From aa4e47e8dbe23a4e919b8e472d234f31652fea2b Mon Sep 17 00:00:00 2001 From: garvinhicking Date: Tue, 25 Mar 2008 12:39:55 +0000 Subject: [PATCH] Patch by hanno boeck --- docs/NEWS | 3 +++ include/db/mysql.inc.php | 8 ++++---- include/db/mysqli.inc.php | 4 ++-- include/functions_installer.inc.php | 24 ++++++++++++------------ 4 files changed, 21 insertions(+), 18 deletions(-) diff --git a/docs/NEWS b/docs/NEWS index 5a5b441..31ef38d 100644 --- a/docs/NEWS +++ b/docs/NEWS @@ -10,6 +10,9 @@ Version 1.4 () Version 1.3.1 () ------------------------------------------------------------------------ + * Add XSS security checks for installer, even though very + hypothetical application :) (Hanno Böck) + * Add {serendipity_getImageSize} smarty function (judebert) * Add escaping to "Top Referrers" plugin and honor local configuration diff --git a/include/db/mysql.inc.php b/include/db/mysql.inc.php index a5cf518..ec0b8e6 100644 --- a/include/db/mysql.inc.php +++ b/include/db/mysql.inc.php @@ -96,13 +96,13 @@ function &serendipity_db_query($sql, $single = false, $result_type = "both", $re } if (!$expectError && mysql_error($serendipity['dbConn']) != '') { - $msg = '
' . $sql . '
/ ' . mysql_error($serendipity['dbConn']); + $msg = '
' . $sql . '
/ ' . htmlspecialchars(mysql_error($serendipity['dbConn'])); return $msg; } if (!$c) { if (!$expectError && !$serendipity['production']) { - print '
' . $sql . '
/ ' . mysql_error($serendipity['dbConn']); + print '
' . $sql . '
/ ' . htmlspecialchars(mysql_error($serendipity['dbConn'])); if (function_exists('debug_backtrace') && $reportErr == true) { highlight_string(var_export(debug_backtrace(), 1)); } @@ -340,7 +340,7 @@ function serendipity_db_probe($hash, &$errs) { if (!($c = @mysql_connect($hash['dbHost'], $hash['dbUser'], $hash['dbPass']))) { $errs[] = 'Could not connect to database; check your settings.'; - $errs[] = 'The mySQL error was: ' . mysql_error(); + $errs[] = 'The mySQL error was: ' . htmlspecialchars(mysql_error()); return false; } @@ -348,7 +348,7 @@ function serendipity_db_probe($hash, &$errs) { if (!@mysql_select_db($hash['dbName'])) { $errs[] = 'The database you specified does not exist.'; - $errs[] = 'The mySQL error was: ' . mysql_error(); + $errs[] = 'The mySQL error was: ' . htmlspecialchars(mysql_error()); return false; } diff --git a/include/db/mysqli.inc.php b/include/db/mysqli.inc.php index 3e4f60e..49d7e0c 100644 --- a/include/db/mysqli.inc.php +++ b/include/db/mysqli.inc.php @@ -319,7 +319,7 @@ function serendipity_db_probe($hash, &$errs) { if (!$c) { $errs[] = 'Could not connect to database; check your settings.'; - $errs[] = 'The mySQL error was: ' . mysqli_connect_error(); + $errs[] = 'The mySQL error was: ' . htmlspecialchars(mysqli_connect_error()); return false; } @@ -327,7 +327,7 @@ function serendipity_db_probe($hash, &$errs) { if ( !@mysqli_select_db($c, $hash['dbName']) ) { $errs[] = 'The database you specified does not exist.'; - $errs[] = 'The mySQL error was: ' . mysqli_error($c); + $errs[] = 'The mySQL error was: ' . htmlspecialchars(mysqli_error($c)); return false; } diff --git a/include/functions_installer.inc.php b/include/functions_installer.inc.php index 669606f..0edeb64 100644 --- a/include/functions_installer.inc.php +++ b/include/functions_installer.inc.php 
@@ -692,35 +692,35 @@ function serendipity_checkInstallation() { // Check dirs if (!is_dir($_POST['serendipityPath'])) { - $errs[] = sprintf(DIRECTORY_NON_EXISTANT, $_POST['serendipityPath']); + $errs[] = sprintf(DIRECTORY_NON_EXISTANT, htmlspecialchars($_POST['serendipityPath'])); } /* This test has already been passed on the diagnosis page. Besides it's a partially bogus test. elseif (!is_writable($_POST['serendipityPath']) ) { - $errs[] = sprintf(DIRECTORY_WRITE_ERROR, $_POST['serendipityPath']); + $errs[] = sprintf(DIRECTORY_WRITE_ERROR, htmlspecialchars($_POST['serendipityPath'])); }*/ elseif (!is_dir($_POST['serendipityPath'] . $_POST['uploadPath'] ) && @mkdir($_POST['serendipityPath'] . $_POST['uploadPath'], $umask) !== true) { - $errs[] = sprintf(DIRECTORY_CREATE_ERROR, $_POST['serendipityPath'] . $_POST['uploadPath']); + $errs[] = sprintf(DIRECTORY_CREATE_ERROR, htmlspecialchars($_POST['serendipityPath']) . htmlspecialchars($_POST['uploadPath'])); } elseif (!is_writable($_POST['serendipityPath'] . $_POST['uploadPath'])) { - $errs[] = sprintf(DIRECTORY_WRITE_ERROR, $_POST['serendipityPath'] . $_POST['uploadPath']); - $errs[] = sprintf(DIRECTORY_RUN_CMD , 'chmod go+rws', $_POST['serendipityPath'] . $_POST['uploadPath']); + $errs[] = sprintf(DIRECTORY_WRITE_ERROR, htmlspecialchars($_POST['serendipityPath']) . htmlspecialchars($_POST['uploadPath'])); + $errs[] = sprintf(DIRECTORY_RUN_CMD , 'chmod go+rws', htmlspecialchars($_POST['serendipityPath']) . htmlspecialchars($_POST['uploadPath'])); } // Attempt to create the template compile directory, it might already be there, but we just want to be sure if (!is_dir($_POST['serendipityPath'] . PATH_SMARTY_COMPILE) && @mkdir($_POST['serendipityPath'] . PATH_SMARTY_COMPILE, $umask) !== true) { - $errs[] = sprintf(DIRECTORY_CREATE_ERROR, $_POST['serendipityPath'] . PATH_SMARTY_COMPILE); - $errs[] = sprintf(DIRECTORY_RUN_CMD , 'mkdir' , $_POST['serendipityPath'] . 
PATH_SMARTY_COMPILE); - $errs[] = sprintf(DIRECTORY_RUN_CMD , 'chmod go+rwx', $_POST['serendipityPath'] . PATH_SMARTY_COMPILE); + $errs[] = sprintf(DIRECTORY_CREATE_ERROR, htmlspecialchars($_POST['serendipityPath']) . PATH_SMARTY_COMPILE); + $errs[] = sprintf(DIRECTORY_RUN_CMD , 'mkdir' , htmlspecialchars($_POST['serendipityPath']) . PATH_SMARTY_COMPILE); + $errs[] = sprintf(DIRECTORY_RUN_CMD , 'chmod go+rwx', htmlspecialchars($_POST['serendipityPath']) . PATH_SMARTY_COMPILE); } elseif (is_dir($_POST['serendipityPath'] . PATH_SMARTY_COMPILE) && !is_writeable($_POST['serendipityPath'] . PATH_SMARTY_COMPILE) && @chmod($_POST['serendipityPath'] . PATH_SMARTY_COMPILE, $umask) !== true) { - $errs[] = sprintf(DIRECTORY_RUN_CMD , 'chmod go+rwx', $_POST['serendipityPath'] . PATH_SMARTY_COMPILE); + $errs[] = sprintf(DIRECTORY_RUN_CMD , 'chmod go+rwx', htmlspecialchars($_POST['serendipityPath']) . PATH_SMARTY_COMPILE); } // Attempt to create the archives directory if (!is_dir($_POST['serendipityPath'] . PATH_ARCHIVES) && @mkdir($_POST['serendipityPath'] . PATH_ARCHIVES, $umask) !== true) { - $errs[] = sprintf(DIRECTORY_CREATE_ERROR, $_POST['serendipityPath'] . PATH_ARCHIVES); - $errs[] = sprintf(DIRECTORY_RUN_CMD , 'mkdir' , $_POST['serendipityPath'] . PATH_ARCHIVES); - $errs[] = sprintf(DIRECTORY_RUN_CMD , 'chmod go+rwx', $_POST['serendipityPath'] . PATH_ARCHIVES); + $errs[] = sprintf(DIRECTORY_CREATE_ERROR, htmlspecialchars($_POST['serendipityPath']) . PATH_ARCHIVES); + $errs[] = sprintf(DIRECTORY_RUN_CMD , 'mkdir' , htmlspecialchars($_POST['serendipityPath']) . PATH_ARCHIVES); + $errs[] = sprintf(DIRECTORY_RUN_CMD , 'chmod go+rwx', htmlspecialchars($_POST['serendipityPath']) . PATH_ARCHIVES); } // Check imagick -- 2.39.5
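Review bot: The hunk repeats `htmlspecialchars($_POST['serendipityPath'])` on each of its twelve changed lines and, in the `uploadPath` branches, escapes the two halves of the path separately; escaping the values once into locals at the top of the check would keep the filesystem calls on the raw path while making the other `$_POST` uses later in `serendipity_checkInstallation` (the function begins before and continues past this hunk, e.g. the `// Check imagick` section that follows) easy to audit for the same gap: `$safePath = htmlspecialchars($_POST['serendipityPath']);` and `$safeUpload = htmlspecialchars($_POST['uploadPath']);`, then `sprintf(DIRECTORY_CREATE_ERROR, $safePath . $safeUpload)`. The calls also use the default flags, so a single quote in the submitted path passes through unescaped; that is fine for the element-body context the `DIRECTORY_*` messages appear to be rendered in, but worth pinning with `ENT_QUOTES` if any of those constants ever places the value inside an attribute. The escaping was applied inside the commented-out `/* ... */` branch as well, which is harmless but keeps dead code alive; dropping that block would be cleaner than maintaining it.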