
Commit 3ca82f4

fortify MediaWikiSetup (hestiacp#4565)
* fortify MediaWikiSetup * oops forgot cleanup * NPM Format --------- Co-authored-by: Jaap Marcus <9754650+jaapmarcus@users.noreply.github.com>
1 parent 5a3a886 commit 3ca82f4


1 file changed

+15
-11
lines changed


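--- a/web/src/app/WebApp/Installers/MediaWiki/MediaWikiSetup.php
+++ b/web/src/app/WebApp/Installers/MediaWiki/MediaWikiSetup.php
@@ -4,6 +4,7 @@
 
 use Hestia\System\Util;
 use Hestia\WebApp\Installers\BaseSetup as BaseSetup;
+use function Hestiacp\quoteshellarg\quoteshellarg;
 
 class MediaWikiSetup extends BaseSetup {
 protected $appInfo = [
@@ -68,19 +69,22 @@ public function install(array $options = null) {
 "v-run-cli-cmd",
 [
 "/usr/bin/php" . $options["php_version"],
-$this->getDocRoot("maintenance/install.php"),
-"--dbserver=" . $options["database_host"],
-"--dbname=" . $this->appcontext->user() . "_" . $options["database_name"],
-"--installdbuser=" . $this->appcontext->user() . "_" . $options["database_user"],
-"--installdbpass=" . $options["database_password"],
-"--dbuser=" . $this->appcontext->user() . "_" . $options["database_user"],
-"--dbpass=" . $options["database_password"],
-"--server=" . $webDomain,
+quoteshellarg($this->getDocRoot("maintenance/install.php")),
+"--dbserver=" . quoteshellarg($options["database_host"]),
+"--dbname=" .
+quoteshellarg($this->appcontext->user() . "_" . $options["database_name"]),
+"--installdbuser=" .
+quoteshellarg($this->appcontext->user() . "_" . $options["database_user"]),
+"--installdbpass=" . quoteshellarg($options["database_password"]),
+"--dbuser=" .
+quoteshellarg($this->appcontext->user() . "_" . $options["database_user"]),
+"--dbpass=" . quoteshellarg($options["database_password"]),
+"--server=" . quoteshellarg($webDomain),
 "--scriptpath=", // must NOT be /
-"--lang=" . $options["language"],
-"--pass=" . $options["admin_password"],
+"--lang=" . quoteshellarg($options["language"]),
+"--pass=" . quoteshellarg($options["admin_password"]),
 "MediaWiki", // A Space here would trigger the next argument and preemptively set the admin username
-$options["admin_username"],
+quoteshellarg($options["admin_username"]),
 ],
 $status,
 );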
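Review bot: The interpreter path at the top of the argument array in the install() hunk, `"/usr/bin/php" . $options["php_version"]`, is still concatenated from `$options` without quoting, while every other option-derived element now goes through `quoteshellarg()`. Whether `php_version` is restricted to a fixed list before this point is not visible here (install() starts and ends outside the hunk); if it is not, it remains the one unquoted input in this command. Either `quoteshellarg("/usr/bin/php" . $options["php_version"]),` or a check against the installed PHP versions would close that gap. Separately, `--installdbpass`, `--dbpass` and `--pass` still carry secrets on the command line, where they may show up in process listings; a file-based option, if the installer offers one, or at least a comment recording the exposure, would help.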
