From 9c3cf60592d99494903184c268581dd18cf5b353 Mon Sep 17 00:00:00 2001
From: JustAMacUser <myself-cmsmxc3e@zaikos.com>
Date: Tue, 21 Apr 2020 21:10:32 -0400
Subject: More fixes when installer generates config file.

* Use single quotes in config.php when when defining database values so PHP doesn't interpret `$` as a variable (mostly for the password constant).
* Use `addcslashes` instead of `addslashes` and only escape backslash and single quotes.
* Do not convert DB_PORT to integer if leaving it blank (the default).
---
 install/index.php | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)
 mode change 100755 => 100644 install/index.php

(limited to 'install/index.php')

diff --git a/install/index.php b/install/index.php
old mode 100755
new mode 100644
index b7aedf29d..543a4a3f2
--- a/install/index.php
+++ b/install/index.php
@@ -153,14 +153,16 @@
 
 		$rv = file_get_contents("../config.php-dist");
 
+		$escape_chars = "\\'";
+
 		$settings = [
 			"%DB_TYPE" => $DB_TYPE == 'pgsql' ? 'pgsql' : 'mysql',
-			"%DB_HOST" => addslashes($DB_HOST),
-			"%DB_USER" => addslashes($DB_USER),
-			"%DB_NAME" => addslashes($DB_NAME),
-			"%DB_PASS" => addslashes($DB_PASS),
-			"%DB_PORT" => intval($DB_PORT),
-			"%SELF_URL_PATH" => addslashes($SELF_URL_PATH)
+			"%DB_HOST" => addcslashes($DB_HOST, $escape_chars),
+			"%DB_USER" => addcslashes($DB_USER, $escape_chars),
+			"%DB_NAME" => addcslashes($DB_NAME, $escape_chars),
+			"%DB_PASS" => addcslashes($DB_PASS, $escape_chars),
+			"%DB_PORT" => $DB_PORT ? intval($DB_PORT) : '',
+			"%SELF_URL_PATH" => addcslashes($SELF_URL_PATH, $escape_chars)
 		];
 
 		$rv = str_replace(array_keys($settings), array_values($settings), $rv);
-- 
cgit v1.2.3