Merge pull request from GHSA-vg6w-8w9v-xxqc

bryanacido · Jan 28, 2021 · b198170 · b198170
1 parent 10be1cb
commit b198170
Show file tree

Hide file tree

Showing 3 changed files with 367 additions and 287 deletions.
diff --git a/app/Http/Controllers/SetupController.php b/app/Http/Controllers/SetupController.php
@@ -3,6 +3,7 @@
 use Illuminate\Http\Request;
 use Illuminate\Http\Redirect;
 use Illuminate\Support\Facades\Artisan;
+use Illuminate\Support\Facades\Schema;
 
 use App\Helpers\CryptoHelper;
 use App\Models\User;
@@ -218,8 +219,8 @@ public static function performSetup(Request $request) {
     }
 
     public static function finishSetup(Request $request) {
-        // get data from cookie, decode JSON
         if (!isset($_COOKIE['setup_arguments'])) {
+            // Abort if setup arguments are missing.
             abort(404);
         }
 
@@ -229,12 +230,19 @@ public static function finishSetup(Request $request) {
         // unset cookie
         setcookie('setup_arguments', '', time()-3600);
 
-        $transaction_authorised = env('TMP_SETUP_AUTH_KEY') == $setup_finish_args->setup_auth_key;
+        $transaction_authorised = env('TMP_SETUP_AUTH_KEY') === $setup_finish_args->setup_auth_key;
 
         if ($transaction_authorised != true) {
             abort(403, 'Transaction unauthorised.');
         }
 
+        $usersTableExists = Schema::hasTable('users');
+
+        if ($usersTableExists) {
+            // If the users table exists, then the setup process may have already been completed before.
+            abort(403, 'Setup has been completed already.');
+        }
+
         $database_created = self::createDatabase();
         if (!$database_created) {
             return redirect(route('setup'))->with('error', 'Could not create database. Perhaps your credentials were incorrect?');

diff --git a/composer.json b/composer.json
@@ -14,7 +14,7 @@
         "torann/geoip": "^1.0",
         "geoip2/geoip2": "^2.4",
         "nesbot/carbon": "^1.22",
-        "doctrine/dbal": "^2.5",
+        "doctrine/dbal": "2.5.11",
         "google/recaptcha": "~1.1",
         "symfony/http-foundation": "2.7.51"
     },