From 51c311a1b053575741d902873b93b1813fa460de Mon Sep 17 00:00:00 2001
From: Tim Starling
Date: Fri, 6 Feb 2009 03:46:35 +0000
Subject: [PATCH] More installer XSS
---
 config/index.php | 2 +-
 includes/db/DatabasePostgres.php | 101 ++++++++++++++++++-------------
 2 files changed, 60 insertions(+), 43 deletions(-)
diff --git a/config/index.php b/config/index.php
index 83ead15264..6414cb966d 100644
--- a/config/index.php
+++ b/config/index.php
@@ -2013,7 +2013,7 @@ function testMemcachedServer( $server ) {
 fclose( $fp );
 }
 if ( !$errstr ) {
- echo "
  • Connected to memcached on $host:$port successfully"; + echo "
  • Connected to memcached on " . htmlspecialchars( "$host:$port" ) ." successfully
  • "; } return $errstr; } diff --git a/includes/db/DatabasePostgres.php b/includes/db/DatabasePostgres.php index f8c0eb5170..6b343b598d 100644 --- a/includes/db/DatabasePostgres.php +++ b/includes/db/DatabasePostgres.php @@ -208,10 +208,10 @@ class DatabasePostgres extends Database { $version = $this->getServerVersion(); $PGMINVER = '8.1'; if ($version < $PGMINVER) { - print "FAILED. Required version is $PGMINVER. You have $version\n"; + print "FAILED. Required version is $PGMINVER. You have " . htmlspecialchars( $version ) . "\n"; dieout(""); } - print "version $this->numeric_version is OK.\n"; + print "version " . htmlspecialchars( $this->numeric_version ) . " is OK.\n"; $safeuser = $this->quote_ident($wgDBuser); // Are we connecting as a superuser for the first time? @@ -225,7 +225,7 @@ class DatabasePostgres extends Database { FROM pg_catalog.pg_user WHERE usename = " . $this->addQuotes($wgDBsuperuser); $rows = $this->numRows($res = $this->doQuery($SQL)); if (!$rows) { - print "
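Review bot: The block around `$safeuser = $this->quote_ident($wgDBuser);` in the @@ -208,10 hunk has no comment stating the escaping rule this patch applies, although the same configuration values now pass through three different encoders depending on the sink. A line such as `// $wgDB* values are installer input: htmlspecialchars() for print, addQuotes()/quote_ident() for SQL` would make a missed call site easier to spot in later edits. That these values are installer-supplied is inferred from the commit title, and the enclosing method starts and ends outside the hunk.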
  • ERROR: Could not read permissions for user \"$wgDBsuperuser\"
  • \n"; + print "
  • ERROR: Could not read permissions for user \"" . htmlspecialchars( $wgDBsuperuser ) . "\"
  • \n"; dieout(''); } $perms = pg_fetch_result($res, 0, 0); @@ -233,15 +233,15 @@ class DatabasePostgres extends Database { $SQL = "SELECT 1 FROM pg_catalog.pg_user WHERE usename = " . $this->addQuotes($wgDBuser); $rows = $this->numRows($this->doQuery($SQL)); if ($rows) { - print "
  • User \"$wgDBuser\" already exists, skipping account creation.
  • "; + print "
  • User \"" . htmlspecialchars( $wgDBuser ) . "\" already exists, skipping account creation.
  • "; } else { if ($perms != 1 and $perms != 3) { - print "
  • ERROR: the user \"$wgDBsuperuser\" cannot create other users. "; + print "
  • ERROR: the user \"" . htmlspecialchars( $wgDBsuperuser ) . "\" cannot create other users. "; print 'Please use a different Postgres user.
  • '; dieout(''); } - print "
  • Creating user $wgDBuser..."; + print "
  • Creating user " . htmlspecialchars( $wgDBuser ) . "..."; $safepass = $this->addQuotes($wgDBpassword); $SQL = "CREATE USER $safeuser NOCREATEDB PASSWORD $safepass"; $this->doQuery($SQL); @@ -252,15 +252,15 @@ class DatabasePostgres extends Database { $SQL = "SELECT 1 FROM pg_catalog.pg_database WHERE datname = " . $this->addQuotes($wgDBname); $rows = $this->numRows($this->doQuery($SQL)); if ($rows) { - print "
  • Database \"$wgDBname\" already exists, skipping database creation.
  • "; + print "
  • Database \"" . htmlspecialchars( $wgDBname ) . "\" already exists, skipping database creation.
  • "; } else { if ($perms < 2) { - print "
  • ERROR: the user \"$wgDBsuperuser\" cannot create databases. "; + print "
  • ERROR: the user \"" . htmlspecialchars( $wgDBsuperuser ) . "\" cannot create databases. "; print 'Please use a different Postgres user.
  • '; dieout(''); } - print "
  • Creating database $wgDBname..."; + print "
  • Creating database " . htmlspecialchars( $wgDBname ) . "..."; $safename = $this->quote_ident($wgDBname); $SQL = "CREATE DATABASE $safename OWNER $safeuser "; $this->doQuery($SQL); @@ -269,17 +269,21 @@ class DatabasePostgres extends Database { } // Reconnect to check out tsearch2 rights for this user - print "
  • Connecting to \"$wgDBname\" as superuser \"$wgDBsuperuser\" to check rights..."; + print "
  • Connecting to \"" . htmlspecialchars( $wgDBname ) . "\" as superuser \"" . + htmlspecialchars( $wgDBsuperuser ) . "\" to check rights..."; - $hstring=""; + $connectVars = array(); if ($this->mServer!=false && $this->mServer!="") { - $hstring="host=$this->mServer "; + $connectVars['host'] = $this->mServer; } if ($this->mPort!=false && $this->mPort!="") { - $hstring .= "port=$this->mPort "; + $connectVars['port'] = $this->mPort; } + $connectVars['dbname'] = $wgDBname; + $connectVars['user'] = $wgDBsuperuser; + $connectVars['password'] = $password; - @$this->mConn = pg_connect("$hstring dbname=$wgDBname user=$wgDBsuperuser password=$password"); + @$this->mConn = pg_connect( $this->makeConnectionString( $connectVars ) ); if ( $this->mConn == false ) { print "FAILED TO CONNECT!
  • "; dieout(""); @@ -289,15 +293,18 @@ class DatabasePostgres extends Database { if ($this->numeric_version < 8.3) { // Tsearch2 checks - print "
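Review bot: The safety of the new `pg_connect( $this->makeConnectionString( $connectVars ) )` call in the @@ -269,17 hunk rests entirely on makeConnectionString(), whose body is not part of the visible diff. For a libpq keyword/value string the helper has to single-quote every value and backslash-escape `'` and `\` inside it; if it only joins `key=value` pairs, a name or password containing a space or quote is still parsed as extra connection parameters. It is worth confirming that and recording it above the array, e.g. `// values are untrusted; makeConnectionString() must quote them for libpq`. The `@` on the assignment also suppresses the connection error, so the "FAILED TO CONNECT!" branch reports no cause.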
  • Checking that tsearch2 is installed in the database \"$wgDBname\"..."; + print "
  • Checking that tsearch2 is installed in the database \"" . + htmlspecialchars( $wgDBname ) . "\"..."; if (! $this->tableExists("pg_ts_cfg", $wgDBts2schema)) { - print "FAILED. tsearch2 must be installed in the database \"$wgDBname\"."; + print "FAILED. tsearch2 must be installed in the database \"" . + htmlspecialchars( $wgDBname ) . "\"."; print "Please see this article"; print " for instructions or ask on #postgresql on irc.freenode.net
  • \n"; dieout(""); } print "OK\n"; - print "
  • Ensuring that user \"$wgDBuser\" has select rights on the tsearch2 tables..."; + print "
  • Ensuring that user \"" . htmlspecialchars( $wgDBuser ) . + "\" has select rights on the tsearch2 tables..."; foreach (array('cfg','cfgmap','dict','parser') as $table) { $SQL = "GRANT SELECT ON pg_ts_$table TO $safeuser"; $this->doQuery($SQL); @@ -309,7 +316,7 @@ class DatabasePostgres extends Database { $result = $this->schemaExists($wgDBmwschema); $safeschema = $this->quote_ident($wgDBmwschema); if (!$result) { - print "
  • Creating schema $wgDBmwschema ..."; + print "
  • Creating schema " . htmlspecialchars( $wgDBmwschema ) . " ..."; $result = $this->doQuery("CREATE SCHEMA $safeschema AUTHORIZATION $safeuser"); if (!$result) { print "FAILED.
  • \n"; @@ -355,7 +362,7 @@ class DatabasePostgres extends Database { if ($this->numeric_version < 8.3) { // Do we have the basic tsearch2 table? - print "
  • Checking for tsearch2 in the schema \"$wgDBts2schema\"..."; + print "
  • Checking for tsearch2 in the schema \"" . htmlspecialchars( $wgDBts2schema ) . "\"..."; if (! $this->tableExists("pg_ts_dict", $wgDBts2schema)) { print "FAILED. Make sure tsearch2 is installed. See this article"; @@ -375,12 +382,13 @@ class DatabasePostgres extends Database { $SQL = "SELECT count(*) FROM $safetsschema.pg_ts_$tname"; $res = $this->doQuery($SQL); if (!$res) { - print "FAILED to access pg_ts_$tname. Make sure that the user ". - "\"$wgDBuser\" has SELECT access to all four tsearch2 tables
  • \n"; + print "FAILED to access " . htmlspecialchars( "pg_ts_$tname" ) . + ". Make sure that the user \"". htmlspecialchars( $wgDBuser ) . + "\" has SELECT access to all four tsearch2 tables\n"; dieout(""); } } - $SQL = "SELECT ts_name FROM $safetsschema.pg_ts_cfg WHERE locale = '$ctype'"; + $SQL = "SELECT ts_name FROM $safetsschema.pg_ts_cfg WHERE locale = " . $this->addQuotes( $ctype ) ; $SQL .= " ORDER BY CASE WHEN ts_name <> 'default' THEN 1 ELSE 0 END"; $res = $this->doQuery($SQL); error_reporting( E_ALL ); @@ -391,28 +399,30 @@ class DatabasePostgres extends Database { print "OK"; // Will the current locale work? Can we force it to? - print "
  • Verifying tsearch2 locale with $ctype..."; + print "
  • Verifying tsearch2 locale with " . htmlspecialchars( $ctype ) . "..."; $rows = $this->numRows($res); $resetlocale = 0; if (!$rows) { print "not found
  • \n"; - print "
  • Attempting to set default tsearch2 locale to \"$ctype\"..."; + print "
  • Attempting to set default tsearch2 locale to \"" . htmlspecialchars( $ctype ) . "\"..."; $resetlocale = 1; } else { $tsname = pg_fetch_result($res, 0, 0); if ($tsname != 'default') { - print "not set to default ($tsname)"; - print "
  • Attempting to change tsearch2 default locale to \"$ctype\"..."; + print "not set to default (" . htmlspecialchars( $tsname ) . ")"; + print "
  • Attempting to change tsearch2 default locale to \"" . + htmlspecialchars( $ctype ) . "\"..."; $resetlocale = 1; } } if ($resetlocale) { - $SQL = "UPDATE $safetsschema.pg_ts_cfg SET locale = '$ctype' WHERE ts_name = 'default'"; + $SQL = "UPDATE $safetsschema.pg_ts_cfg SET locale = " . $this->addQuotes( $ctype ) . " WHERE ts_name = 'default'"; $res = $this->doQuery($SQL); if (!$res) { print "FAILED. "; - print "Please make sure that the locale in pg_ts_cfg for \"default\" is set to \"$ctype\"
  • \n"; + print "Please make sure that the locale in pg_ts_cfg for \"default\" is set to \"" . + htmlspecialchars( $ctype ) . "\"\n"; dieout(""); } print "OK"; @@ -422,7 +432,7 @@ class DatabasePostgres extends Database { $SQL = "SELECT $safetsschema.to_tsvector('default','MediaWiki tsearch2 testing')"; $res = $this->doQuery($SQL); if (!$res) { - print "FAILED. Specifically, \"$SQL\" did not work."; + print "FAILED. Specifically, \"" . htmlspecialchars( $SQL ) . "\" did not work."; dieout(""); } print "OK"; @@ -434,28 +444,32 @@ class DatabasePostgres extends Database { // Does the schema already exist? Who owns it? $result = $this->schemaExists($wgDBmwschema); if (!$result) { - print "
  • Creating schema $wgDBmwschema ..."; + print "
  • Creating schema " . htmlspecialchars( $wgDBmwschema ) . " ..."; error_reporting( 0 ); $safeschema = $this->quote_ident($wgDBmwschema); $result = $this->doQuery("CREATE SCHEMA $safeschema"); error_reporting( E_ALL ); if (!$result) { - print "FAILED. The user \"$wgDBuser\" must be able to access the schema. ". + print "FAILED. The user \"" . htmlspecialchars( $wgDBuser ) . + "\" must be able to access the schema. ". "You can try making them the owner of the database, or try creating the schema with a ". - "different user, and then grant access to the \"$wgDBuser\" user.
  • \n"; + "different user, and then grant access to the \"" . + htmlspecialchars( $wgDBuser ) . "\" user.\n"; dieout(""); } print "OK\n"; } else if ($result != $wgDBuser) { - print "
  • Schema \"$wgDBmwschema\" exists but is not owned by \"$wgDBuser\". Not ideal.
  • \n"; + print "
  • Schema \"" . htmlspecialchars( $wgDBmwschema ) . "\" exists but is not owned by \"" . + htmlspecialchars( $wgDBuser ) . "\". Not ideal.
  • \n"; } else { - print "
  • Schema \"$wgDBmwschema\" exists and is owned by \"$wgDBuser\". Excellent.
  • \n"; + print "
  • Schema \"" . htmlspecialchars( $wgDBmwschema ) . "\" exists and is owned by \"" . + htmlspecialchars( $wgDBuser ) . "\". Excellent.
  • \n"; } // Always return GMT time to accomodate the existing integer-based timestamp assumption - print "
  • Setting the timezone to GMT for user \"$wgDBuser\" ..."; + print "
  • Setting the timezone to GMT for user \"" . htmlspecialchars( $wgDBuser ) . "\" ..."; $SQL = "ALTER USER $safeuser SET timezone = 'GMT'"; $result = pg_query($this->mConn, $SQL); if (!$result) { @@ -471,7 +485,7 @@ class DatabasePostgres extends Database { dieout(""); } - print "
  • Setting the datestyle to ISO, YMD for user \"$wgDBuser\" ..."; + print "
  • Setting the datestyle to ISO, YMD for user \"" . htmlspecialchars( $wgDBuser ) . "\" ..."; $SQL = "ALTER USER $safeuser SET datestyle = 'ISO, YMD'"; $result = pg_query($this->mConn, $SQL); if (!$result) { @@ -488,7 +502,7 @@ class DatabasePostgres extends Database { } // Fix up the search paths if needed - print "
  • Setting the search path for user \"$wgDBuser\" ..."; + print "
  • Setting the search path for user \"" . htmlspecialchars( $wgDBuser ) . "\" ..."; $path = $this->quote_ident($wgDBmwschema); if ($wgDBts2schema !== $wgDBmwschema) $path .= ", ". $this->quote_ident($wgDBts2schema); @@ -529,12 +543,14 @@ class DatabasePostgres extends Database { $result = $this->doQuery("CREATE LANGUAGE plpgsql"); error_reporting($olde); if (!$result) { - print "FAILED. You need to install the language plpgsql in the database $wgDBname
  • "; + print "FAILED. You need to install the language plpgsql in the database " . + htmlspecialchars( $wgDBname ) . ""; dieout(""); } } else { - print "FAILED. You need to install the language plpgsql in the database $wgDBname"; + print "FAILED. You need to install the language plpgsql in the database " . + htmlspecialchars( $wgDBname ) . ""; dieout(""); } } @@ -1229,7 +1245,8 @@ END; $res = $this->doQuery($SQL); error_reporting( $olde ); if (!$res) { - print "FAILED. Make sure that the user \"$wgDBuser\" can write to the schema \"$wgDBmwschema\"\n"; + print "FAILED. Make sure that the user \"" . htmlspecialchars( $wgDBuser ) . + "\" can write to the schema \"" . htmlspecialchars( $wgDBmwschema ) . "\"\n"; dieout(""); } $this->doQuery("DROP TABLE $safeschema.$ctest"); @@ -1244,11 +1261,11 @@ END; $tss = $this->addQuotes($wgDBts2schema); $pgp = $this->addQuotes($wgDBport); $dbn = $this->addQuotes($this->mDBname); - $ctype = pg_fetch_result($this->doQuery("SHOW lc_ctype"),0,0); + $ctype = $this->addQuotes( pg_fetch_result($this->doQuery("SHOW lc_ctype"),0,0) ); $SQL = "UPDATE mediawiki_version SET mw_version=$mwv, pg_version=$pgv, pg_user=$pgu, ". "mw_schema = $mws, ts2_schema = $tss, pg_port=$pgp, pg_dbname=$dbn, ". - "ctype = '$ctype' ". + "ctype = $ctype ". "WHERE type = 'Creation'"; $this->query($SQL); -- 2.20.1