|
1
|
|
|
<?php |
|
2
|
|
|
|
|
3
|
|
|
namespace SET\Http\Controllers\Installation; |
|
4
|
|
|
|
|
5
|
|
|
use Exception; |
|
6
|
|
|
use Illuminate\Http\Request; |
|
7
|
|
|
use Illuminate\Support\Facades\Artisan; |
|
8
|
|
|
use RachidLaasri\LaravelInstaller\Helpers\EnvironmentManager; |
|
9
|
|
|
use SET\Http\Controllers\Controller; |
|
10
|
|
|
|
|
11
|
|
|
class EnvironmentController extends Controller |
|
12
|
|
|
{ |
|
13
|
|
|
/** |
|
14
|
|
|
* @var EnvironmentManager |
|
15
|
|
|
*/ |
|
16
|
|
|
protected $EnvironmentManager; |
|
17
|
|
|
protected $envPath; |
|
18
|
|
|
|
|
19
|
|
|
/** |
|
20
|
|
|
* @param EnvironmentManager $environmentManager |
|
21
|
|
|
*/ |
|
22
|
|
|
public function __construct(EnvironmentManager $environmentManager) |
|
23
|
|
|
{ |
|
24
|
|
|
$this->EnvironmentManager = $environmentManager; |
|
25
|
|
|
$this->envPath = base_path('.env'); |
|
26
|
|
|
} |
|
27
|
|
|
|
|
28
|
|
|
/** |
|
29
|
|
|
* Display the Environment page. |
|
30
|
|
|
* |
|
31
|
|
|
* @return \Illuminate\View\View |
|
32
|
|
|
*/ |
|
33
|
|
|
public function index() |
|
34
|
|
|
{ |
|
35
|
|
|
$envConfig = $this->EnvironmentManager->getEnvContent(); |
|
36
|
|
|
$fields = $this->breakApartEnv($envConfig); |
|
37
|
|
|
|
|
38
|
|
|
return view('vendor.installer.environment', compact('fields')); |
|
39
|
|
|
} |
|
40
|
|
|
|
|
41
|
|
|
/** |
|
42
|
|
|
* Processes the newly saved environment configuration and redirects back. |
|
43
|
|
|
* |
|
44
|
|
|
* @param Request $input |
|
45
|
|
|
* |
|
46
|
|
|
* @return \Illuminate\Http\RedirectResponse |
|
47
|
|
|
*/ |
|
48
|
|
|
public function store(Request $input) |
|
49
|
|
|
{ |
|
50
|
|
|
$env = $this->flattenRequest($input); |
|
51
|
|
|
$message = $this->saveFile($env); |
|
52
|
|
|
|
|
53
|
|
|
Artisan::call('key:generate'); |
|
54
|
|
|
|
|
55
|
|
|
return redirect()->route('LaravelInstaller::requirements') |
|
56
|
|
|
->with(['message' => $message]); |
|
57
|
|
|
} |
|
58
|
|
|
|
|
59
|
|
|
/** |
|
60
|
|
|
* Key should be before the first = symbol and value should be after. |
|
61
|
|
|
* Each new line (\r\n) should be a new array entry. |
|
62
|
|
|
* |
|
63
|
|
|
* @param $string |
|
64
|
|
|
* |
|
65
|
|
|
* @return array |
|
66
|
|
|
*/ |
|
67
|
|
|
private function breakApartEnv($string) |
|
68
|
|
|
{ |
|
69
|
|
|
preg_match_all('/([^=]*?)=([^\r\n]*?)[\r\n]+/', $string, $matches); |
|
70
|
|
|
|
|
71
|
|
|
$array = array_combine($matches[1], $matches[2]); |
|
72
|
|
|
$array['MAIL_FROM_NAME'] = $this->removeQuotes($array['MAIL_FROM_NAME']); |
|
73
|
|
|
return $array; |
|
74
|
|
|
} |
|
75
|
|
|
|
|
76
|
|
|
private function flattenRequest(Request $input) |
|
77
|
|
|
{ |
|
78
|
|
|
$fields = $this->breakApartEnv($this->EnvironmentManager->getEnvContent()); |
|
79
|
|
|
$results = filter_var_array(array_merge($fields, $input->toArray())); |
|
80
|
|
|
unset($results['_token']); |
|
81
|
|
|
$results['MAIL_FROM_NAME'] = '"'.$this->removeQuotes($results['MAIL_FROM_NAME']).'"'; |
|
82
|
|
|
|
|
83
|
|
|
$env = ''; |
|
84
|
|
|
foreach ($results as $key => $value) { |
|
85
|
|
|
$env .= $key.'='.$value."\r\n"; |
|
86
|
|
|
} |
|
87
|
|
|
|
|
88
|
|
|
return $env; |
|
89
|
|
|
} |
|
90
|
|
|
|
|
91
|
|
|
/** |
|
92
|
|
|
* Save the edited content to the file. |
|
93
|
|
|
* |
|
94
|
|
|
* @param $string |
|
95
|
|
|
* |
|
96
|
|
|
* @return string |
|
97
|
|
|
*/ |
|
98
|
|
|
public function saveFile($string) |
|
99
|
|
|
{ |
|
100
|
|
|
$message = trans('messages.environment.success'); |
|
101
|
|
|
|
|
102
|
|
|
try { |
|
103
|
|
|
file_put_contents($this->envPath, $string); |
|
|
|
|
|
|
104
|
|
|
} catch (Exception $e) { |
|
105
|
|
|
$message = trans('messages.environment.errors'); |
|
106
|
|
|
} |
|
107
|
|
|
|
|
108
|
|
|
return $message; |
|
109
|
|
|
} |
|
110
|
|
|
|
|
111
|
|
|
private function removeQuotes($string) |
|
112
|
|
|
{ |
|
113
|
|
|
$string = str_replace('"', "", $string); |
|
114
|
|
|
return str_replace("'", "", $string); |
|
115
|
|
|
} |
|
116
|
|
|
} |
|
117
|
|
|
|
scci /
security-employee-tracker
$stringcan contain request data and is used in file manipulation context(s) leading to a potential security vulnerability.8 paths for user data to reach this point
$this->parameters['HTTP_AUTHORIZATION']seems to return tainted data, and$authorizationHeaderis assigned in ServerBag.php on line 62$this->parameters['HTTP_AUTHORIZATION']seems to return tainted data, and$authorizationHeaderis assignedin vendor/ServerBag.php on line 62
in vendor/ServerBag.php on line 77
in vendor/ParameterBag.php on line 45
$filesis assignedin vendor/src/Illuminate/Http/Request.php on line 431
in vendor/src/Illuminate/Http/Request.php on line 454
in vendor/src/Illuminate/Http/Request.php on line 435
in vendor/src/Illuminate/Http/Request.php on line 434
$this->allFiles()is passed through array_replace_recursive()in vendor/src/Illuminate/Http/Request.php on line 323
in vendor/src/Illuminate/Http/Request.php on line 1015
$input->toArray()is passed through array_merge(), andarray_merge($fields, $input->toArray())is passed through filter_var_array(), and$resultsis assignedin app/Http/Controllers/Installation/EnvironmentController.php on line 79
$resultsis assignedin app/Http/Controllers/Installation/EnvironmentController.php on line 81
$keyis assignedin app/Http/Controllers/Installation/EnvironmentController.php on line 84
$envis assignedin app/Http/Controllers/Installation/EnvironmentController.php on line 85
$envis assignedin app/Http/Controllers/Installation/EnvironmentController.php on line 50
$envis passed to EnvironmentController::saveFile()in app/Http/Controllers/Installation/EnvironmentController.php on line 51
$_POST,and$_POSTis passed to Request::createRequestFromFactory() in Request.php on line 281$_POST,and$_POSTis passed to Request::createRequestFromFactory()in vendor/Request.php on line 281
$requestis passed to Request::__construct()in vendor/Request.php on line 1939
$requestis passed to Request::initialize()in vendor/Request.php on line 222
$requestis passed to ParameterBag::__construct()in vendor/Request.php on line 240
in vendor/ParameterBag.php on line 35
in vendor/ParameterBag.php on line 45
$filesis assignedin vendor/src/Illuminate/Http/Request.php on line 431
in vendor/src/Illuminate/Http/Request.php on line 454
in vendor/src/Illuminate/Http/Request.php on line 435
in vendor/src/Illuminate/Http/Request.php on line 434
$this->allFiles()is passed through array_replace_recursive()in vendor/src/Illuminate/Http/Request.php on line 323
in vendor/src/Illuminate/Http/Request.php on line 1015
$input->toArray()is passed through array_merge(), andarray_merge($fields, $input->toArray())is passed through filter_var_array(), and$resultsis assignedin app/Http/Controllers/Installation/EnvironmentController.php on line 79
$resultsis assignedin app/Http/Controllers/Installation/EnvironmentController.php on line 81
$keyis assignedin app/Http/Controllers/Installation/EnvironmentController.php on line 84
$envis assignedin app/Http/Controllers/Installation/EnvironmentController.php on line 85
$envis assignedin app/Http/Controllers/Installation/EnvironmentController.php on line 50
$envis passed to EnvironmentController::saveFile()in app/Http/Controllers/Installation/EnvironmentController.php on line 51
$_SERVER,and$serveris assigned in Request.php on line 271$_SERVER,and$serveris assignedin vendor/Request.php on line 271
$serveris passed to Request::createRequestFromFactory()in vendor/Request.php on line 281
$serveris passed to Request::__construct()in vendor/Request.php on line 1939
$serveris passed to Request::initialize()in vendor/Request.php on line 222
$serveris passed to ParameterBag::__construct()in vendor/Request.php on line 245
in vendor/ParameterBag.php on line 35
in vendor/ParameterBag.php on line 45
$filesis assignedin vendor/src/Illuminate/Http/Request.php on line 431
in vendor/src/Illuminate/Http/Request.php on line 454
in vendor/src/Illuminate/Http/Request.php on line 435
in vendor/src/Illuminate/Http/Request.php on line 434
$this->allFiles()is passed through array_replace_recursive()in vendor/src/Illuminate/Http/Request.php on line 323
in vendor/src/Illuminate/Http/Request.php on line 1015
$input->toArray()is passed through array_merge(), andarray_merge($fields, $input->toArray())is passed through filter_var_array(), and$resultsis assignedin app/Http/Controllers/Installation/EnvironmentController.php on line 79
$resultsis assignedin app/Http/Controllers/Installation/EnvironmentController.php on line 81
$keyis assignedin app/Http/Controllers/Installation/EnvironmentController.php on line 84
$envis assignedin app/Http/Controllers/Installation/EnvironmentController.php on line 85
$envis assignedin app/Http/Controllers/Installation/EnvironmentController.php on line 50
$envis passed to EnvironmentController::saveFile()in app/Http/Controllers/Installation/EnvironmentController.php on line 51
HTTP_CONTENT_LENGTHfrom$_SERVER,and$serveris assigned in Request.php on line 274HTTP_CONTENT_LENGTHfrom$_SERVER,and$serveris assignedin vendor/Request.php on line 274
$serveris passed to Request::createRequestFromFactory()in vendor/Request.php on line 281
$serveris passed to Request::__construct()in vendor/Request.php on line 1939
$serveris passed to Request::initialize()in vendor/Request.php on line 222
$serveris passed to ParameterBag::__construct()in vendor/Request.php on line 245
in vendor/ParameterBag.php on line 35
in vendor/ParameterBag.php on line 45
$filesis assignedin vendor/src/Illuminate/Http/Request.php on line 431
in vendor/src/Illuminate/Http/Request.php on line 454
in vendor/src/Illuminate/Http/Request.php on line 435
in vendor/src/Illuminate/Http/Request.php on line 434
$this->allFiles()is passed through array_replace_recursive()in vendor/src/Illuminate/Http/Request.php on line 323
in vendor/src/Illuminate/Http/Request.php on line 1015
$input->toArray()is passed through array_merge(), andarray_merge($fields, $input->toArray())is passed through filter_var_array(), and$resultsis assignedin app/Http/Controllers/Installation/EnvironmentController.php on line 79
$resultsis assignedin app/Http/Controllers/Installation/EnvironmentController.php on line 81
$keyis assignedin app/Http/Controllers/Installation/EnvironmentController.php on line 84
$envis assignedin app/Http/Controllers/Installation/EnvironmentController.php on line 85
$envis assignedin app/Http/Controllers/Installation/EnvironmentController.php on line 50
$envis passed to EnvironmentController::saveFile()in app/Http/Controllers/Installation/EnvironmentController.php on line 51
HTTP_CONTENT_TYPEfrom$_SERVER,and$serveris assigned in Request.php on line 277HTTP_CONTENT_TYPEfrom$_SERVER,and$serveris assignedin vendor/Request.php on line 277
$serveris passed to Request::createRequestFromFactory()in vendor/Request.php on line 281
$serveris passed to Request::__construct()in vendor/Request.php on line 1939
$serveris passed to Request::initialize()in vendor/Request.php on line 222
$serveris passed to ParameterBag::__construct()in vendor/Request.php on line 245
in vendor/ParameterBag.php on line 35
in vendor/ParameterBag.php on line 45
$filesis assignedin vendor/src/Illuminate/Http/Request.php on line 431
in vendor/src/Illuminate/Http/Request.php on line 454
in vendor/src/Illuminate/Http/Request.php on line 435
in vendor/src/Illuminate/Http/Request.php on line 434
$this->allFiles()is passed through array_replace_recursive()in vendor/src/Illuminate/Http/Request.php on line 323
in vendor/src/Illuminate/Http/Request.php on line 1015
$input->toArray()is passed through array_merge(), andarray_merge($fields, $input->toArray())is passed through filter_var_array(), and$resultsis assignedin app/Http/Controllers/Installation/EnvironmentController.php on line 79
$resultsis assignedin app/Http/Controllers/Installation/EnvironmentController.php on line 81
$keyis assignedin app/Http/Controllers/Installation/EnvironmentController.php on line 84
$envis assignedin app/Http/Controllers/Installation/EnvironmentController.php on line 85
$envis assignedin app/Http/Controllers/Installation/EnvironmentController.php on line 50
$envis passed to EnvironmentController::saveFile()in app/Http/Controllers/Installation/EnvironmentController.php on line 51
$server['HTTP_HOST']seems to return tainted data, and$serveris assigned in Request.php on line 347$server['HTTP_HOST']seems to return tainted data, and$serveris assignedin vendor/Request.php on line 347
$serveris assignedin vendor/Request.php on line 395
$serveris assignedin vendor/Request.php on line 396
$serveris passed to Request::createRequestFromFactory()in vendor/Request.php on line 398
$serveris passed to Request::__construct()in vendor/Request.php on line 1939
$serveris passed to Request::initialize()in vendor/Request.php on line 222
$serveris passed to ParameterBag::__construct()in vendor/Request.php on line 245
in vendor/ParameterBag.php on line 35
in vendor/ParameterBag.php on line 45
$filesis assignedin vendor/src/Illuminate/Http/Request.php on line 431
in vendor/src/Illuminate/Http/Request.php on line 454
in vendor/src/Illuminate/Http/Request.php on line 435
in vendor/src/Illuminate/Http/Request.php on line 434
$this->allFiles()is passed through array_replace_recursive()in vendor/src/Illuminate/Http/Request.php on line 323
in vendor/src/Illuminate/Http/Request.php on line 1015
$input->toArray()is passed through array_merge(), andarray_merge($fields, $input->toArray())is passed through filter_var_array(), and$resultsis assignedin app/Http/Controllers/Installation/EnvironmentController.php on line 79
$resultsis assignedin app/Http/Controllers/Installation/EnvironmentController.php on line 81
$keyis assignedin app/Http/Controllers/Installation/EnvironmentController.php on line 84
$envis assignedin app/Http/Controllers/Installation/EnvironmentController.php on line 85
$envis assignedin app/Http/Controllers/Installation/EnvironmentController.php on line 50
$envis passed to EnvironmentController::saveFile()in app/Http/Controllers/Installation/EnvironmentController.php on line 51
$this->parameters['PHP_AUTH_USER']seems to return tainted data, and$headersis assigned in ServerBag.php on line 43$this->parameters['PHP_AUTH_USER']seems to return tainted data, and$headersis assignedin vendor/ServerBag.php on line 43
$headersis assignedin vendor/ServerBag.php on line 44
$this->server->getHeaders()is passed to HeaderBag::__construct()in vendor/Request.php on line 246
$valuesis assignedin vendor/HeaderBag.php on line 31
$valuesis passed to HeaderBag::set()in vendor/HeaderBag.php on line 32
(array) $valuesis passed through array_values(), and$valuesis assignedin vendor/HeaderBag.php on line 142
in vendor/HeaderBag.php on line 145
in vendor/HeaderBag.php on line 125
$requestUriis assignedin vendor/Request.php on line 1709
$requestUriis passed to ParameterBag::set()in vendor/Request.php on line 1740
in vendor/ParameterBag.php on line 99
in vendor/ParameterBag.php on line 45
$filesis assignedin vendor/src/Illuminate/Http/Request.php on line 431
in vendor/src/Illuminate/Http/Request.php on line 454
in vendor/src/Illuminate/Http/Request.php on line 435
in vendor/src/Illuminate/Http/Request.php on line 434
$this->allFiles()is passed through array_replace_recursive()in vendor/src/Illuminate/Http/Request.php on line 323
in vendor/src/Illuminate/Http/Request.php on line 1015
$input->toArray()is passed through array_merge(), andarray_merge($fields, $input->toArray())is passed through filter_var_array(), and$resultsis assignedin app/Http/Controllers/Installation/EnvironmentController.php on line 79
$resultsis assignedin app/Http/Controllers/Installation/EnvironmentController.php on line 81
$keyis assignedin app/Http/Controllers/Installation/EnvironmentController.php on line 84
$envis assignedin app/Http/Controllers/Installation/EnvironmentController.php on line 85
$envis assignedin app/Http/Controllers/Installation/EnvironmentController.php on line 50
$envis passed to EnvironmentController::saveFile()in app/Http/Controllers/Installation/EnvironmentController.php on line 51
$this->parameters['PHP_AUTH_PW']seems to return tainted data, and$headersis assigned in ServerBag.php on line 44$this->parameters['PHP_AUTH_PW']seems to return tainted data, and$headersis assignedin vendor/ServerBag.php on line 44
$this->server->getHeaders()is passed to HeaderBag::__construct()in vendor/Request.php on line 246
$valuesis assignedin vendor/HeaderBag.php on line 31
$valuesis passed to HeaderBag::set()in vendor/HeaderBag.php on line 32
(array) $valuesis passed through array_values(), and$valuesis assignedin vendor/HeaderBag.php on line 142
in vendor/HeaderBag.php on line 145
in vendor/HeaderBag.php on line 125
$requestUriis assignedin vendor/Request.php on line 1709
$requestUriis passed to ParameterBag::set()in vendor/Request.php on line 1740
in vendor/ParameterBag.php on line 99
in vendor/ParameterBag.php on line 45
$filesis assignedin vendor/src/Illuminate/Http/Request.php on line 431
in vendor/src/Illuminate/Http/Request.php on line 454
in vendor/src/Illuminate/Http/Request.php on line 435
in vendor/src/Illuminate/Http/Request.php on line 434
$this->allFiles()is passed through array_replace_recursive()in vendor/src/Illuminate/Http/Request.php on line 323
in vendor/src/Illuminate/Http/Request.php on line 1015
$input->toArray()is passed through array_merge(), andarray_merge($fields, $input->toArray())is passed through filter_var_array(), and$resultsis assignedin app/Http/Controllers/Installation/EnvironmentController.php on line 79
$resultsis assignedin app/Http/Controllers/Installation/EnvironmentController.php on line 81
$keyis assignedin app/Http/Controllers/Installation/EnvironmentController.php on line 84
$envis assignedin app/Http/Controllers/Installation/EnvironmentController.php on line 85
$envis assignedin app/Http/Controllers/Installation/EnvironmentController.php on line 50
$envis passed to EnvironmentController::saveFile()in app/Http/Controllers/Installation/EnvironmentController.php on line 51
General Strategies to prevent injection
In general, it is advisable to prevent any user-data to reach this point. This can be done by white-listing certain values:
if ( ! in_array($value, array('this-is-allowed', 'and-this-too'), true)) { throw new \InvalidArgumentException('This input is not allowed.'); }For numeric data, we recommend to explicitly cast the data: