authorBrice Maron <brice@bmaron.net>2012-07-03 09:20:42 +0200
committerBrice Maron <brice@bmaron.net>2012-07-03 09:20:42 +0200
commit8a1c27918319a96a5e801b1e945eb0fce5b489af (patch)
tree077d28cc69ca4a5db3e0db74124e9b236e8f7140 /lib
parent88cbbc86b84984946b80f6dd18e5a6a88b47f936 (diff)
Escape pg connection string on setup
Diffstat (limited to 'lib')
-rw-r--r--lib/setup.php16
1 files changed, 13 insertions, 3 deletions
diff --git a/lib/setup.php b/lib/setup.php
index 5387a0ef493..bad0f5301c7 100644
--- a/lib/setup.php
+++ b/lib/setup.php
@@ -155,8 +155,11 @@ class OC_Setup {
OC_CONFIG::setValue('dbhost', $dbhost);
OC_CONFIG::setValue('dbtableprefix', $dbtableprefix);
+ $e_host = addslashes($dbhost);
+ $e_user = addslashes($dbuser);
+ $e_password = addslashes($dbpass);
//check if the database user has admin right
- $connection_string = "host=$dbhost dbname=postgres user=$dbuser password=$dbpass";
+ $connection_string = "host='$e_host' dbname=postgres user='$e_user' password='$e_password'";
$connection = @pg_connect($connection_string);
if(!$connection) {
$error[] = array(
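Review bot: The three new `$e_* = addslashes(...)` lines use a generic PHP escaper rather than libpq's conninfo quoting, which only requires `\` and `'` to be backslash-escaped inside a single-quoted value. `addslashes()` additionally rewrites a NUL byte to `\0`, which libpq would most likely read back as a literal `0`, so such input is silently altered instead of rejected. The same pattern is repeated in the third hunk (`@@ -199,7 +203,13 @@`), so a small private helper would keep both call sites consistent, for example with the body `return "'" . str_replace(array('\\', "'"), array('\\\\', "\\'"), $value) . "'";`. That helper should carry the comment `// libpq conninfo quoting: escape \ and ' inside a single-quoted value`. The enclosing method begins and ends outside the hunk.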
@@ -166,8 +169,9 @@ class OC_Setup {
return $error;
}
else {
+ $e_user = pg_escape_string($dbuser);
//check for roles creation rights in postgresql
- $query="SELECT 1 FROM pg_roles WHERE rolcreaterole=TRUE AND rolname='$dbuser'";
+ $query="SELECT 1 FROM pg_roles WHERE rolcreaterole=TRUE AND rolname='$e_user'";
$result = pg_query($connection, $query);
if($result and pg_num_rows($result) > 0) {
//use the admin login data for the new database user
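Review bot: `pg_escape_string($dbuser)` is called without the connection resource, so it escapes against the default (last opened) connection rather than the `$connection` that `pg_query()` uses on the following lines. Passing the link explicitly, `pg_escape_string($connection, $dbuser)`, ties the escaping to that connection's encoding. A bound parameter removes the manual escaping altogether: `$result = pg_query_params($connection, "SELECT 1 FROM pg_roles WHERE rolcreaterole=TRUE AND rolname=$1", array($dbuser));`. The line also reuses `$e_user`, which in the first hunk holds the conninfo-escaped value, so one name carries two different escapings within the same method; a distinct name such as `$sql_user` would avoid a later mix-up. The `else` branch continues outside the hunk.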
@@ -199,7 +203,13 @@ class OC_Setup {
// connect to the ownCloud database (dbname=$dbname) an check if it needs to be filled
$dbuser = OC_CONFIG::getValue('dbuser');
$dbpass = OC_CONFIG::getValue('dbpassword');
- $connection_string = "host=$dbhost dbname=$dbname user=$dbuser password=$dbpass";
+
+ $e_host = addslashes($dbhost);
+ $e_dbname = addslashes($dbname);
+ $e_user = addslashes($dbuser);
+ $e_password = addslashes($dbpass);
+
+ $connection_string = "host='$e_host' dbname='$e_dbname' user='$e_user' password='$e_password'";
$connection = @pg_connect($connection_string);
if(!$connection) {
$error[] = array(