Fix for ticket #2828, part II: apostrophe in site name set in installer created a broken config.php.

The previous commit fixed the base installer to properly quote its strings when creating config.php... but you'd actually end up with double-escaping if you had magic_quotes_gpc on. Magic quotes are evil and lame, but we gotta deal with em. :P Updated the web installer code to check for magic quotes, and to grab its variables consistently through the same interface.
Brion Vibber 2010-10-14 16:47:56 -07:00
parent 3f74f44603
commit 56403c4beb


@ -45,13 +45,61 @@ require INSTALLDIR . '/lib/installer.php';
* Helper class for building form * Helper class for building form
*/ */
class Posted { class Posted {
/**
* HTML-friendly escaped string for the POST param of given name, or empty.
* @param string $name
* @return string
*/
function value($name) function value($name)
{ {
if (isset($_POST[$name])) { return htmlspecialchars($this->string($name));
return htmlspecialchars(strval($_POST[$name]));
} else {
return '';
} }
/**
* The given POST parameter value, forced to a string.
* Missing value will give ''.
*
* @param string $name
* @return string
*/
function string($name)
{
return strval($this->raw($name));
}
/**
* The given POST parameter value, in its original form.
* Magic quotes are stripped, if provided.
* Missing value will give null.
*
* @param string $name
* @return mixed
*/
function raw($name)
{
if (isset($_POST[$name])) {
return $this->dequote($_POST[$name]);
} else {
return null;
}
}
/**
* If necessary, strip magic quotes from the given value.
*
* @param mixed $val
* @return mixed
*/
function dequote($val)
{
if (get_magic_quotes_gpc()) {
if (is_string($val)) {
return stripslashes($val);
} else if (is_array($val)) {
return array_map(array($this, 'dequote'), $val);
}
}
return $val;
} }
} }
@ -107,11 +155,7 @@ class WebInstaller extends Installer
global $dbModules; global $dbModules;
$post = new Posted(); $post = new Posted();
$dbRadios = ''; $dbRadios = '';
if (isset($_POST['dbtype'])) { $dbtype = $post->raw('dbtype');
$dbtype = $_POST['dbtype'];
} else {
$dbtype = null;
}
foreach (self::$dbModules as $type => $info) { foreach (self::$dbModules as $type => $info) {
if ($this->checkExtension($info['check_module'])) { if ($this->checkExtension($info['check_module'])) {
if ($dbtype == null || $dbtype == $type) { if ($dbtype == null || $dbtype == $type) {
@ -245,19 +289,20 @@ STR;
*/ */
function prepare() function prepare()
{ {
$this->host = $_POST['host']; $post = new Posted();
$this->dbtype = $_POST['dbtype']; $this->host = $post->string('host');
$this->database = $_POST['database']; $this->dbtype = $post->string('dbtype');
$this->username = $_POST['dbusername']; $this->database = $post->string('database');
$this->password = $_POST['dbpassword']; $this->username = $post->string('dbusername');
$this->sitename = $_POST['sitename']; $this->password = $post->string('dbpassword');
$this->fancy = !empty($_POST['fancy']); $this->sitename = $post->string('sitename');
$this->fancy = (bool)$post->string('fancy');
$this->adminNick = strtolower($_POST['admin_nickname']); $this->adminNick = strtolower($post->string('admin_nickname'));
$this->adminPass = $_POST['admin_password']; $this->adminPass = $post->string('admin_password');
$adminPass2 = $_POST['admin_password2']; $adminPass2 = $post->string('admin_password2');
$this->adminEmail = $_POST['admin_email']; $this->adminEmail = $post->string('admin_email');
$this->adminUpdates = $_POST['admin_updates']; $this->adminUpdates = $post->string('admin_updates');
$this->server = $_SERVER['HTTP_HOST']; $this->server = $_SERVER['HTTP_HOST'];
$this->path = substr(dirname($_SERVER['PHP_SELF']), 1); $this->path = substr(dirname($_SERVER['PHP_SELF']), 1);
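Review bot: `Posted::string()` in the first hunk hands whatever `raw()` returns to `strval()`, and `raw()`/`dequote()` explicitly pass arrays through, so a field posted as an array (for example `host[]=x`) reaches `prepare()` as the literal string `Array` plus a notice instead of being emptied or rejected. Going by the commit message these values are written into the generated config.php, so I would make the coercion explicit: `$val = $this->raw($name);` followed by `return is_scalar($val) ? strval($val) : '';`. Separately, `dequote()` calls `get_magic_quotes_gpc()` unconditionally; that function was deprecated in PHP 7.4 and removed in 8.0, so prefixing the condition with `function_exists('get_magic_quotes_gpc') &&` keeps the installer working on current PHP. `prepare()` continues past the end of the last hunk, so further validation of these fields may exist below what is visible here.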