merge fixes from trunk (bugs #1672379. #1671813, #1541147)

2007-03-02 14:13:13 +00:00
parent 81f6ea7f9f
commit 1f7afb504f
3 changed files with 97 additions and 72 deletions
--- a/9
+++ b/9
@@ -5,6 +5,12 @@ phpMyAdmin - ChangeLog
 $Id$
 $HeadURL$

+2007-03-02 Sebastian Mendel <cybot_tm@users.sourceforge.net>
+    * libraries/common.lib.php: bug #1672379 Call to undefined function PMA_removeCookie()
+
+2007-03-01 Sebastian Mendel <cybot_tm@users.sourceforge.net>
+    * libraries/common.lib.php: bug #1671813 CVE-2006-1549 deep recursion crash
+
 2007-02-28 Marc Delisle  <lem9@users.sourceforge.net>
    * libraries/config.default.php: set $cfg['Servers'][$i]['ssl'] default
      value to false, we got reports from some users having problems with the
@@ -113,6 +119,9 @@ $HeadURL$
      thanks to Ivan Kirillov
    ### 2.10.0-beta1 released from QA_2_10

+2007-01-29 Sebastian Mendel <cybot_tm@users.sourceforge.net>
+    * js/querywindow.js: fixed bug #1541147 - # in database names
+
 2007-01-26 Michal Čihař  <michal@cihar.com>
    * libraries/common.lib.php, libraries/js_escape.lib.php,
      test/escape_js_string.php, test/core.lib.php: Move java script escaping
--- a/libraries/common.lib.php
+++ b/libraries/common.lib.php
@@ -271,6 +271,10 @@ function PMA_array_merge_recursive()
 */
 function PMA_arrayWalkRecursive(&$array, $function, $apply_to_keys_also = false)
 {
+    static $recursive_counter = 0;
+    if (++$recursive_counter > 1000) {
+        die('possible deep recursion attack');
+    }
    foreach ($array as $key => $value) {
        if (is_array($value)) {
            PMA_arrayWalkRecursive($array[$key], $function, $apply_to_keys_also);
@@ -286,6 +290,7 @@ function PMA_arrayWalkRecursive(&$array, $function, $apply_to_keys_also = false)
            }
        }
    }
+    $recursive_counter++;
 }

 /**
@@ -345,6 +350,77 @@ function PMA_getenv($var_name) {
    return '';
 }

+/**
+ * removes cookie
+ *
+ * @uses    PMA_Config::isHttps()
+ * @uses    PMA_Config::getCookiePath()
+ * @uses    setcookie()
+ * @uses    time()
+ * @param   string  $cookie     name of cookie to remove
+ * @return  boolean result of setcookie()
+ */
+function PMA_removeCookie($cookie)
+{
+    return setcookie($cookie, '', time() - 3600,
+        PMA_Config::getCookiePath(), '', PMA_Config::isHttps());
+}
+
+/**
+ * sets cookie if value is different from current cokkie value,
+ * or removes if value is equal to default
+ *
+ * @uses    PMA_Config::isHttps()
+ * @uses    PMA_Config::getCookiePath()
+ * @uses    $_COOKIE
+ * @uses    PMA_removeCookie()
+ * @uses    setcookie()
+ * @uses    time()
+ * @param   string  $cookie     name of cookie to remove
+ * @param   mixed   $value      new cookie value
+ * @param   string  $default    default value
+ * @param   int     $validity   validity of cookie in seconds (default is one month)
+ * @param   bool    $httponlt   whether cookie is only for HTTP (and not for scripts)
+ * @return  boolean result of setcookie()
+ */
+function PMA_setCookie($cookie, $value, $default = null, $validity = null, $httponly = true)
+{
+    if ($validity == null) {
+        $validity = 2592000;
+    }
+    if (strlen($value) && null !== $default && $value === $default
+     && isset($_COOKIE[$cookie])) {
+        // remove cookie, default value is used
+        return PMA_removeCookie($cookie);
+    }
+
+    if (! strlen($value) && isset($_COOKIE[$cookie])) {
+        // remove cookie, value is empty
+        return PMA_removeCookie($cookie);
+    }
+
+    if (! isset($_COOKIE[$cookie]) || $_COOKIE[$cookie] !== $value) {
+        // set cookie with new value
+        /* Calculate cookie validity */
+        if ($validity == 0) {
+            $v = 0;
+        } else {
+            $v = time() + $validity;
+        }
+        /* Use native support for httponly cookies if available */
+        if (version_compare(PHP_VERSION, '5.2.0', 'ge')) {
+            return setcookie($cookie, $value, $v,
+                PMA_Config::getCookiePath(), '', PMA_Config::isHttps(), $httponly);
+        } else {
+            return setcookie($cookie, $value, $v,
+                PMA_Config::getCookiePath() . ($httponly ? '; HttpOnly' : ''), '', PMA_Config::isHttps());
+        }
+    }
+
+    // cookie has already $value as value
+    return true;
+}
+
 /**
 * include here only libraries which contain only function definitions
 * no code im main()!
@@ -2338,77 +2414,6 @@ if (typeof(window.parent) != 'undefined'
            .htmlspecialchars($database) . '</a>';
    }

-    /**
-     * removes cookie
-     *
-     * @uses    PMA_Config::isHttps()
-     * @uses    PMA_Config::getCookiePath()
-     * @uses    setcookie()
-     * @uses    time()
-     * @param   string  $cookie     name of cookie to remove
-     * @return  boolean result of setcookie()
-     */
-    function PMA_removeCookie($cookie)
-    {
-        return setcookie($cookie, '', time() - 3600,
-            PMA_Config::getCookiePath(), '', PMA_Config::isHttps());
-    }
-
-    /**
-     * sets cookie if value is different from current cokkie value,
-     * or removes if value is equal to default
-     *
-     * @uses    PMA_Config::isHttps()
-     * @uses    PMA_Config::getCookiePath()
-     * @uses    $_COOKIE
-     * @uses    PMA_removeCookie()
-     * @uses    setcookie()
-     * @uses    time()
-     * @param   string  $cookie     name of cookie to remove
-     * @param   mixed   $value      new cookie value
-     * @param   string  $default    default value
-     * @param   int     $validity   validity of cookie in seconds (default is one month)
-     * @param   bool    $httponlt   whether cookie is only for HTTP (and not for scripts)
-     * @return  boolean result of setcookie()
-     */
-    function PMA_setCookie($cookie, $value, $default = null, $validity = null, $httponly = true)
-    {
-        if ($validity == null) {
-            $validity = 2592000;
-        }
-        if (strlen($value) && null !== $default && $value === $default
-         && isset($_COOKIE[$cookie])) {
-            // remove cookie, default value is used
-            return PMA_removeCookie($cookie);
-        }
-
-        if (! strlen($value) && isset($_COOKIE[$cookie])) {
-            // remove cookie, value is empty
-            return PMA_removeCookie($cookie);
-        }
-
-        if (! isset($_COOKIE[$cookie]) || $_COOKIE[$cookie] !== $value) {
-            // set cookie with new value
-            /* Calculate cookie validity */
-            if ($validity == 0) {
-                $v = 0;
-            } else {
-                $v = time() + $validity;
-            }
-            /* Use native support for httponly cookies if available */
-            if (version_compare(PHP_VERSION, '5.2.0', 'ge')) {
-                return setcookie($cookie, $value, $v,
-                    PMA_Config::getCookiePath(), '', PMA_Config::isHttps(), $httponly);
-            } else {
-                return setcookie($cookie, $value, $v,
-                    PMA_Config::getCookiePath() . ($httponly ? '; HttpOnly' : ''), '', PMA_Config::isHttps());
-            }
-        }
-
-        // cookie has already $value as value
-        return true;
-    }
-
    /**
     * Displays a lightbulb hint explaining a known external bug
     * that affects a functionality
@@ -2451,6 +2456,17 @@ if (isset($_REQUEST['GLOBALS']) || isset($_FILES['GLOBALS'])
    die('GLOBALS overwrite attempt');
 }

+/**
+ * protect against deep recursion attack CVE-2006-1549,
+ * 1000 seems to be more than enough
+ *
+ * @see http://www.php-security.org/MOPB/MOPB-02-2007.html
+ * @see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1549
+ */
+if (count($GLOBALS) > 1000) {
+    die('possible deep recurse attack');
+}
+
 /**
 * Check for numeric keys
 * (if register_globals is on, numeric key can be found in $GLOBALS)
--- a/pmd/scripts/move.js
+++ b/pmd/scripts/move.js
@@ -177,7 +177,7 @@ function Main()
  Small_tab_refresh();
  Re_load();
  id_hint = document.getElementById('hint');
-  if (ieIE) {
+  if (isIE) {
    General_scroll();
  }
 }