From fbfb5d2f027747a040515c790d65d2b973f670f4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C4=8Ciha=C5=99?=
Date: Fri, 28 Jul 2006 14:49:47 +0000
Subject: [PATCH] Protect against php code input from user (bug #1530370).
---
 ChangeLog | 4 ++++
 scripts/setup.php | 14 +++++++++-----
 2 files changed, 13 insertions(+), 5 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index f2fd42d5a..8a2ce76e2 100755
--- a/ChangeLog
+++ b/ChangeLog
@@ -6,6 +6,10 @@ $Id$
 $Source$
+2006-07-28 Michal Čihař
+ * scripts/setup.php: Protect against php code input from user (bug
+ #1530370).
+
 2006-07-27 Marc Delisle
 * pdf_pages.php: automatic layout for InnoDB tables
 * tbl_properties_operations.php: problem switching from InnoDB to MyISAM
diff --git a/scripts/setup.php b/scripts/setup.php
index 594bfa8b7..0d9e38523 100644
--- a/scripts/setup.php
+++ b/scripts/setup.php
@@ -395,17 +395,21 @@ function get_server_auth($val) {
 *
 * @return string fancy server name
 */
-function get_server_name($val, $id = FALSE) {
+function get_server_name($val, $id = FALSE, $escape = true) {
 if (!empty($val['verbose'])) {
- $ret = htmlspecialchars($val['verbose']);
+ $ret = $val['verbose'];
 } else {
- $ret = htmlspecialchars($val['host']);
+ $ret = $val['host'];
 }
 $ret .= ' (' . get_server_auth($val) . ')';
 if ($id !== FALSE) {
 $ret .= ' [' . ($id + 1) . ']' ;
 }
- return $ret;
+ if ($escape) {
+ return htmlspecialchars($ret);
+ } else {
+ return $ret;
+ }
 }
@@ -502,7 +506,7 @@ function get_cfg_string($cfg) {
 if (count($c['Servers']) > 0) {
 $ret .= "/* Servers configuration */\n\$i = 0;\n";
 foreach ($c['Servers'] as $cnt => $srv) {
- $ret .= "\n/* Server " . get_server_name($srv, $cnt) . " */\n\$i++;\n";
+ $ret .= "\n/* Server " . strtr(get_server_name($srv, $cnt, false), '*', '-') . " */\n\$i++;\n";
 foreach ($srv as $key => $val) {
 $ret .= get_cfg_val("\$cfg['Servers'][\$i]['$key']", $val);
 }
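Review bot: The new `$escape` parameter on `get_server_name` is not documented — the docblock's `@return string fancy server name` line is inside the hunk but no `@param` line was added, and since the unescaped form now returns raw user-controlled `verbose`/`host` text, a caller passing `false` needs to know it takes over escaping for its own output context. I'd add `@param boolean $escape whether to run the result through htmlspecialchars(); pass false only when the caller escapes for its own context (the value is raw user input)` above the `@return` line. The docblock header and the `@param` lines for `$val` and `$id` start above the hunk. Two small style points: the new default is written `true` next to the existing `FALSE` on the same signature line, and the added four-line branch could be `return $escape ? htmlspecialchars($ret) : $ret;`.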
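Review bot: The `strtr(..., '*', '-')` on the added line does stop `*/` from closing the `/* Server … */` comment, but two lines below it `$key` is still interpolated raw into the generated source in `"\$cfg['Servers'][\$i]['$key']"`, so a key containing `'` or `]` would break out of the array index the same way `*/` broke out of the comment — if the keys of `$srv` can come from the user's form input, which this hunk alone does not show, that is the same class of code injection the commit is fixing. I'd whitelist the key before emitting it, e.g. `if (!preg_match('/^[A-Za-z0-9_]+$/', $key)) { continue; }` as the first line of the inner loop, and confirm that `get_cfg_val()` (not shown) quotes `$val` rather than interpolating it. Stripping only `*` is sufficient for the comment itself because `?>` is not recognised inside a `/* */` block comment, so a one-line comment such as `// '*' is the only character that can terminate the block comment; never emit '*/' from user data` on the added line would save the next reader repeating that analysis. `get_cfg_string` begins and ends outside the hunk.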