install.php
changeset 40 723bb7acf914
parent 39 c83ff194977a
child 69 63638a42cee9
--- a/install.php	Mon Jul 02 20:33:57 2007 -0400
+++ b/install.php	Tue Jul 03 14:07:35 2007 -0400
@@ -61,6 +61,8 @@
 require('includes/rijndael.php');
 require('includes/functions.php');
 
+strip_magic_quotes_gpc();
+
 //die('Key size: ' . AES_BITS . '<br />Block size: ' . AES_BLOCKSIZE);
 
 if(!function_exists('wikiFormat'))
@@ -664,7 +666,7 @@
       {
         var frm = document.forms.siteinfo;
         ret = true;
-        if(frm.sitename.value.match(/^([A-z0-9 ]+)$/g) && frm.sitename.value != 'Enano')
+        if(frm.sitename.value.match(/^(.+)$/g) && frm.sitename.value != 'Enano')
         {
           document.getElementById('s_name').src='images/good.gif';
         }
@@ -701,7 +703,7 @@
       <?php
         $k = array_keys($_POST);
         for($i=0;$i<sizeof($_POST);$i++) {
-          echo '<input type="hidden" name="'.$k[$i].'" value="'.$_POST[$k[$i]].'" />'."\n";
+          echo '<input type="hidden" name="'.htmlspecialchars($k[$i]).'" value="'.htmlspecialchars($_POST[$k[$i]]).'" />'."\n";
         }
       ?>
       <p>The next step is to enter some information about your website. You can always change this information later, using the administration panel.</p>
@@ -796,7 +798,7 @@
       <?php
         $k = array_keys($_POST);
         for($i=0;$i<sizeof($_POST);$i++) {
-          echo '<input type="hidden" name="'.$k[$i].'" value="'.$_POST[$k[$i]].'" />'."\n";
+          echo '<input type="hidden" name="'.htmlspecialchars($k[$i]).'" value="'.htmlspecialchars($_POST[$k[$i]]).'" />'."\n";
         }
       ?>
       <p>Next, enter your desired username and password. The account you create here will be used to administer your site.</p>
@@ -836,48 +838,52 @@
     </form>
     <script type="text/javascript">
     // <![CDATA[
-      disableJSONExts();
-      str = '';
-      for(i=0;i<keySizeInBits/4;i++) str+='0';
-      var key = hexToByteArray(str);
-      var pt = hexToByteArray(str);
-      var ct = rijndaelEncrypt(pt, key, "ECB");
-      var ect = byteArrayToHex(ct);
-      switch(keySizeInBits)
-      {
-        case 128:
-          v = '66e94bd4ef8a2c3b884cfa59ca342b2e';
-          break;
-        case 192:
-          v = 'aae06992acbf52a3e8f4a96ec9300bd7aae06992acbf52a3e8f4a96ec9300bd7';
-          break;
-        case 256:
-          v = 'dc95c078a2408989ad48a21492842087dc95c078a2408989ad48a21492842087';
-          break;
-      }
-      var testpassed = ( ect == v && md5_vm_test() );
-      var frm = document.forms.login;
-      if(testpassed)
-      {
-        frm.use_crypt.value = 'yes';
-        var cryptkey = frm.crypt_key.value;
-        frm.crypt_key.value = '';
-        if(cryptkey != byteArrayToHex(hexToByteArray(cryptkey)))
-        {
-          alert('Byte array conversion SUCKS');
-          testpassed = false;
-        }
-        cryptkey = hexToByteArray(cryptkey);
-        if(!cryptkey || ( ( typeof cryptkey == 'string' || typeof cryptkey == 'object' ) ) && cryptkey.length != keySizeInBits / 8 )
-        {
-          frm._cont.disabled = true;
-          len = ( typeof cryptkey == 'string' || typeof cryptkey == 'object' ) ? '\nLen: '+cryptkey.length : '';
-          alert('The key is messed up\nType: '+typeof(cryptkey)+len);
-        }
-      }
       frm.admin_user.focus();
       function runEncryption()
       {
+        str = '';
+        for(i=0;i<keySizeInBits/4;i++) str+='0';
+        var key = hexToByteArray(str);
+        var pt = hexToByteArray(str);
+        var ct = rijndaelEncrypt(pt, key, "ECB");
+        var ect = byteArrayToHex(ct);
+        switch(keySizeInBits)
+        {
+          case 128:
+            v = '66e94bd4ef8a2c3b884cfa59ca342b2e';
+            break;
+          case 192:
+            v = 'aae06992acbf52a3e8f4a96ec9300bd7aae06992acbf52a3e8f4a96ec9300bd7';
+            break;
+          case 256:
+            v = 'dc95c078a2408989ad48a21492842087dc95c078a2408989ad48a21492842087';
+            break;
+        }
+        var testpassed = ( ect == v && md5_vm_test() );
+        var frm = document.forms.login;
+        if(testpassed)
+        {
+          // alert('encryption self-test passed');
+          frm.use_crypt.value = 'yes';
+          var cryptkey = frm.crypt_key.value;
+          frm.crypt_key.value = '';
+          if(cryptkey != byteArrayToHex(hexToByteArray(cryptkey)))
+          {
+            alert('Byte array conversion SUCKS');
+            testpassed = false;
+          }
+          cryptkey = hexToByteArray(cryptkey);
+          if(!cryptkey || ( ( typeof cryptkey == 'string' || typeof cryptkey == 'object' ) ) && cryptkey.length != keySizeInBits / 8 )
+          {
+            frm._cont.disabled = true;
+            len = ( typeof cryptkey == 'string' || typeof cryptkey == 'object' ) ? '\nLen: '+cryptkey.length : '';
+            alert('The key is messed up\nType: '+typeof(cryptkey)+len);
+          }
+        }
+        else
+        {
+          // alert('encryption self-test FAILED');
+        }
         if(testpassed)
         {
           pass = frm.admin_pass.value;
@@ -891,7 +897,7 @@
             return false;
           }
           cryptstring = byteArrayToHex(cryptstring);
-          document.getElementById('cryptdebug').innerHTML = '<pre>Data: '+cryptstring+'<br />Key:  '+byteArrayToHex(cryptkey)+'</pre>';
+          // document.getElementById('cryptdebug').innerHTML = '<pre>Data: '+cryptstring+'<br />Key:  '+byteArrayToHex(cryptkey)+'</pre>';
           frm.crypt_data.value = cryptstring;
           frm.admin_pass.value = '';
           frm.admin_pass_confirm.value = '';
@@ -914,7 +920,7 @@
       <?php
         $k = array_keys($_POST);
         for($i=0;$i<sizeof($_POST);$i++) {
-          echo '<input type="hidden" name="'.$k[$i].'" value="'.$_POST[$k[$i]].'" />'."\n";
+          echo '<input type="hidden" name="'.htmlspecialchars($k[$i]).'" value="'.htmlspecialchars($_POST[$k[$i]]).'" />'."\n";
         }
       ?>
       <h3>Enano is ready to install.</h3>
@@ -1012,17 +1018,26 @@
       $cacheonoff = is_writable(ENANO_ROOT.'/cache/') ? '1' : '0';
       
       echo 'Decrypting administration password...';
-      require('config.php');
-      if ( !isset($cryptkey) )
+      
+      $aes = new AESCrypt(AES_BITS, AES_BLOCKSIZE);
+      
+      if ( !empty($_POST['crypt_data']) )
       {
-        echo 'failed!<br />Cannot get the key from config.php';
-        break;
+        require('config.php');
+        if ( !isset($cryptkey) )
+        {
+          echo 'failed!<br />Cannot get the key from config.php';
+          break;
+        }
+        $key = hexdecode($cryptkey);
+        
+        $dec = $aes->decrypt($_POST['crypt_data'], $key, ENC_HEX);
+        
       }
-      $aes = new AESCrypt(AES_BITS, AES_BLOCKSIZE);
-      $key = $aes->hexToByteArray($cryptkey);
-      $enc = $aes->hexToByteArray($_POST['crypt_data']);
-      $dec = $aes->rijndaelDecrypt($enc, $key, 'ECB');
-      $dec = $aes->byteArrayToString($dec);
+      else
+      {
+        $dec = $_POST['admin_pass'];
+      }
       echo 'done!<br />Generating '.AES_BITS.'-bit AES private key...';
       $privkey = $aes->gen_readymade_key();
       $pkba = hexdecode($privkey);