From 0136afb0680a69eda0f2c9fb0be235f28c0f12a5 Mon Sep 17 00:00:00 2001 From: Marc Delisle Date: Sun, 12 Apr 2009 11:42:14 +0000 Subject: [PATCH] bug #2729191 [config] CheckConfigurationPermissions = false is worthless --- ChangeLog | 1 + libraries/Config.class.php | 13 +++++++++++-- 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 5080139ec..356fd47d3 100644 --- a/ChangeLog +++ b/ChangeLog @@ -26,6 +26,7 @@ $HeadURL: https://phpmyadmin.svn.sourceforge.net/svnroot/phpmyadmin/trunk/phpMyA thanks to Luke Armstrong - bug #2740550 [interface] Using textarea CharEditing drops default values - bug #2634827 [import] Using DELIMITER ends with infinite cycle +- bug #2729191 [config] CheckConfigurationPermissions = false is worthless 3.1.3.1 (2009-03-24) - [security] HTTP Response Splitting and file inclusion vulnerabilities diff --git a/libraries/Config.class.php b/libraries/Config.class.php index 3a022efd5..2b3eb6b60 100644 --- a/libraries/Config.class.php +++ b/libraries/Config.class.php @@ -401,6 +401,8 @@ class PMA_Config //$this->checkPmaAbsoluteUri(); $this->settings = PMA_array_merge_recursive($this->settings, $cfg); + $this->checkPermissions(); + // Handling of the collation must be done after merging of $cfg // (from config.inc.php) so that $cfg['DefaultConnectionCollation'] // can have an effect. Note that the presence of collation @@ -475,6 +477,15 @@ class PMA_Config die('Existing configuration file (' . $this->getSource() . ') is not readable.'); } + return true; + } + + /** + * verifies the permissions on config file (if asked by configuration) + * (must be called after config.inc.php has been merged) + */ + function checkPermissions() + { // Check for permissions (on platforms that support it): if ($this->get('CheckConfigurationPermissions')) { $perms = @fileperms($this->getSource()); @@ -487,8 +498,6 @@ class PMA_Config } } } - - return true; } /**