

merge r20706 from branch 2.4 to trunk
bug 2843: filter $_GET['dl'], it must be a md5sum-like string and nothing else


git-svn-id: http://piwigo.org/svn/trunk@20707 68402e56-0260-453c-a942-63ccdbb3a9ee
plegall committed Feb 11, 2013
1 parent 853dea3 commit ed1b88c
Showing 1 changed file with 7 additions and 1 deletion.
8 changes: 7 additions & 1 deletion install.php
Expand Up @@ -109,7 +109,11 @@
@include(PHPWG_ROOT_PATH. 'local/config/config.inc.php');
defined('PWG_LOCAL_DIR') or define('PWG_LOCAL_DIR', 'local/');

include(PHPWG_ROOT_PATH . 'include/functions.inc.php');

// download database config file if exists
check_input_parameter('dl', $_GET, false, '/^[a-f0-9]{32}$/');

if (!empty($_GET['dl']) && file_exists(PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl']))
{
$filename = PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl'];
Expand Down Expand Up @@ -156,7 +160,6 @@
}

include(PHPWG_ROOT_PATH . 'include/constants.php');
include(PHPWG_ROOT_PATH . 'include/functions.inc.php');
include(PHPWG_ROOT_PATH . 'admin/include/functions.php');

include(PHPWG_ROOT_PATH . 'admin/include/languages.class.php');
Expand Down Expand Up @@ -284,6 +287,9 @@
// writing the configuration file
if ( !($fp = @fopen( $config_file, 'w' )))
{
// make sure nobody can list files of _data directory
secure_directory(PHPWG_ROOT_PATH.$conf['data_location']);

$tmp_filename = md5(uniqid(time()));
$fh = @fopen( PHPWG_ROOT_PATH.$conf['data_location'] . 'pwg_' . $tmp_filename, 'w' );
@fputs($fh, $file_content, strlen($file_content));
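Review bot: The whitelist added at line 24 of the first hunk uses `$` as its end anchor, and in PCRE `$` without the `D` modifier also matches just before a trailing newline, so a 32-hex value followed by `%0a` still passes the check; anchor with `'/^[a-f0-9]{32}$/D'` or `'/^[a-f0-9]{32}\z/'` so the value is exactly 32 hex characters and nothing else, which is what the commit message states. The practical impact here is probably small, since the value is only appended to a `pwg_` filename and passed to `file_exists`, but the stricter anchor costs nothing and matches the stated intent. Relatedly, the token that this filter protects is produced in the third hunk by `md5(uniqid(time()))`, which is time-derived rather than random; if the download link is meant to be unguessable by anyone who did not run the installer, a CSPRNG-backed source such as `bin2hex(random_bytes(16))` (PHP 7+) would be a stronger choice while keeping the same 32-hex shape the filter expects.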

