Whoops! Fixed an SQL injection vulnerability in the CLI installer. (Not like it's a huge deal because the vulnerability was only introduced last commit and if you make it to that stage you already know the database password)
<?php

/*
 * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between
 * Version 1.1.6 (Caoineag beta 1)
 * Copyright (C) 2006-2008 Dan Fuhry
 *
 * This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License
 * as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied
 * warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for details.
 */

/**
 * Page handler for pages that are served by a global PHP function rather than stored content.
 *
 * The handler function name is built as "page_<namespace>_<page_id>". If a function with that
 * name is defined, send() invokes it; otherwise a "function missing" error page is produced.
 *
 * NOTE(review): the function name is assembled from constructor arguments, so the only things
 * standing between a caller-supplied page ID and a dynamic call are sanitize_page_id() and the
 * function_exists() check. Any global function whose name starts with "page_" and matches the
 * pattern is reachable this way; confirm that every such function enforces its own access checks.
 */
class Namespace_Special extends Namespace_Default
{
    /**
     * Records the page identity and whether a handler function exists for it.
     *
     * @param mixed $page_id     Page identifier; passed through sanitize_page_id() before use.
     * @param mixed $namespace   Namespace name; stored as given (not sanitized here).
     * @param mixed $revision_id Revision number; coerced to an integer. Defaults to 0.
     */
    public function __construct($page_id, $namespace, $revision_id = 0)
    {
        // Common objects (declared but not used in this method)
        global $db, $session, $paths, $template, $plugins;

        $this->page_id     = sanitize_page_id($page_id);
        $this->namespace   = $namespace;
        $this->revision_id = (int) $revision_id;

        $handler = "page_{$this->namespace}_{$this->page_id}";
        $this->exists = function_exists($handler);
    }

    /**
     * Runs the page's handler function, or emits the error page when none exists.
     */
    public function send()
    {
        global $output;

        if ( !$this->exists )
        {
            // NOTE(review): error_404() calls $output->header() and $output->footer() itself,
            // so this path invokes each of them twice; confirm the output object tolerates that.
            $output->header();
            $this->error_404();
            $output->footer();
            return;
        }

        // The name is rebuilt from the stored properties rather than cached at construction.
        // NOTE(review): the @ operator suppresses diagnostics raised by this call, which can
        // hide failures inside the handler from logs; confirm that is intended.
        @call_user_func("page_{$this->namespace}_{$this->page_id}");
    }

    /**
     * Reports that the handler function for this page is not defined.
     *
     * Pages in the 'Admin' namespace are reported through die_semicritical(); all other pages
     * get a titled error page written through the global output object.
     */
    public function error_404()
    {
        global $lang, $output;

        $handler = "page_{$this->namespace}_{$this->page_id}";

        if ( $this->namespace == 'Admin' )
        {
            // presumably die_semicritical() ends the request; verify, since execution would
            // otherwise fall through to the generic error page below.
            die_semicritical(
                $lang->get('page_msg_admin_404_title'),
                $lang->get('page_msg_admin_404_body', array('func_name' => $handler)),
                true
            );
        }

        $heading = $lang->get('page_err_custompage_function_missing_title');
        $body    = $lang->get('page_err_custompage_function_missing_body', array(
            'function_name' => $handler
        ));

        $output->set_title($heading);
        $output->header();
        // NOTE(review): $body is written without HTML escaping and embeds the handler name, which
        // derives from the page ID and namespace. This is safe only if sanitize_page_id() and/or
        // $lang->get() already neutralise HTML metacharacters; confirm against those helpers.
        echo '<p>' . $body . '</p>';
        $output->footer();
    }
}