3 files changed, 8 insertions, 8 deletions
diff --git a/phpBB/install/database_update.php b/phpBB/install/database_update.php
index cd060a0b2b..b69d44d7be 100644
--- a/phpBB/install/database_update.php
+++ b/phpBB/install/database_update.php
@@ -145,7 +145,7 @@ unset($dbpasswd);
 $user->ip = '';
 if ($request->server('REMOTE_ADDR'))
 {
-	$user->ip = (function_exists('phpbb_ip_normalise')) ? phpbb_ip_normalise($request->server('REMOTE_ADDR')) : $request->server('REMOTE_ADDR', '', true);
+	$user->ip = (function_exists('phpbb_ip_normalise')) ? phpbb_ip_normalise($request->server('REMOTE_ADDR')) : $request->server('REMOTE_ADDR');
 }
 
 $sql = "SELECT config_value
diff --git a/phpBB/install/index.php b/phpBB/install/index.php
index bba26fde7a..f43d95301f 100644
--- a/phpBB/install/index.php
+++ b/phpBB/install/index.php
@@ -430,14 +430,14 @@ class module
 		global $request;
 
 		// HTTP_HOST is having the correct browser url in most cases...
-		$server_name = strtolower($request->header('Host', $request->server('SERVER_NAME')));
+		$server_name = strtolower(htmlspecialchars_decode($request->header('Host', $request->server('SERVER_NAME'))));
 		$server_port = $request->server('SERVER_PORT', 0);
 		$secure = $request->is_secure() ? 1 : 0;
 
-		$script_name = $request->server('PHP_SELF');
+		$script_name = htmlspecialchars_decode($request->server('PHP_SELF'));
 		if (!$script_name)
 		{
-			$script_name = $request->server('REQUEST_URI');
+			$script_name = htmlspecialchars_decode($request->server('REQUEST_URI'));
 		}
 
 		// Replace backslashes and doubled slashes (could happen on some proxy setups)
diff --git a/phpBB/install/install_install.php b/phpBB/install/install_install.php
index 12f541e5f8..1a69638220 100644
--- a/phpBB/install/install_install.php
+++ b/phpBB/install/install_install.php
@@ -1017,7 +1017,7 @@ class install_install extends module
 		$s_hidden_fields .= '<input type="hidden" name="language" value="' . $data['language'] . '" />';
 
 		// HTTP_HOST is having the correct browser url in most cases...
-		$server_name = strtolower($request->header('Host', $request->server('SERVER_NAME')));
+		$server_name = strtolower(htmlspecialchars_decode($request->header('Host', $request->server('SERVER_NAME'))));
 
 		// HTTP HOST can carry a port number...
 		if (strpos($server_name, ':') !== false)
@@ -1033,10 +1033,10 @@ class install_install extends module
 
 		if ($data['script_path'] === '')
 		{
-			$name = $request->server('PHP_SELF');
+			$name = htmlspecialchars_decode($request->server('PHP_SELF'));
 			if (!$name)
 			{
-				$name = $request->server('REQUEST_URI');
+				$name = htmlspecialchars_decode($request->server('REQUEST_URI'));
 			}
 
 			// Replace backslashes and doubled slashes (could happen on some proxy setups)
@@ -1117,7 +1117,7 @@ class install_install extends module
 		}
 
 		// HTTP_HOST is having the correct browser url in most cases...
-		$server_name = strtolower($request->header('Host', $request->server('SERVER_NAME')));
+		$server_name = strtolower(htmlspecialchars_decode($request->header('Host', $request->server('SERVER_NAME'))));
 		$referer = strtolower($request->header('Referer'));
 
 		// HTTP HOST can carry a port number...