300 |
|---|---|---|
| committer | Andrew Dolgov <[email protected]> | 2020-04-23 15:56:48 +0300 |
| commit | 84bea5086c58e8516b88fe258a9146afc573265e (patch) | |
| tree | 54371782dda7b6b6bf332dd9c66fcb8c54a8c374 | |
| parent | 01248f09bc5aaac87ab4fbe6608ecbd687f886db (diff) | |
| parent | daaba66f85c101b6b9ed41a3bfa4af7bf3e674bc (diff) | |
Merge branch 'master' of git.tt-rss.org:fox/tt-rss
| -rw-r--r--[-rwxr-xr-x] | config.php-dist | 0 | ||||
| -rw-r--r--[-rwxr-xr-x] | install/index.php | 74 |
2 files changed, 38 insertions, 36 deletions
diff --git a/config.php-dist b/config.php-dist index 824c378a7..824c378a7 100755..100644 --- a/config.php-dist +++ b/config.php-dist diff --git a/install/index.php b/install/index.php index b7aedf29d..15fe1aa5a 100755..100644 --- a/install/index.php +++ b/install/index.php @@ -153,14 +153,16 @@ $rv = file_get_contents("../config.php-dist"); + $escape_chars = "\\'"; + $settings = [ "%DB_TYPE" => $DB_TYPE == 'pgsql' ? 'pgsql' : 'mysql', - "%DB_HOST" => addslashes($DB_HOST), - "%DB_USER" => addslashes($DB_USER), - "%DB_NAME" => addslashes($DB_NAME), - "%DB_PASS" => addslashes($DB_PASS), - "%DB_PORT" => intval($DB_PORT), - "%SELF_URL_PATH" => addslashes($SELF_URL_PATH) + "%DB_HOST" => addcslashes($DB_HOST, $escape_chars), + "%DB_USER" => addcslashes($DB_USER, $escape_chars), + "%DB_NAME" => addcslashes($DB_NAME, $escape_chars), + "%DB_PASS" => addcslashes($DB_PASS, $escape_chars), + "%DB_PORT" => $DB_PORT ? intval($DB_PORT) : '', + "%SELF_URL_PATH" => addcslashes($SELF_URL_PATH, $escape_chars) ]; $rv = str_replace(array_keys($settings), array_values($settings), $rv); @@ -234,28 +236,28 @@ <fieldset> <label>Username:</label> - <input dojoType="dijit.form.TextBox" required name="DB_USER" size="20" value="<?php echo $DB_USER ?>"/> + <input dojoType="dijit.form.TextBox" required name="DB_USER" size="20" value="<?php echo htmlspecialchars($DB_USER) ?>"/> </fieldset> <fieldset> <label>Password:</label> - <input dojoType="dijit.form.TextBox" name="DB_PASS" size="20" type="password" value="<?php echo $DB_PASS ?>"/> + <input dojoType="dijit.form.TextBox" name="DB_PASS" size="20" type="password" value="<?php echo htmlspecialchars($DB_PASS) ?>"/> </fieldset> <fieldset> <label>Database name:</label> - <input dojoType="dijit.form.TextBox" required name="DB_NAME" size="20" value="<?php echo $DB_NAME ?>"/> + <input dojoType="dijit.form.TextBox" required name="DB_NAME" size="20" value="<?php echo htmlspecialchars($DB_NAME) ?>"/> </fieldset> <fieldset> <label>Host name:</label> - <input dojoType="dijit.form.TextBox" name="DB_HOST" size="20" value="<?php echo $DB_HOST ?>"/> + <input dojoType="dijit.form.TextBox" name="DB_HOST" size="20" value="<?php echo htmlspecialchars($DB_HOST) ?>"/> <span class="hint">If needed</span> </fieldset> <fieldset> <label>Port:</label> - <input dojoType="dijit.form.TextBox" name="DB_PORT" type="number" size="20" value="<?php echo $DB_PORT ?>"/> + <input dojoType="dijit.form.TextBox" name="DB_PORT" type="number" size="20" value="<?php echo htmlspecialchars($DB_PORT) ?>"/> <span class="hint">Usually 3306 for MySQL or 5432 for PostgreSQL</span> </fieldset> @@ -265,7 +267,7 @@ <fieldset> <label>Tiny Tiny RSS URL:</label> - <input dojoType="dijit.form.TextBox" type="url" name="SELF_URL_PATH" placeholder="<?php echo $SELF_URL_PATH; ?>" value="<?php echo $SELF_URL_PATH ?>"/> + <input dojoType="dijit.form.TextBox" type="url" name="SELF_URL_PATH" placeholder="<?php echo htmlspecialchars($SELF_URL_PATH); ?>" value="<?php echo htmlspecialchars($SELF_URL_PATH) ?>"/> </fieldset> <p><button type="submit" dojoType="dijit.form.Button" class="alt-primary">Test configuration</button></p> @@ -336,7 +338,7 @@ $pdo = pdo_connect($DB_HOST, $DB_USER, $DB_PASS, $DB_NAME, $DB_TYPE, $DB_PORT); if (!$pdo) { - print_error("Unable to connect to database using specified parameters (driver: $DB_TYPE)."); + print_error("Unable to connect to database using specified parameters (driver: " . htmlspecialchars($DB_TYPE) . ")."); exit; } @@ -362,13 +364,13 @@ <form method="post"> <input type="hidden" name="op" value="installschema"> - <input type="hidden" name="DB_USER" value="<?php echo $DB_USER ?>"/> - <input type="hidden" name="DB_PASS" value="<?php echo $DB_PASS ?>"/> - <input type="hidden" name="DB_NAME" value="<?php echo $DB_NAME ?>"/> - <input type="hidden" name="DB_HOST" value="<?php echo $DB_HOST ?>"/> - <input type="hidden" name="DB_PORT" value="<?php echo $DB_PORT ?>"/> - <input type="hidden" name="DB_TYPE" value="<?php echo $DB_TYPE ?>"/> - <input type="hidden" name="SELF_URL_PATH" value="<?php echo $SELF_URL_PATH ?>"/> + <input type="hidden" name="DB_USER" value="<?php echo htmlspecialchars($DB_USER) ?>"/> + <input type="hidden" name="DB_PASS" value="<?php echo htmlspecialchars($DB_PASS) ?>"/> + <input type="hidden" name="DB_NAME" value="<?php echo htmlspecialchars($DB_NAME) ?>"/> + <input type="hidden" name="DB_HOST" value="<?php echo htmlspecialchars($DB_HOST) ?>"/> + <input type="hidden" name="DB_PORT" value="<?php echo htmlspecialchars($DB_PORT) ?>"/> + <input type="hidden" name="DB_TYPE" value="<?php echo htmlspecialchars($DB_TYPE) ?>"/> + <input type="hidden" name="SELF_URL_PATH" value="<?php echo htmlspecialchars($SELF_URL_PATH) ?>"/> <p> <?php if ($need_confirm) { ?> @@ -382,13 +384,13 @@ </td><td> <form method="post"> - <input type="hidden" name="DB_USER" value="<?php echo $DB_USER ?>"/> - <input type="hidden" name="DB_PASS" value="<?php echo $DB_PASS ?>"/> - <input type="hidden" name="DB_NAME" value="<?php echo $DB_NAME ?>"/> - <input type="hidden" name="DB_HOST" value="<?php echo $DB_HOST ?>"/> - <input type="hidden" name="DB_PORT" value="<?php echo $DB_PORT ?>"/> - <input type="hidden" name="DB_TYPE" value="<?php echo $DB_TYPE ?>"/> - <input type="hidden" name="SELF_URL_PATH" value="<?php echo $SELF_URL_PATH ?>"/> + <input type="hidden" name="DB_USER" value="<?php echo htmlspecialchars($DB_USER) ?>"/> + <input type="hidden" name="DB_PASS" value="<?php echo htmlspecialchars($DB_PASS) ?>"/> + <input type="hidden" name="DB_NAME" value="<?php echo htmlspecialchars($DB_NAME) ?>"/> + <input type="hidden" name="DB_HOST" value="<?php echo htmlspecialchars($DB_HOST) ?>"/> + <input type="hidden" name="DB_PORT" value="<?php echo htmlspecialchars($DB_PORT) ?>"/> + <input type="hidden" name="DB_TYPE" value="<?php echo htmlspecialchars($DB_TYPE) ?>"/> + <input type="hidden" name="SELF_URL_PATH" value="<?php echo htmlspecialchars($SELF_URL_PATH) ?>"/> <input type="hidden" name="op" value="skipschema"> @@ -440,16 +442,16 @@ <form action="" method="post"> <input type="hidden" name="op" value="saveconfig"> - <input type="hidden" name="DB_USER" value="<?php echo $DB_USER ?>"/> - <input type="hidden" name="DB_PASS" value="<?php echo $DB_PASS ?>"/> - <input type="hidden" name="DB_NAME" value="<?php echo $DB_NAME ?>"/> - <input type="hidden" name="DB_HOST" value="<?php echo $DB_HOST ?>"/> - <input type="hidden" name="DB_PORT" value="<?php echo $DB_PORT ?>"/> - <input type="hidden" name="DB_TYPE" value="<?php echo $DB_TYPE ?>"/> - <input type="hidden" name="SELF_URL_PATH" value="<?php echo $SELF_URL_PATH ?>"/> + <input type="hidden" name="DB_USER" value="<?php echo htmlspecialchars($DB_USER) ?>"/> + <input type="hidden" name="DB_PASS" value="<?php echo htmlspecialchars($DB_PASS) ?>"/> + <input type="hidden" name="DB_NAME" value="<?php echo htmlspecialchars($DB_NAME) ?>"/> + <input type="hidden" name="DB_HOST" value="<?php echo htmlspecialchars($DB_HOST) ?>"/> + <input type="hidden" name="DB_PORT" value="<?php echo htmlspecialchars($DB_PORT) ?>"/> + <input type="hidden" name="DB_TYPE" value="<?php echo htmlspecialchars($DB_TYPE) ?>"/> + <input type="hidden" name="SELF_URL_PATH" value="<?php echo htmlspecialchars($SELF_URL_PATH) ?>"/> <?php print "<textarea rows='20' style='width : 100%'>"; - echo make_config($DB_TYPE, $DB_HOST, $DB_USER, $DB_NAME, $DB_PASS, - $DB_PORT, $SELF_URL_PATH); + echo htmlspecialchars(make_config($DB_TYPE, $DB_HOST, $DB_USER, $DB_NAME, $DB_PASS, + $DB_PORT, $SELF_URL_PATH)); print "</textarea>"; ?> <hr/> |