author | Renato Botelho <garga@FreeBSD.org> | 2014-11-20 10:25:28 -0200 |
---|---|---|
committer | Renato Botelho <garga@FreeBSD.org> | 2014-11-20 10:25:49 -0200 |
commit | c1a50dd741cb5dbf570bd87528f3ec08b2ead4ab (patch) | |
tree | 71e7d7d3e58c5ad6d3ef06058eb2bc0485791c88 | |
parent | a8c82ef9559b21432be7e3c225ed6f0e6a3bb9ca (diff) | |
download | pfsense-c1a50dd741cb5dbf570bd87528f3ec08b2ead4ab.zip pfsense-c1a50dd741cb5dbf570bd87528f3ec08b2ead4ab.tar.gz |
Remove debugging code that could lead to XSS injection; also pass variables through htmlspecialchars() to sanitize them
-rw-r--r-- | usr/local/www/installer/installer.php | 16 |
1 files changed, 8 insertions, 8 deletions
diff --git a/usr/local/www/installer/installer.php b/usr/local/www/installer/installer.php
index 85360be..7c5761b 100644
--- a/usr/local/www/installer/installer.php
+++ b/usr/local/www/installer/installer.php
@@ -495,7 +495,7 @@ function verify_before_install() {
 }
 if(!$bootmanager)
 $bootmanager = $_REQUEST['bootmanager'];
- echo "\n<!--" . print_r($_REQUEST, true) . " -->\n";
+ // echo "\n<!--" . print_r($_REQUEST, true) . " -->\n";
 $disk = pcsysinstall_get_disk_info(htmlspecialchars($_REQUEST['disk']));
 $disksize = format_bytes($disk['size'] * 1048576);
 // Loop through posted items and create an array
@@ -533,7 +533,7 @@ function verify_before_install() {
 $tmparray['encpass'] = $_REQUEST['encpass' . $x];
 $disks[] = $tmparray;
 }
- echo "\n<!-- " . print_r($disks, true) . " --> \n";
+ // echo "\n<!-- " . print_r($disks, true) . " --> \n";
 $bootmanagerupper = strtoupper($bootmanager);
 echo <<<EOFAMBAC
 <form method="post" action="installer.php">
@@ -593,11 +593,11 @@ EOFAMBACBAF;
 foreach($disks as $disk) {
 $desc = pcsysinstall_get_disk_info($disk['disk']);
 echo "<tr>";
- echo "<td> {$disk['mountpoint']}</td>";
- echo "<td>{$disk['fstype']}</td>";
- echo "<td>{$disk['disk']} {$desc['desc']}</td>";
- echo "<td>{$disk['size']}</td>";
- echo "<td>{$disk['encpass']}</td>";
+ echo "<td> " . htmlspecialchars($disk['mountpoint']) . "</td>";
+ echo "<td>" . htmlspecialchars($disk['fstype']) . "</td>";
+ echo "<td>" . htmlspecialchars($disk['disk']) . " " . htmlspecialchars($desc['desc']) . "</td>";
+ echo "<td>" . htmlspecialchars($disk['size']) . "</td>";
+ echo "<td>" . htmlspecialchars($disk['encpass']) . "</td>";
 echo "</tr>";
 }
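Review bot: The debug dump is commented out rather than deleted, here and in the `@@ -533` and `@@ -968` hunks, so a one-character edit re-enables printing `$_REQUEST` — including the submitted `encpass` fields — into an HTML comment on the page; the commit message says "remove", and deleting the three lines is what that should mean. Drop `// echo "\n<!--" . print_r($_REQUEST, true) . " -->\n";` and its two siblings outright. Separately, the context line `$disk = pcsysinstall_get_disk_info(htmlspecialchars($_REQUEST['disk']));` applies an output-encoding function before a lookup, which neither validates the value nor protects whatever the helper does with its argument; the request-supplied disk name should be checked against the set of disks the installer itself enumerated before it is used, and escaped only where it is echoed. verify_before_install() begins before this hunk and continues after it.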
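Review bot: The new line `echo "<td>" . htmlspecialchars($disk['encpass']) . "</td>";` still renders the disk encryption passphrase in clear text on the confirmation page, where it ends up in browser history, page cache and any screenshot; the escaping closes the XSS but not the disclosure. Print a fixed mask instead when a passphrase was supplied, e.g. `echo "<td>" . (strlen($disk['encpass']) > 0 ? '********' : '') . "</td>";`. The other four replacements escape at output time, which is the right place; the values built from `$_REQUEST` in the `@@ -533` hunk can stay raw in `$disks`. The enclosing foreach and verify_before_install() body continue outside the hunk.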
@@ -968,7 +968,7 @@ EOF;
 $first_disk_size = $size - $swap_size;
 // Debugging
- echo "\n\n<!-- $first_disk - " . print_r($disk_info, true) . " - $size - $first_disk_size -->\n\n";
+ // echo "\n\n<!-- $first_disk - " . print_r($disk_info, true) . " - $size - $first_disk_size -->\n\n";
 // Check to see if a on disk layout exists
 if(file_exists("/tmp/webInstaller_disk_layout.txt")) { |