From 4a9a1137fc8723fd878731ef46fa34d12c32ee71 Mon Sep 17 00:00:00 2001
From: anonymoususer72041
<247563575+anonymoususer72041@users.noreply.github.com>
Date: Wed, 31 Dec 2025 15:37:02 +0100
Subject: [PATCH] Do not expose database password during upgrade
---
installwizard.php | 2 +-
modules/install/ajax/ui.php | 11 +++++++++--
2 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/installwizard.php b/installwizard.php
index 911d5fd39..d448eab44 100755
--- a/installwizard.php
+++ b/installwizard.php
@@ -123,7 +123,7 @@
| Database Password: |
- |
+ |
| Database Host: * |
diff --git a/modules/install/ajax/ui.php b/modules/install/ajax/ui.php
index 53db04e79..fae1d5f13 100755
--- a/modules/install/ajax/ui.php
+++ b/modules/install/ajax/ui.php
@@ -120,7 +120,7 @@
CATSUtility::changeConfigSetting('DATABASE_USER', "'" . $_REQUEST['user'] . "'");
}
- if (isset($_REQUEST['pass']))
+ if (isset($_REQUEST['pass']) && $_REQUEST['pass'] !== '')
{
CATSUtility::changeConfigSetting('DATABASE_PASS', "'" . $_REQUEST['pass'] . "'");
}
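Review bot: The value on the `DATABASE_PASS` line is still built as `"'" . $_REQUEST['pass'] . "'"`, so a password containing a single quote or a backslash reaches `changeConfigSetting` unescaped. If that helper writes the string into the config file as a PHP literal (its body is not visible here), such a password would break the file or change what it executes. Since this commit already touches the condition, I would emit the literal with `var_export($_REQUEST['pass'], true)` instead of manual quoting, and tighten the guard to `is_string($_REQUEST['pass']) && $_REQUEST['pass'] !== ''` so an array-valued parameter is rejected. The `DATABASE_USER` line at the top of the hunk uses the same pattern. The enclosing block starts and ends outside the hunk.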
@@ -146,13 +146,20 @@
die();
}
+ $dbPassPlaceholder = '';
+ if (DATABASE_PASS !== '')
+ {
+ $dbPassPlaceholder = 'Leave blank to keep existing password';
+ }
+
echo '
';
break;
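Review bot: The new `$dbPassPlaceholder` logic only works because the save handler earlier in this file now skips an empty `pass`, and nothing here documents that coupling. A short comment above the assignment would keep the two in step, e.g. `// Never echo DATABASE_PASS into the form; an empty submission keeps the stored value (see the 'pass' handling above).` The comment should also record that an existing password can no longer be cleared to empty through this form. The markup inside the `echo` is not visible on this page, so I am assuming the placeholder replaces the previously pre-filled value there.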