-rw-r--r-- | changelog.md | 6 | ||||
-rw-r--r-- | ncp-web/ncp-launcher.php | 6 | ||||
-rw-r--r-- | ncp-web/wizard/index.php | 7 |
3 files changed, 13 insertions, 6 deletions
diff --git a/changelog.md b/changelog.md index d6ac1220..b7dea74c 100644 --- a/changelog.md +++ b/changelog.md @@ -1,7 +1,9 @@ -[v1.0.1](https://github.com/nextcloud/nextcloudpi/commit/720b0db) (2019-01-08) nc-update-nc: remove backup after restoring +[v1.0.2](https://github.com/nextcloud/nextcloudpi/commit/a2f79d2) (2019-01-09) wizard: dont change missing parameters -[v1.0.0](https://github.com/nextcloud/nextcloudpi/commit/013198c) (2019-01-08) ncp-config: allow empty values +[v1.0.1](https://github.com/nextcloud/nextcloudpi/commit/f722c45) (2019-01-08) nc-update-nc: remove backup after restoring + +[v1.0.0 ](https://github.com/nextcloud/nextcloudpi/commit/013198c) (2019-01-08) ncp-config: allow empty values [v0.67.13](https://github.com/nextcloud/nextcloudpi/commit/21fee19) (2018-12-31) ncp-web: new chinese translate and update chinese translate. (#721) diff --git a/ncp-web/ncp-launcher.php b/ncp-web/ncp-launcher.php index 6f103f6b..33245018 100644 --- a/ncp-web/ncp-launcher.php +++ b/ncp-web/ncp-launcher.php @@ -59,8 +59,12 @@ if ( $_POST['action'] == "launch" && $_POST['config'] ) foreach ($cfg['params'] as $index => $param) { + // don't touch missing parameters + $id = $cfg['params'][$index]['id']; + if (!array_key_exists($id, $new_params)) continue; + // sanitize - $val = trim(escapeshellarg($new_params[$cfg['params'][$index]['id']]),"'"); + $val = trim(escapeshellarg($new_params[$id]),"'"); preg_match( '/ /' , $val , $matches ) and exit( '{ "output": "Invalid parameters" , "token": "' . getCSRFToken() . '" }' ); diff --git a/ncp-web/wizard/index.php b/ncp-web/wizard/index.php index e7471e4e..930dad1b 100644 --- a/ncp-web/wizard/index.php +++ b/ncp-web/wizard/index.php 
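Review bot: In ncp-web/ncp-launcher.php the rewritten sanitize line still strips the quotes that `escapeshellarg()` adds (`trim(..., "'")`), and the check after it rejects only a literal space, so tabs, newlines and other shell-significant characters in `$new_params[$id]` are accepted. How `$val` is consumed is outside this hunk, so the impact cannot be confirmed from here. Since the commit already touches this line, I would replace the space test with an allow-list adapted per parameter, for example `preg_match('/^[\w.:\/@+-]*$/', $val) or exit(...)` with the existing "Invalid parameters" response, and keep the value quoted wherever it reaches a shell. The new `array_key_exists($id, $new_params)` guard also assumes `$new_params` is an array of strings; if it is decoded from `$_POST['config']` (not visible here), add `is_array($new_params)` before the loop and `is_string($new_params[$id])` before the sanitize step. The `foreach` body continues past the end of the hunk.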
@@ -10,6 +10,10 @@ <?php session_start(); + ini_set('session.cookie_httponly', 1); + if ( isset($_SERVER['HTTPS']) ) + ini_set('session.cookie_secure', 1); + // security headers header("Content-Security-Policy: default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; object-src 'self';"); header("X-XSS-Protection: 1; mode=block"); @@ -18,9 +22,6 @@ header("X-Permitted-Cross-Domain-Policies: none"); header("X-Frame-Options: DENY"); header("Cache-Control: max-age=15778463"); - ini_set('session.cookie_httponly', 1); - if ( isset($_SERVER['HTTPS']) ) - ini_set('session.cookie_secure', 1); ?> <link rel="icon" type="image/png" href="../img/favicon.png" /> </head> |
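Review bot: In ncp-web/wizard/index.php the moved `ini_set('session.cookie_httponly', 1)` and `ini_set('session.cookie_secure', 1)` calls still run after `session_start()`, so they do not apply to the session cookie that call has already set up. Since PHP 7.2, changing session ini settings while a session is active fails with a warning. Unless php.ini already sets both flags, the wizard's session cookie is therefore issued without HttpOnly and Secure. Place `session_start();` after the `ini_set('session.cookie_secure', 1);` line, or pass the flags with `session_set_cookie_params()` before starting the session. The file continues outside both hunks, so any earlier session setup is not visible here.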