From 0cf52c8461a91b3c8d45fa7b9f73873b12073691 Mon Sep 17 00:00:00 2001
From: Olivier Perez
Date: Thu, 7 Jul 2016 14:15:34 +0200
Subject: [PATCH] Merge branch 'bugfix/install-config-escape' into 'develop' Added escaping for install in config.tpl In the installation process, string like the one below should be a valid application name (or DB password). > Framadate c'est vraiment super ! "Datez" comme vous voulez \o/ It missed some escaping for single quote (') and backslash (\\), resulting in PHP parse errors. It should be cherry-picked to the `release` branch too. See merge request !136
---
 app/inc/smarty.php | 3 +++
 tpl/admin/config.tpl | 4 ++--
 2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/app/inc/smarty.php b/app/inc/smarty.php
index 39f191c..248fc01 100644
--- a/app/inc/smarty.php
+++ b/app/inc/smarty.php
@@ -64,6 +64,9 @@ function smarty_modifier_markdown($md, $clear = false) {
 function smarty_modifier_resource($link) {
 return Utils::get_server_name() . $link;
 }
+function smarty_modifier_addslashes_single_quote($string) {
+ return addcslashes($string, '\\\'');
+}
 function smarty_modifier_html($html) {
 return Utils::htmlEscape($html);
diff --git a/tpl/admin/config.tpl b/tpl/admin/config.tpl
index bb5d9dc..2865359 100644
--- a/tpl/admin/config.tpl
+++ b/tpl/admin/config.tpl
@@ -23,7 +23,7 @@
 // const APP_URL = '';
 // Application name
-const NOMAPPLICATION = '{$appName}';
+const NOMAPPLICATION = '{$appName|addslashes_single_quote}';
 // Database administrator email
 const ADRESSEMAILADMIN = '{$appMail}';
@@ -38,7 +38,7 @@ const DB_CONNECTION_STRING = '{$dbConnectionString}';
 const DB_USER= '{$dbUser}';
 // Database password
-const DB_PASSWORD = '{$dbPassword}';
+const DB_PASSWORD = '{$dbPassword|addslashes_single_quote}';
 // Table name prefix
 const TABLENAME_PREFIX = '{$dbPrefix}';
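Review bot: The new `smarty_modifier_addslashes_single_quote` in app/inc/smarty.php has no comment stating which output context it is valid for, and its escaping only holds inside a single-quoted PHP string literal. It escapes exactly the backslash and the single quote, which is all that context needs, but the same output would not be safe in a double-quoted string, in HTML or in SQL, and a modifier registered globally is easy to reuse in the wrong template. I would put a docblock above the function, for example `/** Escapes \ and ' so the value can be embedded in a single-quoted PHP string literal; not valid for any other context. */`.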
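Review bot: Only `NOMAPPLICATION` and `DB_PASSWORD` receive the new modifier in tpl/admin/config.tpl; `{$appMail}` in the first hunk, `{$dbUser}` and `{$dbPrefix}` in the second, and `{$dbConnectionString}` (visible in the second hunk's header) are still written unescaped into single-quoted PHP literals. The description indicates these values come from the installation form and are rendered into a PHP config file, so a single quote or trailing backslash in any of them ends the literal early and the remainder is parsed as PHP when the file is loaded, which is a larger risk than the parse error the description mentions. Every interpolated value in this template should be escaped the same way, e.g. `const DB_USER= '{$dbUser|addslashes_single_quote}';`, and likewise for `ADRESSEMAILADMIN`, `DB_CONNECTION_STRING` and `TABLENAME_PREFIX`. The template continues outside both hunks, so other constants may need the same treatment.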