mirror/librenms-librenms
1
0
Fork 0
mirror of https://github.com/librenms/librenms.git synced 2024-10-07 16:52:45 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

security: Stop accepting other variables in install that we do not use (#7511)

Browse Source
This commit is contained in:
Neil Lathwood
2017-10-18 13:19:16 +01:00
committed by GitHub
parent 3dab275f14
commit 1205f12f10
1 changed files with 6 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
html/install.php
View File

@@ -3,7 +3,12 @@ session_start();
if (empty($_POST) && !empty($_SESSION) && !isset($_REQUEST['stage'])) {
$_POST = $_SESSION;
} elseif (!file_exists("../config.php")) {
$_SESSION = array_replace($_SESSION, $_POST);
$allowed_vars = array('stage','build-ok','dbhost','dbuser','dbpass','dbname','dbport','dbsocket','add_user','add_pass','add_email');
foreach ($allowed_vars as $allowed) {
if (isset($_POST[$allowed])) {
$_SESSION[$allowed] = $_POST[$allowed];
}
}
}
$stage = isset($_POST['stage']) ? $_POST['stage'] : 0;