Changed the input option for database-port to required when parameter was provided.
authorThomas Pulzer <t.pulzer@kniel.de>
Wed, 6 Jul 2016 09:31:28 +0000 (11:31 +0200)
committerThomas Pulzer <t.pulzer@kniel.de>
Wed, 6 Jul 2016 09:31:28 +0000 (11:31 +0200)
Added casting database port to int for input sanitation in pgsql and oci connections.

core/Command/Maintenance/Install.php
lib/private/Setup/OCI.php
lib/private/Setup/PostgreSQL.php

index 320405cad39f16a3f16519566a6562d6faff116f..cee0c60b4887003f7937b8148baa84ea4f520466 100644 (file)
@@ -50,7 +50,7 @@ class Install extends Command {
                        ->addOption('database', null, InputOption::VALUE_REQUIRED, 'Supported database type', 'sqlite')
                        ->addOption('database-name', null, InputOption::VALUE_REQUIRED, 'Name of the database')
                        ->addOption('database-host', null, InputOption::VALUE_REQUIRED, 'Hostname of the database', 'localhost')
-                       ->addOption('database-port', null, InputOption::VALUE_OPTIONAL, 'Port the database is listening on')
+                       ->addOption('database-port', null, InputOption::VALUE_REQUIRED, 'Port the database is listening on')
                        ->addOption('database-user', null, InputOption::VALUE_REQUIRED, 'User name to connect to the database')
                        ->addOption('database-pass', null, InputOption::VALUE_OPTIONAL, 'Password of the database user', null)
                        ->addOption('database-table-prefix', null, InputOption::VALUE_OPTIONAL, 'Prefix for all tables (default: oc_)', null)
index 7fddf0e58e500b2bdb24275969624223533331f3..2366a014c53d4388540da167fdf3a2ccb97827e3 100644 (file)
@@ -63,8 +63,8 @@ class OCI extends AbstractDatabase {
 
        public function setupDatabase($username) {
                $e_host = addslashes($this->dbHost);
-               // adding slashes for security reasons
-               $e_port = addslashes($this->dbPort);
+               // casting to int to avoid malicious input
+               $e_port = (int)$this->dbPort;
                $e_dbname = addslashes($this->dbName);
                //check if the database user has admin right
                if ($e_host == '') {
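Review bot: The `(int)` cast on `$this->dbPort` in `setupDatabase()` coerces the value instead of validating it: in PHP a non-numeric string becomes `0` and a string such as `1521abc` becomes `1521`, so a malformed port is silently rewritten rather than rejected, and negative or above-65535 values pass through. The same applies to the cast in the PostgreSQL hunk, and the `database-port` option in Install.php still accepts any string. I would reject bad input explicitly, e.g. `$e_port = filter_var($this->dbPort, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1, 'max_range' => 65535]]);`, and raise a setup error when a port was supplied and the result is `false`. An empty port is also now `0` where `addslashes()` gave `''`; the code that consumes `$e_port` is outside this hunk, so any emptiness test on it should be re-checked.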
index 35d8b8eac14a5ce739b9c79f4681e4d519478a82..464d1e02e21a411f6ecb0b26493028411edd97b2 100644 (file)
@@ -36,8 +36,8 @@ class PostgreSQL extends AbstractDatabase {
 
                // adding port support through installer
                if(!empty($this->dbPort)) {
-                       // adding slashes for security reasons
-                       $port = addslashes($this->dbPort);
+                       // casting to int to avoid malicious input
+                       $port = (int)$this->dbPort;
                } else if(strpos($e_host, ':')) {
                        list($e_host, $port)=explode(':', $e_host, 2);
                } else {
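Review bot: The `else if(strpos($e_host, ':'))` branch still takes `$port` straight from the host string via `explode(':', $e_host, 2)` with no cast, so the hardening in this commit covers only the explicit `dbPort` path. Where `$port` ends up is outside this hunk, but if it is placed into a connection string, the part of the host value after the colon reaches it with only whatever escaping `$e_host` already received. Applying the same integer normalisation on that path, e.g. `$port = (int)$port;` directly after the `list(...)` line, or normalising `$port` once after the whole if/else chain, would treat both sources alike. The chain's final `else` body lies beyond the end of the hunk.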