External-Mirrors/nextcloudpi
2
0
Fork 0
mirror of https://github.com/nextcloud/nextcloudpi.git synced 2026-01-10 15:12:01 -03:30
Code Issues Packages Projects Releases Wiki Activity

wizard: dont change missing parameters

Browse Source
This commit is contained in:
nachoparker 2019-01-09 21:53:32 -07:00
parent f722c457c4
commit 06b00e4cc7
3 changed files with 13 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
changelog.md
View File

@ -1,7 +1,9 @@
[v1.0.1](https://github.com/nextcloud/nextcloudpi/commit/720b0db) (2019-01-08) nc-update-nc: remove backup after restoring
[v1.0.2](https://github.com/nextcloud/nextcloudpi/commit/a2f79d2) (2019-01-09) wizard: dont change missing parameters
[v1.0.0](https://github.com/nextcloud/nextcloudpi/commit/013198c) (2019-01-08) ncp-config: allow empty values
[v1.0.1](https://github.com/nextcloud/nextcloudpi/commit/f722c45) (2019-01-08) nc-update-nc: remove backup after restoring
[v1.0.0 ](https://github.com/nextcloud/nextcloudpi/commit/013198c) (2019-01-08) ncp-config: allow empty values
[v0.67.13](https://github.com/nextcloud/nextcloudpi/commit/21fee19) (2018-12-31) ncp-web: new chinese translate and update chinese translate. (#721)

6
ncp-web/ncp-launcher.php
View File

@ -59,8 +59,12 @@ if ( $_POST['action'] == "launch" && $_POST['config'] )
foreach ($cfg['params'] as $index => $param)
{
// don't touch missing parameters
$id = $cfg['params'][$index]['id'];
if (!array_key_exists($id, $new_params)) continue;
// sanitize
$val = trim(escapeshellarg($new_params[$cfg['params'][$index]['id']]),"'");
$val = trim(escapeshellarg($new_params[$id]),"'");
preg_match( '/ /' , $val , $matches )
and exit( '{ "output": "Invalid parameters" , "token": "' . getCSRFToken() . '" }' );

7
ncp-web/wizard/index.php
View File

@ -10,6 +10,10 @@
<?php
session_start();
ini_set('session.cookie_httponly', 1);
if ( isset($_SERVER['HTTPS']) )
ini_set('session.cookie_secure', 1);
// security headers
header("Content-Security-Policy: default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; object-src 'self';");
header("X-XSS-Protection: 1; mode=block");
@ -18,9 +22,6 @@
header("X-Permitted-Cross-Domain-Policies: none");
header("X-Frame-Options: DENY");
header("Cache-Control: max-age=15778463");
ini_set('session.cookie_httponly', 1);
if ( isset($_SERVER['HTTPS']) )
ini_set('session.cookie_secure', 1);
?>
<link rel="icon" type="image/png" href="../img/favicon.png" />
</head>