Fixes for install page and invalid settings of cachedir

craigk5n · Sep 13, 2023 · 55b1648 · 55b1648
1 parent f947a5c
commit 55b1648
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 2 deletions.
diff --git a/includes/formvars.php b/includes/formvars.php
@@ -46,7 +46,7 @@ function preventHacking ( $name, $instr ) {
     // CSRF protection can be disabled in Admin Settings, but
     // the tokens are still added to forms.
     if (empty($CSRF_PROTECTION) || $CSRF_PROTECTION != 'N') {
-      if (empty($_REQUEST['csrf_form_key'])) {
+      if (empty($_REQUEST['csrf_form_key']) || empty($_SESSION['csrf_form_key'])) {
         die_miserable_death (translate('Fatal Error') . ': '
            . translate('Invalid form request'));
       }

diff --git a/install/index.php b/install/index.php
@@ -755,6 +755,13 @@
       echo "Bugger off.<br>";
       exit;
     }
+    foreach ($settings as $k => $v) {
+      // Don't allow someone to put start/end PHP tags in settings.php
+      if (preg_match('/<\?(php)?|(\?>)/', $v)) {
+        echo "Bugger off.<br>";
+        exit;
+      }
+    }
     $fd = @fopen($file, 'w+b', false);
 
     if (empty($fd))
@@ -775,7 +782,7 @@
         if ($v != '<br>' && $v != '')
           fwrite($fd, $k . ': ' . $v . "\r\n");
       }
-      fwrite($fd, "# end settings.php */\r\n?\>\r\n");
+      fwrite($fd, "# end settings.php */\r\n?>\r\n");
       fclose($fd);
 
       if ($post_action != $testSettingsStr && $post_action2 != $createNewStr)