Commit 27d79147 authored by Andreas Gohr's avatar Andreas Gohr

Merge pull request #109 from whoopdedo/input-validation

input validations in installer
parents 3272d797 ed856534
...@@ -29,8 +29,10 @@ if (get_magic_quotes_gpc() && !defined('MAGIC_QUOTES_STRIPPED')) { ...@@ -29,8 +29,10 @@ if (get_magic_quotes_gpc() && !defined('MAGIC_QUOTES_STRIPPED')) {
// language strings // language strings
require_once(DOKU_INC.'inc/lang/en/lang.php'); require_once(DOKU_INC.'inc/lang/en/lang.php');
$LC = preg_replace('/[^a-z\-]+/','',$_REQUEST['l']); if(isset($_REQUEST['l']) && !is_array($_REQUEST['l'])) {
if(!$LC) $LC = 'en'; $LC = preg_replace('/[^a-z\-]+/','',$_REQUEST['l']);
}
if(empty($LC)) $LC = 'en';
if($LC && $LC != 'en' ) { if($LC && $LC != 'en' ) {
require_once(DOKU_INC.'inc/lang/'.$LC.'/lang.php'); require_once(DOKU_INC.'inc/lang/'.$LC.'/lang.php');
} }
...@@ -56,7 +58,6 @@ $dokuwiki_hash = array( ...@@ -56,7 +58,6 @@ $dokuwiki_hash = array(
); );
// begin output // begin output
header('Content-Type: text/html; charset=utf-8'); header('Content-Type: text/html; charset=utf-8');
?> ?>
...@@ -131,17 +132,16 @@ header('Content-Type: text/html; charset=utf-8'); ...@@ -131,17 +132,16 @@ header('Content-Type: text/html; charset=utf-8');
}elseif(!check_configs()){ }elseif(!check_configs()){
echo '<p>'.$lang['i_modified'].'</p>'; echo '<p>'.$lang['i_modified'].'</p>';
print_errors(); print_errors();
}elseif($_REQUEST['submit']){ }elseif(check_data($_REQUEST['d'])){
if(!check_data($_REQUEST['d'])){ // check_data has sanitized all input parameters
print_errors(); if(!store_data($_REQUEST['d'])){
print_form($_REQUEST['d']);
}elseif(!store_data($_REQUEST['d'])){
echo '<p>'.$lang['i_failure'].'</p>'; echo '<p>'.$lang['i_failure'].'</p>';
print_errors(); print_errors();
}else{ }else{
echo '<p>'.$lang['i_success'].'</p>'; echo '<p>'.$lang['i_success'].'</p>';
} }
}else{ }else{
print_errors();
print_form($_REQUEST['d']); print_form($_REQUEST['d']);
} }
?> ?>
...@@ -213,7 +213,7 @@ function print_form($d){ ...@@ -213,7 +213,7 @@ function print_form($d){
<p><?php echo $lang['i_license']?></p> <p><?php echo $lang['i_license']?></p>
<?php <?php
array_unshift($license,array('name' => 'None', 'url'=>'')); array_unshift($license,array('name' => 'None', 'url'=>''));
if(!isset($d['license'])) $d['license'] = 'cc-by-sa'; if(empty($d['license'])) $d['license'] = 'cc-by-sa';
foreach($license as $key => $lic){ foreach($license as $key => $lic){
echo '<label for="lic_'.$key.'">'; echo '<label for="lic_'.$key.'">';
echo '<input type="radio" name="d[license]" value="'.htmlspecialchars($key).'" id="lic_'.$key.'"'. echo '<input type="radio" name="d[license]" value="'.htmlspecialchars($key).'" id="lic_'.$key.'"'.
...@@ -252,41 +252,65 @@ function print_retry() { ...@@ -252,41 +252,65 @@ function print_retry() {
* @author Andreas Gohr * @author Andreas Gohr
*/ */
function check_data(&$d){ function check_data(&$d){
static $form_default = array(
'title' => '',
'acl' => '1',
'superuser' => '',
'fullname' => '',
'email' => '',
'password' => '',
'confirm' => '',
'policy' => '0',
'license' => 'cc-by-sa'
);
global $lang; global $lang;
global $error; global $error;
if(!is_array($d)) $d = array();
foreach($d as $k => $v) {
if(is_array($v))
unset($d[$k]);
else
$d[$k] = (string)$v;
}
//autolowercase the username //autolowercase the username
$d['superuser'] = strtolower($d['superuser']); $d['superuser'] = isset($d['superuser']) ? strtolower($d['superuser']) : "";
$ok = true; $ok = false;
// check input if(isset($_REQUEST['submit'])) {
if(empty($d['title'])){ $ok = true;
$error[] = sprintf($lang['i_badval'],$lang['i_wikiname']);
$ok = false; // check input
} if(empty($d['title'])){
if($d['acl']){ $error[] = sprintf($lang['i_badval'],$lang['i_wikiname']);
if(!preg_match('/^[a-z0-9_]+$/',$d['superuser'])){
$error[] = sprintf($lang['i_badval'],$lang['i_superuser']);
$ok = false;
}
if(empty($d['password'])){
$error[] = sprintf($lang['i_badval'],$lang['pass']);
$ok = false;
}
if($d['confirm'] != $d['password']){
$error[] = sprintf($lang['i_badval'],$lang['passchk']);
$ok = false;
}
if(empty($d['fullname']) || strstr($d['fullname'],':')){
$error[] = sprintf($lang['i_badval'],$lang['fullname']);
$ok = false; $ok = false;
} }
if(empty($d['email']) || strstr($d['email'],':') || !strstr($d['email'],'@')){ if(isset($d['acl'])){
$error[] = sprintf($lang['i_badval'],$lang['email']); if(!preg_match('/^[a-z0-9_]+$/',$d['superuser'])){
$ok = false; $error[] = sprintf($lang['i_badval'],$lang['i_superuser']);
$ok = false;
}
if(empty($d['password'])){
$error[] = sprintf($lang['i_badval'],$lang['pass']);
$ok = false;
}
elseif(!isset($d['confirm']) || $d['confirm'] != $d['password']){
$error[] = sprintf($lang['i_badval'],$lang['passchk']);
$ok = false;
}
if(empty($d['fullname']) || strstr($d['fullname'],':')){
$error[] = sprintf($lang['i_badval'],$lang['fullname']);
$ok = false;
}
if(empty($d['email']) || strstr($d['email'],':') || !strstr($d['email'],'@')){
$error[] = sprintf($lang['i_badval'],$lang['email']);
$ok = false;
}
} }
} }
$d = array_merge($form_default, $d);
return $ok; return $ok;
} }
...@@ -531,11 +555,13 @@ function langsel(){ ...@@ -531,11 +555,13 @@ function langsel(){
*/ */
function print_errors(){ function print_errors(){
global $error; global $error;
echo '<ul>'; if(!empty($error)) {
foreach ($error as $err){ echo '<ul>';
echo "<li>$err</li>"; foreach ($error as $err){
echo "<li>$err</li>";
}
echo '</ul>';
} }
echo '</ul>';
} }
/** /**
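Review bot: The confirm/password comparison in the rewritten check_data (`elseif(!isset($d['confirm']) || $d['confirm'] != $d['password'])`) still uses loose `!=`; since every value was just cast to string, two numeric-looking strings such as `'1000'` and `'1e3'` compare equal and the mismatch goes unreported, so the line should read `elseif(!isset($d['confirm']) || $d['confirm'] !== $d['password']){`. The closing `$d = array_merge($form_default, $d);` also passes any request key that is not in `$form_default` straight through to store_data; restricting to the known keys with `$d = array_merge($form_default, array_intersect_key($d, $form_default));` would make the "check_data has sanitized all input parameters" comment in the caller accurate, assuming store_data does not depend on other keys (its body is not in this diff). Note too that `if(isset($d['acl']))` differs from the old truthiness test: a submitted `acl` of `'0'` now triggers the superuser/password checks, which may or may not match how store_data interprets that value.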