security: restrict AJAX during upgrade and escape installer config writes (#706)

anonymoususer72041 · web-flow · commit 3002a29f4c3c · 2026-04-21T13:27:15.000+01:00
* Restrict ajax.php to installer actions when INSTALL_BLOCK is missing

* Escape installer config values before writing config.php
diff --git a/ajax.php b/ajax.php
@@ -106,6 +106,31 @@
     die();
 }
 
+$installerActive = (!file_exists('INSTALL_BLOCK'));
+if ($installerActive)
+{
+    $module = '';
+    if (strpos($_REQUEST['f'], ':') !== false)
+    {
+        $parameters = explode(':', $_REQUEST['f']);
+        $module = preg_replace("/[^A-Za-z0-9]/", "", $parameters[0]);
+    }
+
+    if ($module !== 'install')
+    {
+        header('Content-type: text/xml');
+        echo '<?xml version="1.0" encoding="', AJAX_ENCODING, '"?>', "\n";
+        echo(
+            "<data>\n" .
+            "    <errorcode>-1</errorcode>\n" .
+            "    <errormessage>Installer is active. Only installer AJAX actions are allowed.</errormessage>\n" .
+            "</data>\n"
+        );
+
+        die();
+    }
+}
+
 if (strpos($_REQUEST['f'], ':') === false)
 {
     $function = preg_replace("/[^A-Za-z0-9]/", "", $_REQUEST['f']);
diff --git a/modules/install/ajax/ui.php b/modules/install/ajax/ui.php
@@ -124,22 +124,22 @@
         {
             if (isset($_REQUEST['user']) && !empty($_REQUEST['user']))
             {
-                CATSUtility::changeConfigSetting('DATABASE_USER', "'" . $_REQUEST['user'] . "'");
+                CATSUtility::changeConfigSetting('DATABASE_USER', var_export($_REQUEST['user'], true));
             }
 
             if (isset($_REQUEST['pass']) && $_REQUEST['pass'] !== '')
             {
-                CATSUtility::changeConfigSetting('DATABASE_PASS', "'" . $_REQUEST['pass'] . "'");
+                CATSUtility::changeConfigSetting('DATABASE_PASS', var_export($_REQUEST['pass'], true));
             }
 
             if (isset($_REQUEST['host']) && !empty($_REQUEST['host']))
             {
-                CATSUtility::changeConfigSetting('DATABASE_HOST', "'" . $_REQUEST['host'] . "'");
+                CATSUtility::changeConfigSetting('DATABASE_HOST', var_export($_REQUEST['host'], true));
             }
 
             if (isset($_REQUEST['name']) && !empty($_REQUEST['name']))
             {
-                CATSUtility::changeConfigSetting('DATABASE_NAME', "'" . $_REQUEST['name'] . "'");
+                CATSUtility::changeConfigSetting('DATABASE_NAME', var_export($_REQUEST['name'], true));
             }
 
             echo '
@@ -244,11 +244,11 @@
                 CATSUtility::changeConfigSetting('MAIL_SMTP_AUTH', 'false');
             }
 
-            CATSUtility::changeConfigSetting('MAIL_SENDMAIL_PATH', '"' . $mailSendmailPath . '"');
-            CATSUtility::changeConfigSetting('MAIL_SMTP_HOST', '"' . $mailSmtpHost . '"');
+            CATSUtility::changeConfigSetting('MAIL_SENDMAIL_PATH', var_export($mailSendmailPath, true));
+            CATSUtility::changeConfigSetting('MAIL_SMTP_HOST', var_export($mailSmtpHost, true));
             CATSUtility::changeConfigSetting('MAIL_SMTP_PORT', sprintf('%d', $mailSmtpPort));
-            CATSUtility::changeConfigSetting('MAIL_SMTP_USER', '"' . $mailSmtpUsername . '"');
-            CATSUtility::changeConfigSetting('MAIL_SMTP_PASS', '"' . $mailSmtpPassword . '"');
+            CATSUtility::changeConfigSetting('MAIL_SMTP_USER', var_export($mailSmtpUsername, true));
+            CATSUtility::changeConfigSetting('MAIL_SMTP_PASS', var_export($mailSmtpPassword, true));
 
             @session_name(CATS_SESSION_NAME);
             session_start();
@@ -420,20 +420,16 @@
             </script>';
 
         $antiwordPath = $_REQUEST['docExecutable'];
-        $antiwordWithSlashes = str_replace('\\', '\\\\', $antiwordPath);
-        CATSUtility::changeConfigSetting('ANTIWORD_PATH', '"' . $antiwordWithSlashes . '"');
+        CATSUtility::changeConfigSetting('ANTIWORD_PATH', var_export($antiwordPath, true));
 
         $pdftotextPath = $_REQUEST['pdfExecutable'];
-        $pdftotextWithSlashes = str_replace('\\', '\\\\', $pdftotextPath);
-        CATSUtility::changeConfigSetting('PDFTOTEXT_PATH', '"' . $pdftotextWithSlashes . '"');
+        CATSUtility::changeConfigSetting('PDFTOTEXT_PATH', var_export($pdftotextPath, true));
 
         $html2textPath = $_REQUEST['htmlExecutable'];
-        $html2textWithSlashes = str_replace('\\', '\\\\', $html2textPath);
-        CATSUtility::changeConfigSetting('HTML2TEXT_PATH', '"' . $html2textWithSlashes . '"');
+        CATSUtility::changeConfigSetting('HTML2TEXT_PATH', var_export($html2textPath, true));
 
         $unrtfPath = $_REQUEST['rtfExecutable'];
-        $unrtfWithSlashes = str_replace('\\', '\\\\', $unrtfPath);
-        CATSUtility::changeConfigSetting('UNRTF_PATH', '"' . $unrtfWithSlashes . '"');
+        CATSUtility::changeConfigSetting('UNRTF_PATH', var_export($unrtfPath, true));
 
         break;
 

Original file line number	Diff line number	Diff line change
`@@ -124,22 +124,22 @@`
`124`	`124`	`{`
`125`	`125`	`if (isset($_REQUEST['user']) && !empty($_REQUEST['user']))`
`126`	`126`	`{`
`127`		`- CATSUtility::changeConfigSetting('DATABASE_USER', "'" . $_REQUEST['user'] . "'");`
	`127`	`+ CATSUtility::changeConfigSetting('DATABASE_USER', var_export($_REQUEST['user'], true));`
`128`	`128`	`}`
`129`	`129`
`130`	`130`	`if (isset($_REQUEST['pass']) && $_REQUEST['pass'] !== '')`
`131`	`131`	`{`
`132`		`- CATSUtility::changeConfigSetting('DATABASE_PASS', "'" . $_REQUEST['pass'] . "'");`
	`132`	`+ CATSUtility::changeConfigSetting('DATABASE_PASS', var_export($_REQUEST['pass'], true));`
`133`	`133`	`}`
`134`	`134`
`135`	`135`	`if (isset($_REQUEST['host']) && !empty($_REQUEST['host']))`
`136`	`136`	`{`
`137`		`- CATSUtility::changeConfigSetting('DATABASE_HOST', "'" . $_REQUEST['host'] . "'");`
	`137`	`+ CATSUtility::changeConfigSetting('DATABASE_HOST', var_export($_REQUEST['host'], true));`
`138`	`138`	`}`
`139`	`139`
`140`	`140`	`if (isset($_REQUEST['name']) && !empty($_REQUEST['name']))`
`141`	`141`	`{`
`142`		`- CATSUtility::changeConfigSetting('DATABASE_NAME', "'" . $_REQUEST['name'] . "'");`
	`142`	`+ CATSUtility::changeConfigSetting('DATABASE_NAME', var_export($_REQUEST['name'], true));`
`143`	`143`	`}`
`144`	`144`
`145`	`145`	`echo '`
`@@ -244,11 +244,11 @@`
`244`	`244`	`CATSUtility::changeConfigSetting('MAIL_SMTP_AUTH', 'false');`
`245`	`245`	`}`
`246`	`246`
`247`		`- CATSUtility::changeConfigSetting('MAIL_SENDMAIL_PATH', '"' . $mailSendmailPath . '"');`
`248`		`- CATSUtility::changeConfigSetting('MAIL_SMTP_HOST', '"' . $mailSmtpHost . '"');`
	`247`	`+ CATSUtility::changeConfigSetting('MAIL_SENDMAIL_PATH', var_export($mailSendmailPath, true));`
	`248`	`+ CATSUtility::changeConfigSetting('MAIL_SMTP_HOST', var_export($mailSmtpHost, true));`
`249`	`249`	`CATSUtility::changeConfigSetting('MAIL_SMTP_PORT', sprintf('%d', $mailSmtpPort));`
`250`		`- CATSUtility::changeConfigSetting('MAIL_SMTP_USER', '"' . $mailSmtpUsername . '"');`
`251`		`- CATSUtility::changeConfigSetting('MAIL_SMTP_PASS', '"' . $mailSmtpPassword . '"');`
	`250`	`+ CATSUtility::changeConfigSetting('MAIL_SMTP_USER', var_export($mailSmtpUsername, true));`
	`251`	`+ CATSUtility::changeConfigSetting('MAIL_SMTP_PASS', var_export($mailSmtpPassword, true));`
`252`	`252`
`253`	`253`	`@session_name(CATS_SESSION_NAME);`
`254`	`254`	`session_start();`
`@@ -420,20 +420,16 @@`
`420`	`420`	`</script>';`
`421`	`421`
`422`	`422`	`$antiwordPath = $_REQUEST['docExecutable'];`
`423`		`- $antiwordWithSlashes = str_replace('\\', '\\\\', $antiwordPath);`
`424`		`- CATSUtility::changeConfigSetting('ANTIWORD_PATH', '"' . $antiwordWithSlashes . '"');`
	`423`	`+ CATSUtility::changeConfigSetting('ANTIWORD_PATH', var_export($antiwordPath, true));`
`425`	`424`
`426`	`425`	`$pdftotextPath = $_REQUEST['pdfExecutable'];`
`427`		`- $pdftotextWithSlashes = str_replace('\\', '\\\\', $pdftotextPath);`
`428`		`- CATSUtility::changeConfigSetting('PDFTOTEXT_PATH', '"' . $pdftotextWithSlashes . '"');`
	`426`	`+ CATSUtility::changeConfigSetting('PDFTOTEXT_PATH', var_export($pdftotextPath, true));`
`429`	`427`
`430`	`428`	`$html2textPath = $_REQUEST['htmlExecutable'];`
`431`		`- $html2textWithSlashes = str_replace('\\', '\\\\', $html2textPath);`
`432`		`- CATSUtility::changeConfigSetting('HTML2TEXT_PATH', '"' . $html2textWithSlashes . '"');`
	`429`	`+ CATSUtility::changeConfigSetting('HTML2TEXT_PATH', var_export($html2textPath, true));`
`433`	`430`
`434`	`431`	`$unrtfPath = $_REQUEST['rtfExecutable'];`
`435`		`- $unrtfWithSlashes = str_replace('\\', '\\\\', $unrtfPath);`
`436`		`- CATSUtility::changeConfigSetting('UNRTF_PATH', '"' . $unrtfWithSlashes . '"');`
	`432`	`+ CATSUtility::changeConfigSetting('UNRTF_PATH', var_export($unrtfPath, true));`
`437`	`433`
`438`	`434`	`break;`
`439`	`435`