From 0638937ada237f6bd05620dfb16cfa17c6b971b7 Mon Sep 17 00:00:00 2001
From: Thomas Pulzer
Date: Wed, 6 Jul 2016 11:31:28 +0200
Subject: [PATCH] Changed the input option for database-port to required when parameter was provided. Added casting database port to int for input sanitation in pgsql and oci connections.

---
 core/Command/Maintenance/Install.php | 2 +-
 lib/private/Setup/OCI.php | 4 ++--
 lib/private/Setup/PostgreSQL.php | 4 ++--
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/core/Command/Maintenance/Install.php b/core/Command/Maintenance/Install.php
index 320405cad39..cee0c60b488 100644
--- a/core/Command/Maintenance/Install.php
+++ b/core/Command/Maintenance/Install.php
@@ -50,7 +50,7 @@ class Install extends Command {
 			->addOption('database', null, InputOption::VALUE_REQUIRED, 'Supported database type', 'sqlite')
 			->addOption('database-name', null, InputOption::VALUE_REQUIRED, 'Name of the database')
 			->addOption('database-host', null, InputOption::VALUE_REQUIRED, 'Hostname of the database', 'localhost')
-			->addOption('database-port', null, InputOption::VALUE_OPTIONAL, 'Port the database is listening on')
+			->addOption('database-port', null, InputOption::VALUE_REQUIRED, 'Port the database is listening on')
 			->addOption('database-user', null, InputOption::VALUE_REQUIRED, 'User name to connect to the database')
 			->addOption('database-pass', null, InputOption::VALUE_OPTIONAL, 'Password of the database user', null)
 			->addOption('database-table-prefix', null, InputOption::VALUE_OPTIONAL, 'Prefix for all tables (default: oc_)', null)
diff --git a/lib/private/Setup/OCI.php b/lib/private/Setup/OCI.php
index 7fddf0e58e5..2366a014c53 100644
--- a/lib/private/Setup/OCI.php
+++ b/lib/private/Setup/OCI.php
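Review bot: Making `database-port` VALUE_REQUIRED only makes Symfony insist on a value after the flag; nothing in this hunk checks that the value is numeric, so `--database-port=abc` is still accepted here and only later turns into port 0 when the setup classes cast it with `(int)`. A check in the command handler (outside this hunk) would fail early with a readable message instead of a confusing connection error, e.g. after `$port = $input->getOption('database-port');` add `if ($port !== null && (!ctype_digit($port) || (int)$port < 1 || (int)$port > 65535)) { throw new \InvalidArgumentException('database-port must be a number between 1 and 65535'); }`. The `database-pass` option on the following line keeps VALUE_OPTIONAL, which presumably is intended since an empty password can be valid.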
@@ -63,8 +63,8 @@ class OCI extends AbstractDatabase {
 	public function setupDatabase($username) {
 		$e_host = addslashes($this->dbHost);
-		// adding slashes for security reasons
-		$e_port = addslashes($this->dbPort);
+		// casting to int to avoid malicious input
+		$e_port = (int)$this->dbPort;
 		$e_dbname = addslashes($this->dbName);
 		//check if the database user has admin right
 		if ($e_host == '') {
diff --git a/lib/private/Setup/PostgreSQL.php b/lib/private/Setup/PostgreSQL.php
index 35d8b8eac14..464d1e02e21 100644
--- a/lib/private/Setup/PostgreSQL.php
+++ b/lib/private/Setup/PostgreSQL.php
@@ -36,8 +36,8 @@ class PostgreSQL extends AbstractDatabase {
 		// adding port support through installer
 		if(!empty($this->dbPort)) {
-			// adding slashes for security reasons
-			$port = addslashes($this->dbPort);
+			// casting to int to avoid malicious input
+			$port = (int)$this->dbPort;
 		} else if(strpos($e_host, ':')) {
 			list($e_host, $port)=explode(':', $e_host, 2);
 		} else {
-- 
2.39.5
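Review bot: `$e_port = (int)$this->dbPort;` sanitises but does not validate: a non-numeric value silently becomes 0 and a value such as `1521abc` becomes 1521, so a mistyped port is no longer reported but quietly turned into a different port or no port at all; the same applies to the PostgreSQL hunk below. The cast also maps an unset or empty port to integer 0, so any later comparison of `$e_port` against `''` in setupDatabase (the method continues outside this hunk) would now compare an int with a string and should be re-checked, since that comparison behaves differently across PHP versions. A stricter form rejects bad input before the cast: `if ($this->dbPort !== null && $this->dbPort !== '' && !ctype_digit((string)$this->dbPort)) { throw new \InvalidArgumentException('Invalid database port'); }`. The new comment would also be more useful if it stated the effect rather than the intent, e.g. `// only an integer port is accepted; anything else becomes 0`.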
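Review bot: The int cast covers only the explicit `dbPort` branch; the `else if` branch two lines below still takes the port straight out of `$e_host` via `explode` with no conversion, so a port given as `host:port` is not held to the same rule as the one given through the option. Applying the same conversion there keeps both paths consistent: `list($e_host, $port)=explode(':', $e_host, 2); $port = (int)$port;`. The enclosing method starts and ends outside this hunk, so how `$port` is used afterwards cannot be confirmed from here.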