Merge pull request from GHSA-prvh-9m4h-4m79

glpi-project · Oct 6, 2020 · a8109d4 · a8109d4
1 parent 6ca9a0e
commit a8109d4
Showing 1 changed file with 8 additions and 1 deletion.
diff --git a/install/install.php b/install/install.php
@@ -598,10 +598,17 @@ function checkConfigFile() {
    }
 }
 
-if (!isset($_POST["install"])) {
+if (!isset($_SESSION['can_process_install']) || !isset($_POST["install"])) {
    $_SESSION = [];
 
    checkConfigFile();
+
+   // Add a flag that will be used to validate that installation can be processed.
+   // This flag is put here just after checking that DB config file does not exist yet.
+   // It is mandatory to validate that `Etape_4` to `Etape_6` are not used outside installation process
+   // to change GLPI base URL without even being authenticated.
+   $_SESSION['can_process_install'] = true;
+
    header_html("Select your language");
    choose_language();