security: Stop accepting other variables in install that we do not use (
laf committed Oct 18, 2017
1 parent 9009633 commit cbc2757
Showing 1 changed file with 6 additions and 1 deletion.
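--- a/html/install.php
+++ b/html/install.php
@@ -3,7 +3,12 @@
 if (empty($_POST) && !empty($_SESSION) && !isset($_REQUEST['stage'])) {
 $_POST = $_SESSION;
 } elseif (!file_exists("../config.php")) {
-$_SESSION = array_replace($_SESSION, $_POST);
+$allowed_vars = array('stage','build-ok','dbhost','dbuser','dbpass','dbname','dbport','dbsocket','add_user','add_pass','add_email');
+foreach ($allowed_vars as $allowed) {
+if (isset($_POST[$allowed])) {
+$_SESSION[$allowed] = $_POST[$allowed];
+}
+}
 }
 
 $stage = isset($_POST['stage']) ? $_POST['stage'] : 0;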
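Review bot: The allowlist in the new `foreach` restricts which keys reach `$_SESSION` but not the type of their values: `isset($_POST[$allowed])` is also true when a field arrives as an array, so a non-string value can still be stored and later restored by `$_POST = $_SESSION`. Tightening the guard to `if (isset($_POST[$allowed]) && is_string($_POST[$allowed])) {` would keep the session to the string form the installer fields appear to expect. `stage` in particular is read back unvalidated by `$stage = isset($_POST['stage']) ? $_POST['stage'] : 0;`; its use lies below the hunk, so whether it needs an integer cast should be confirmed there. A short comment above `$allowed_vars`, such as `// Only these installer fields may be persisted to the session`, would help keep the list in sync with the form.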
