
fortify MediaWikiSetup (#4565)

* fortify MediaWikiSetup

* oops forgot cleanup

* NPM Format

---------

Co-authored-by: Jaap Marcus <9754650+jaapmarcus@users.noreply.github.com>
divinity76 1 year ago
commit
3ca82f4e5c
1 changed files with 15 additions and 11 deletions
  1. 15 11
      web/src/app/WebApp/Installers/MediaWiki/MediaWikiSetup.php

+ 15 - 11
web/src/app/WebApp/Installers/MediaWiki/MediaWikiSetup.php

@@ -4,6 +4,7 @@ namespace Hestia\WebApp\Installers\MediaWiki;
 
 use Hestia\System\Util;
 use Hestia\WebApp\Installers\BaseSetup as BaseSetup;
+use function Hestiacp\quoteshellarg\quoteshellarg;
 
 class MediaWikiSetup extends BaseSetup {
 	protected $appInfo = [
@@ -68,19 +69,22 @@ class MediaWikiSetup extends BaseSetup {
 			"v-run-cli-cmd",
 			[
 				"/usr/bin/php" . $options["php_version"],
-				$this->getDocRoot("maintenance/install.php"),
-				"--dbserver=" . $options["database_host"],
-				"--dbname=" . $this->appcontext->user() . "_" . $options["database_name"],
-				"--installdbuser=" . $this->appcontext->user() . "_" . $options["database_user"],
-				"--installdbpass=" . $options["database_password"],
-				"--dbuser=" . $this->appcontext->user() . "_" . $options["database_user"],
-				"--dbpass=" . $options["database_password"],
-				"--server=" . $webDomain,
+				quoteshellarg($this->getDocRoot("maintenance/install.php")),
+				"--dbserver=" . quoteshellarg($options["database_host"]),
+				"--dbname=" .
+				quoteshellarg($this->appcontext->user() . "_" . $options["database_name"]),
+				"--installdbuser=" .
+				quoteshellarg($this->appcontext->user() . "_" . $options["database_user"]),
+				"--installdbpass=" . quoteshellarg($options["database_password"]),
+				"--dbuser=" .
+				quoteshellarg($this->appcontext->user() . "_" . $options["database_user"]),
+				"--dbpass=" . quoteshellarg($options["database_password"]),
+				"--server=" . quoteshellarg($webDomain),
 				"--scriptpath=", // must NOT be /
-				"--lang=" . $options["language"],
-				"--pass=" . $options["admin_password"],
+				"--lang=" . quoteshellarg($options["language"]),
+				"--pass=" . quoteshellarg($options["admin_password"]),
 				"MediaWiki", // A Space here would trigger the next argument and preemptively set the admin username
-				$options["admin_username"],
+				quoteshellarg($options["admin_username"]),
 			],
 			$status,
 		);
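Review bot: The interpreter path in the first array element, `"/usr/bin/php" . $options["php_version"]`, is still concatenated without quoting or validation, while every other option-derived value in this argument list is now wrapped in quoteshellarg(). If php_version can be influenced by the request, it should be checked against its expected shape rather than quoted, since it forms part of the executable path, e.g. `if (!preg_match('/^\d+\.\d+$/', $options["php_version"])) { throw new \Exception("Invalid PHP version"); }`. Separately, `--installdbpass`, `--dbpass` and `--pass` still place secrets on the command line, where they may be visible in the process list to other local users; MediaWiki's installer accepts `--dbpassfile` and `--passfile` as file-based alternatives. The enclosing method starts and ends outside this hunk, so any earlier validation of `$options` is not visible here.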