From 55b1648bdf9aa67201331c0315e217b26d53b510 Mon Sep 17 00:00:00 2001
From: Craig Knudsen
Date: Wed, 13 Sep 2023 17:51:40 -0400
Subject: [PATCH] Fixes for install page and invalid settings of cachedir
---
 includes/formvars.php | 2 +-
 install/index.php | 9 ++++++++-
 2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/includes/formvars.php b/includes/formvars.php
index 120d7eafc..29df006c9 100644
--- a/includes/formvars.php
+++ b/includes/formvars.php
@@ -46,7 +46,7 @@ function preventHacking ( $name, $instr ) {
 // CSRF protection can be disabled in Admin Settings, but
 // the tokens are still added to forms.
 if (empty($CSRF_PROTECTION) || $CSRF_PROTECTION != 'N') {
- if (empty($_REQUEST['csrf_form_key'])) {
+ if (empty($_REQUEST['csrf_form_key']) || empty($_SESSION['csrf_form_key'])) {
 die_miserable_death (translate('Fatal Error') . ': ' . translate('Invalid form request'));
 }
diff --git a/install/index.php b/install/index.php
index 1422d4c0a..57f3032e7 100644
--- a/install/index.php
+++ b/install/index.php
@@ -755,6 +755,13 @@
 echo "Bugger off.
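Review bot: The new condition on the `+` line only establishes that both `$_REQUEST['csrf_form_key']` and `$_SESSION['csrf_form_key']` are non-empty; the comparison between the two is not in this hunk, so the line should say why a missing session key is now fatal instead of being skipped. Suggest a comment directly above it: `// Both the submitted key and the session key must exist; a missing session key (new or expired session) is an invalid request, not a match.` If the comparison that follows uses `==`/`!=`, `hash_equals()` would be the safer form, but I cannot see that line from here. Note also that `empty()` rejects the literal string `'0'`, which is harmless for random tokens but worth knowing if the token format ever changes. preventHacking's body continues outside the hunk.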
";
 exit;
 }
+ foreach ($settings as $k => $v) {
+ // Don't allow someone to put start/end PHP tags in settings.php
+ if (preg_match('/<\?(php)?|(\?>)/', $v)) {
+ echo "Bugger off.
";
+ exit;
+ }
+ }
 $fd = @fopen($file, 'w+b', false);
 if (empty($fd))
@@ -775,7 +782,7 @@
 if ($v != '
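Review bot: The added loop rejects PHP open/close tags in each `$v`, but the values are written inside the block comment that the next hunk closes with `# end settings.php */` (presumably opened with `<?php /*` earlier in the file), so a value containing `*/` would end that comment and let the remainder of the file be parsed as PHP without any tag at all; extend the pattern to `if (preg_match('/<\?(php)?|\?>|\*\//', $v)) {`. The keys `$k` are written to the file as well (`$k . ': ' . $v` in the next hunk) but are not checked; if they can originate from the request, run the same test on them. `preg_match()` expects a string, so a non-string `$v` (an array, say) would raise a warning and return false and the value would pass silently — rejecting non-scalar values or casting with `(string)` before the match would be safer, though I cannot see how `$settings` is built. The enclosing block starts before the hunk.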
' && $v != '')
 fwrite($fd, $k . ': ' . $v . "\r\n");
 }
- fwrite($fd, "# end settings.php */\r\n?\>\r\n");
+ fwrite($fd, "# end settings.php */\r\n?>\r\n");
 fclose($fd);
 if ($post_action != $testSettingsStr && $post_action2 != $createNewStr)