[ticket/8713] Call htmlspecialchars_decode() on transfer (e.g. ftp) passwords.

PHPBB3-8713
2025-08-05 16:27:38 +02:00 · 2012-09-08 14:40:35 +02:00
parent f2607fc9e8
commit cc0c378caf
2 changed files with 40 additions and 5 deletions
--- a/phpBB/includes/acp/acp_language.php
+++ b/phpBB/includes/acp/acp_language.php
@@ -100,11 +100,25 @@ class acp_language
 			switch ($method)
 			{
 				case 'ftp':
-					$transfer = new ftp(request_var('host', ''), request_var('username', ''), $request->untrimmed_variable('password', ''), request_var('root_path', ''), request_var('port', ''), request_var('timeout', ''));
+					$transfer = new ftp(
+						request_var('host', ''),
+						request_var('username', ''),
+						htmlspecialchars_decode($request->untrimmed_variable('password', '')),
+						request_var('root_path', ''),
+						request_var('port', ''),
+						request_var('timeout', '')
+					);
 				break;

 				case 'ftp_fsock':
-					$transfer = new ftp_fsock(request_var('host', ''), request_var('username', ''), $request->untrimmed_variable('password', ''), request_var('root_path', ''), request_var('port', ''), request_var('timeout', ''));
+					$transfer = new ftp_fsock(
+						request_var('host', ''),
+						request_var('username', ''),
+						htmlspecialchars_decode($request->untrimmed_variable('password', '')),
+						request_var('root_path', ''),
+						request_var('port', ''),
+						request_var('timeout', '')
+					);
 				break;

 				default:
@@ -404,7 +418,14 @@ class acp_language
 						trigger_error($user->lang['INVALID_UPLOAD_METHOD'], E_USER_ERROR);
 					}

-					$transfer = new $method(request_var('host', ''), request_var('username', ''), $request->untrimmed_variable('password', ''), request_var('root_path', ''), request_var('port', ''), request_var('timeout', ''));
+					$transfer = new $method(
+						request_var('host', ''),
+						request_var('username', ''),
+						htmlspecialchars_decode($request->untrimmed_variable('password', '')),
+						request_var('root_path', ''),
+						request_var('port', ''),
+						request_var('timeout', '')
+					);

 					if (($result = $transfer->open_session()) !== true)
 					{
--- a/phpBB/install/install_update.php
+++ b/phpBB/install/install_update.php
@@ -862,7 +862,14 @@ class install_update extends module
 					$test_connection = false;
 					if ($test_ftp_connection || $submit)
 					{
-						$transfer = new $method(request_var('host', ''), request_var('username', ''), $request->untrimmed_variable('password', ''), request_var('root_path', ''), request_var('port', ''), request_var('timeout', ''));
+						$transfer = new $method(
+							request_var('host', ''),
+							request_var('username', ''),
+							htmlspecialchars_decode($request->untrimmed_variable('password', '')),
+							request_var('root_path', ''),
+							request_var('port', ''),
+							request_var('timeout', '')
+						);
 						$test_connection = $transfer->open_session();

 						// Make sure that the directory is correct by checking for the existence of common.php
@@ -948,7 +955,14 @@ class install_update extends module
 				}
 				else
 				{
-					$transfer = new $method(request_var('host', ''), request_var('username', ''), $request->untrimmed_variable('password', ''), request_var('root_path', ''), request_var('port', ''), request_var('timeout', ''));
+					$transfer = new $method(
+						request_var('host', ''),
+						request_var('username', ''),
+						htmlspecialchars_decode($request->untrimmed_variable('password', '')),
+						request_var('root_path', ''),
+						request_var('port', ''),
+						request_var('timeout', '')
+					);
 					$transfer->open_session();
 				}