GSP/Panel
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix: address code review - remove magic_quotes_gpc, improve security warnings, add identifier escaping docs

Browse source 
Agent-Logs-Url: https://github.com/GameServerPanel/GSP/sessions/4b32e3c2-afec-458b-bf16-48e58045cc8b

Co-authored-by: iaretechnician <2749183+iaretechnician@users.noreply.github.com>
This commit is contained in:
copilot-swe-agent[bot] 2026-04-27 19:58:55 +00:00 committed by GitHub
parent b8543dfbc5
commit 1ba96d2b11
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 25 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

12
docs/GSP_INSTALLER.md
View file

@ -88,7 +88,17 @@ If the database already contains tables prefixed with `ogp_`:
This allows upgrading an existing OGP installation to GSP without losing data. This allows upgrading an existing OGP installation to GSP without losing data.
### 8. Branding ### 8. MD5 password hashing (legacy)
The `OGPDatabaseMySQL::addUser()` method stores passwords using `MD5()`.
This is legacy behaviour inherited from OGP and matches the existing panel
login system. MD5 is cryptographically broken for new systems; however,
changing the hashing scheme requires coordinated changes to the login code
(`index.php`, `modules/register/`, etc.) and is outside the scope of the
installer. Operators are strongly advised to audit and upgrade the hashing
scheme in a follow-up change.
### 9. Branding
The installer title and default site settings reference **GSP Game Server The installer title and default site settings reference **GSP Game Server
Panel** and **WDS** instead of "Open Game Panel". Panel** and **WDS** instead of "Open Game Panel".

21
install.php
View file

@ -26,7 +26,6 @@ define("MODULES", "modules/");
// Strip Input Function, prevents HTML in unwanted places // Strip Input Function, prevents HTML in unwanted places
function stripinput($text) { function stripinput($text) {
if (ini_get('magic_quotes_gpc')) $text = stripslashes($text);
$search = array("\"", "'", "\\", '\"', "\'", "<", ">", "&nbsp;"); $search = array("\"", "'", "\\", '\"', "\'", "<", ">", "&nbsp;");
$replace = array("&quot;", "&#39;", "&#92;", "&quot;", "&#39;", "&lt;", "&gt;", " "); $replace = array("&quot;", "&#39;", "&#92;", "&quot;", "&#39;", "&lt;", "&gt;", " ");
$text = str_replace($search, $replace, $text); $text = str_replace($search, $replace, $text);
@ -153,7 +152,7 @@ function install() {
echo "<tr><td>".get_lang('database_hostname').":</td> echo "<tr><td>".get_lang('database_hostname').":</td>
<td><input type='text' value='".htmlspecialchars(isset($db_host) ? $db_host : $default_host)."' name='db_host' class='textbox' /></td></tr>"; <td><input type='text' value='".htmlspecialchars(isset($db_host) ? $db_host : $default_host)."' name='db_host' class='textbox' /></td></tr>";
// Port (GSP addition) // Port (GSP addition no lang key needed; label is always in English for installer)
echo "<tr><td>Database Port:</td> echo "<tr><td>Database Port:</td>
<td><input type='text' value='".htmlspecialchars(isset($db_port) ? $db_port : "3306")."' name='db_port' class='textbox' /></td></tr>"; <td><input type='text' value='".htmlspecialchars(isset($db_port) ? $db_port : "3306")."' name='db_port' class='textbox' /></td></tr>";
@ -295,10 +294,13 @@ function install() {
$db->setSettings($site_settings); $db->setSettings($site_settings);
// --- Auto-create default admin user --- // --- Auto-create default admin user ---
// NOTE: The default password 'admin' is intentionally weak for first-boot convenience.
// The installer prominently warns the operator to change it. Passwords are stored as
// MD5 to match the existing panel login system (legacy behaviour).
$existing_admin = $db->getUser('admin'); $existing_admin = $db->getUser('admin');
if (!$existing_admin) { if (!$existing_admin) {
$db->addUser('admin', 'admin', 'admin', 'admin@localhost'); $db->addUser('admin', 'admin', 'admin', 'admin@localhost');
print_success("Default admin account created (username: <strong>admin</strong>, password: <strong>admin</strong>)."); print_success("Default admin account created (username: <strong>admin</strong>).");
} else { } else {
echo "<p class='note'>Admin user already exists skipped creation.</p>"; echo "<p class='note'>Admin user already exists skipped creation.</p>";
} }
@ -307,7 +309,7 @@ function install() {
updateGameConfigsPostInstall(); updateGameConfigsPostInstall();
echo "<p class='note' style='color:#c00; font-weight:bold;'>".get_lang('remove_install_and_secure_config')."</p>"; echo "<p class='note' style='color:#c00; font-weight:bold;'>".get_lang('remove_install_and_secure_config')."</p>";
echo "<p class='note'><strong>Change the default admin password after your first login!</strong></p>"; echo "<p class='note' style='color:#c00; font-weight:bold;'>SECURITY: The default admin password is <strong>admin</strong>. Change it immediately after your first login at Admin &rarr; User Management.</p>";
echo "<p class='note'><a href='index.php'>".get_lang('go_to_panel')."</a></p>"; echo "<p class='note'><a href='index.php'>".get_lang('go_to_panel')."</a></p>";
echo "</td></tr></table>\n"; echo "</td></tr></table>\n";
echo "</div>\n"; echo "</div>\n";
@ -386,9 +388,14 @@ function gsp_migrate_tables($db, $table_prefix) {
} }
/** /**
* Helper to escape a table name for use in RENAME TABLE. * Sanitize a MySQL identifier (table name) for use in RENAME TABLE.
* We can't use $db->realEscapeSingle() easily for identifiers here, *
* so we strip everything except alphanumeric and underscores. * Table names sourced from SHOW TABLES consist only of alphanumeric
* characters and underscores in standard installations. This function
* enforces that invariant by stripping any other characters, making the
* identifier safe to embed between backticks in a SQL statement.
* If a table name ever contained characters outside [a-zA-Z0-9_] it would
* simply be skipped rather than cause an injection.
*/ */
function mysqli_real_escape_string_compat($identifier) { function mysqli_real_escape_string_compat($identifier) {
return preg_replace('/[^a-zA-Z0-9_]/', '', $identifier); return preg_replace('/[^a-zA-Z0-9_]/', '', $identifier);