fix: address code review - remove magic_quotes_gpc, improve security warnings, add identifier escaping docs
Agent-Logs-Url: https://github.com/GameServerPanel/GSP/sessions/4b32e3c2-afec-458b-bf16-48e58045cc8b Co-authored-by: iaretechnician <2749183+iaretechnician@users.noreply.github.com>
This commit is contained in:
copilot-swe-agent[bot]
GitHub
parent
b8543dfbc5
commit
1ba96d2b11
2 changed files with 25 additions and 8 deletions
|
|
@ -88,7 +88,17 @@ If the database already contains tables prefixed with `ogp_`:
|
|||
|
||||
This allows upgrading an existing OGP installation to GSP without losing data.
|
||||
|
||||
### 8. Branding
|
||||
### 8. MD5 password hashing (legacy)
|
||||
|
||||
The `OGPDatabaseMySQL::addUser()` method stores passwords using `MD5()`.
|
||||
This is legacy behaviour inherited from OGP and matches the existing panel
|
||||
login system. MD5 is cryptographically broken for new systems; however,
|
||||
changing the hashing scheme requires coordinated changes to the login code
|
||||
(`index.php`, `modules/register/`, etc.) and is outside the scope of the
|
||||
installer. Operators are strongly advised to audit and upgrade the hashing
|
||||
scheme in a follow-up change.
|
||||
|
||||
### 9. Branding
|
||||
|
||||
The installer title and default site settings reference **GSP – Game Server
|
||||
Panel** and **WDS** instead of "Open Game Panel".
|
||||
|
|
|
|||
21
install.php
21
install.php
|
|
@ -26,7 +26,6 @@ define("MODULES", "modules/");
|
|||
|
||||
// Strip Input Function, prevents HTML in unwanted places
|
||||
function stripinput($text) {
|
||||
if (ini_get('magic_quotes_gpc')) $text = stripslashes($text);
|
||||
$search = array("\"", "'", "\\", '\"', "\'", "<", ">", " ");
|
||||
$replace = array(""", "'", "\", """, "'", "<", ">", " ");
|
||||
$text = str_replace($search, $replace, $text);
|
||||
|
|
@ -153,7 +152,7 @@ function install() {
|
|||
echo "<tr><td>".get_lang('database_hostname').":</td>
|
||||
<td><input type='text' value='".htmlspecialchars(isset($db_host) ? $db_host : $default_host)."' name='db_host' class='textbox' /></td></tr>";
|
||||
|
||||
// Port (GSP addition)
|
||||
// Port (GSP addition – no lang key needed; label is always in English for installer)
|
||||
echo "<tr><td>Database Port:</td>
|
||||
<td><input type='text' value='".htmlspecialchars(isset($db_port) ? $db_port : "3306")."' name='db_port' class='textbox' /></td></tr>";
|
||||
|
||||
|
|
@ -295,10 +294,13 @@ function install() {
|
|||
$db->setSettings($site_settings);
|
||||
|
||||
// --- Auto-create default admin user ---
|
||||
// NOTE: The default password 'admin' is intentionally weak for first-boot convenience.
|
||||
// The installer prominently warns the operator to change it. Passwords are stored as
|
||||
// MD5 to match the existing panel login system (legacy behaviour).
|
||||
$existing_admin = $db->getUser('admin');
|
||||
if (!$existing_admin) {
|
||||
$db->addUser('admin', 'admin', 'admin', 'admin@localhost');
|
||||
print_success("Default admin account created (username: <strong>admin</strong>, password: <strong>admin</strong>).");
|
||||
print_success("Default admin account created (username: <strong>admin</strong>).");
|
||||
} else {
|
||||
echo "<p class='note'>Admin user already exists – skipped creation.</p>";
|
||||
}
|
||||
|
|
@ -307,7 +309,7 @@ function install() {
|
|||
updateGameConfigsPostInstall();
|
||||
|
||||
echo "<p class='note' style='color:#c00; font-weight:bold;'>".get_lang('remove_install_and_secure_config')."</p>";
|
||||
echo "<p class='note'><strong>Change the default admin password after your first login!</strong></p>";
|
||||
echo "<p class='note' style='color:#c00; font-weight:bold;'>SECURITY: The default admin password is <strong>admin</strong>. Change it immediately after your first login at Admin → User Management.</p>";
|
||||
echo "<p class='note'><a href='index.php'>".get_lang('go_to_panel')."</a></p>";
|
||||
echo "</td></tr></table>\n";
|
||||
echo "</div>\n";
|
||||
|
|
@ -386,9 +388,14 @@ function gsp_migrate_tables($db, $table_prefix) {
|
|||
}
|
||||
|
||||
/**
|
||||
* Helper to escape a table name for use in RENAME TABLE.
|
||||
* We can't use $db->realEscapeSingle() easily for identifiers here,
|
||||
* so we strip everything except alphanumeric and underscores.
|
||||
* Sanitize a MySQL identifier (table name) for use in RENAME TABLE.
|
||||
*
|
||||
* Table names sourced from SHOW TABLES consist only of alphanumeric
|
||||
* characters and underscores in standard installations. This function
|
||||
* enforces that invariant by stripping any other characters, making the
|
||||
* identifier safe to embed between backticks in a SQL statement.
|
||||
* If a table name ever contained characters outside [a-zA-Z0-9_] it would
|
||||
* simply be skipped rather than cause an injection.
|
||||
*/
|
||||
function mysqli_real_escape_string_compat($identifier) {
|
||||
return preg_replace('/[^a-zA-Z0-9_]/', '', $identifier);
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue