

security(install): sanitize input when reporting an error
To prevent XSS attacks
jeabakker committed Oct 25, 2022
1 parent 3dc2c7b commit 966f1c9
Showing 1 changed file with 37 additions and 9 deletions.
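--- a/engine/classes/ElggInstaller.php
+++ b/engine/classes/ElggInstaller.php
@@ -1150,43 +1150,49 @@ protected function validateDatabaseVars($submissionVars, $formVars) {
 }
 
 if (!empty($submissionVars['wwwroot']) && !\Elgg\Http\Urls::isValidMultiByteUrl($submissionVars['wwwroot'])) {
-$app->internal_services->system_messages->addErrorMessage(elgg_echo('install:error:wwwroot', [$submissionVars['wwwroot']]));
+$save_value = $this->sanitizeInputValue($submissionVars['wwwroot']);
+$app->internal_services->system_messages->addErrorMessage(elgg_echo('install:error:wwwroot', [$save_value]));
 
 return false;
 }
 
 // check that data root is absolute path
 if (stripos(PHP_OS, 'win') === 0) {
 if (strpos($submissionVars['dataroot'], ':') !== 1) {
-$app->internal_services->system_messages->addErrorMessage(elgg_echo('install:error:relative_path', [$submissionVars['dataroot']]));
+$save_value = $this->sanitizeInputValue($submissionVars['dataroot']);
+$app->internal_services->system_messages->addErrorMessage(elgg_echo('install:error:relative_path', [$save_value]));
 
 return false;
 }
 } else {
 if (strpos($submissionVars['dataroot'], '/') !== 0) {
-$app->internal_services->system_messages->addErrorMessage(elgg_echo('install:error:relative_path', [$submissionVars['dataroot']]));
+$save_value = $this->sanitizeInputValue($submissionVars['dataroot']);
+$app->internal_services->system_messages->addErrorMessage(elgg_echo('install:error:relative_path', [$save_value]));
 
 return false;
 }
 }
 
 // check that data root exists
 if (!is_dir($submissionVars['dataroot'])) {
-$app->internal_services->system_messages->addErrorMessage(elgg_echo('install:error:datadirectoryexists', [$submissionVars['dataroot']]));
+$save_value = $this->sanitizeInputValue($submissionVars['dataroot']);
+$app->internal_services->system_messages->addErrorMessage(elgg_echo('install:error:datadirectoryexists', [$save_value]));
 
 return false;
 }
 
 // check that data root is writable
 if (!is_writable($submissionVars['dataroot'])) {
-$app->internal_services->system_messages->addErrorMessage(elgg_echo('install:error:writedatadirectory', [$submissionVars['dataroot']]));
+$save_value = $this->sanitizeInputValue($submissionVars['dataroot']);
+$app->internal_services->system_messages->addErrorMessage(elgg_echo('install:error:writedatadirectory', [$save_value]));
 
 return false;
 }
 
 // check that data root is not subdirectory of Elgg root
 if (stripos($submissionVars['dataroot'], Paths::project()) === 0) {
-$app->internal_services->system_messages->addErrorMessage(elgg_echo('install:error:locationdatadirectory', [$submissionVars['dataroot']]));
+$save_value = $this->sanitizeInputValue($submissionVars['dataroot']);
+$app->internal_services->system_messages->addErrorMessage(elgg_echo('install:error:locationdatadirectory', [$save_value]));
 
 return false;
 }
@@ -1241,7 +1247,8 @@ protected function checkDatabaseSettings($user, $password, $dbname, $host, $port
 if (0 === strpos($e->getMessage(), "Elgg couldn't connect")) {
 $app->internal_services->system_messages->addErrorMessage(elgg_echo('install:error:databasesettings'));
 } else {
-$app->internal_services->system_messages->addErrorMessage(elgg_echo('install:error:nodatabase', [$dbname]));
+$save_value = $this->sanitizeInputValue($dbname);
+$app->internal_services->system_messages->addErrorMessage(elgg_echo('install:error:nodatabase', [$save_value]));
 }
 
 return false;
@@ -1408,7 +1415,8 @@ protected function validateSettingsVars($submissionVars, $formVars) {
 
 // check that email address is email address
 if ($submissionVars['siteemail'] && !elgg_is_valid_email((string) $submissionVars['siteemail'])) {
-$app->internal_services->system_messages->addErrorMessage(elgg_echo('install:error:emailaddress', [$submissionVars['siteemail']]));
+$save_value = $this->sanitizeInputValue($submissionVars['siteemail']);
+$app->internal_services->system_messages->addErrorMessage(elgg_echo('install:error:emailaddress', [$save_value]));
 
 return false;
 }
@@ -1539,7 +1547,8 @@ protected function validateAdminVars($submissionVars, $formVars) {
 
 // check that email address is email address
 if ($submissionVars['email'] && !elgg_is_valid_email((string) $submissionVars['email'])) {
-$app->internal_services->system_messages->addErrorMessage(elgg_echo('install:error:emailaddress', [$submissionVars['email']]));
+$save_value = $this->sanitizeInputValue($submissionVars['email']);
+$app->internal_services->system_messages->addErrorMessage(elgg_echo('install:error:emailaddress', [$save_value]));
 
 return false;
 }
@@ -1595,4 +1604,23 @@ protected function createAdminAccount($submissionVars, $login = false) {
 
 return true;
 }
+
+/**
+* Sanitize input to help prevent XSS
+*
+* @param mixed $input_value the input to sanitize
+*
+* @return mixed
+*/
+protected function sanitizeInputValue($input_value) {
+if (is_array($input_value)) {
+return array_map([$this, __FUNCTION__], $input_value);
+}
+
+if (!is_string($input_value)) {
+return $input_value;
+}
+
+return htmlspecialchars($input_value);
+}
 }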
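Review bot: `htmlspecialchars($input_value)` in the new `sanitizeInputValue()` relies on the default flags, which on PHP versions before 8.1 are `ENT_COMPAT | ENT_HTML401` — single quotes are left unescaped, so a value reflected inside a single-quoted attribute is still injectable, and invalid UTF-8 makes the call return an empty string instead of a substituted one. Pass the flags explicitly so the behaviour does not depend on the runtime: `return htmlspecialchars($input_value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');`. The helper escapes for an HTML body/attribute context only, so its docblock should say so (e.g. `Escape a submitted value for safe inclusion in an HTML error message`) rather than calling it a general sanitizer; and if system messages are HTML-escaped again at render time these values will be double-encoded, which is worth confirming against the message view. The PHP version this tree targets is not visible here, so the default-flags point is an assumption to confirm.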

