Reworked blob file upload. More security cautions, and preserve

fields contents, if no new file was uploaded. Moved is_uploaded_file
function from read_dump.php3 to common.lib.php3 for reusability.

ChangeLog

@@ -5,6 +5,13 @@ phpMyAdmin - Changelog
 $Id$
 $Source$
 
+
+2003-02-17 Garvin Hicking <me@supergarv.de>
+    * tbl_replace_fields.php3, read_dump.php3, libraries/common.lib.php3:
+      Reworked blob file upload. More security cautions, and preserve
+      fields contents, if no new file was uploaded. Moved is_uploaded_file
+      function from read_dump.php3 to common.lib.php3 for reusability.
+      
 2003-02-16 Michal Cihar  <nijel@users.sourceforge.net>
     * tbl_change.php3, tbl_replace_fields.php3: Removed checkbox for binary
       upload, upload field moved into table.

libraries/common.lib.php3

@@ -1660,5 +1660,31 @@ if (typeof(document.getElementById) != 'undefined'
         define('PMA_MULTIBYTE_ENCODING', 1);
     } // end if
 
+    // garvin: moved from read_dump.php3 because this should be used in tbl_replace_fields.php3 as well.
+    if (!function_exists('is_uploaded_file')) {
+        /**
+         * Emulates the 'is_uploaded_file()' function for old php versions.
+         * Grabbed at the php manual:
+         *     http://www.php.net/manual/en/features.file-upload.php
+         *
+         * @param   string    the name of the file to check
+         *
+         * @return  boolean   wether the file has been uploaded or not
+         *
+         * @access  public
+         */
+        function is_uploaded_file($filename) {
+            if (!$tmp_file = @get_cfg_var('upload_tmp_dir')) {
+                $tmp_file = tempnam('','');
+                $deleted  = @unlink($tmp_file);
+                $tmp_file = dirname($tmp_file);
+            }
+            $tmp_file     .= '/' . basename($filename);
+    
+            // User might have trailing slash in php.ini...
+            return (ereg_replace('/+', '/', $tmp_file) == $filename);
+        } // end of the 'is_uploaded_file()' emulated function
+    } // end if
+
 } // $__PMA_COMMON_LIB__
 ?>

read_dump.php3

@@ -139,31 +139,6 @@ function PMA_splitSqlFile(&$ret, $sql, $release)
 } // end of the 'PMA_splitSqlFile()' function
 
 
-if (!function_exists('is_uploaded_file')) {
-    /**
-     * Emulates the 'is_uploaded_file()' function for old php versions.
-     * Grabbed at the php manual:
-     *     http://www.php.net/manual/en/features.file-upload.php
-     *
-     * @param   string    the name of the file to check
-     *
-     * @return  boolean   wether the file has been uploaded or not
-     *
-     * @access  public
-     */
-    function is_uploaded_file($filename) {
-        if (!$tmp_file = @get_cfg_var('upload_tmp_dir')) {
-            $tmp_file = tempnam('','');
-            $deleted  = @unlink($tmp_file);
-            $tmp_file = dirname($tmp_file);
-        }
-        $tmp_file     .= '/' . basename($filename);
-
-        // User might have trailing slash in php.ini...
-        return (ereg_replace('/+', '/', $tmp_file) == $filename);
-    } // end of the 'is_uploaded_file()' emulated function
-} // end if
-
 /**
  * Reads (and decompresses) a (compressed) file into a string
  *

tbl_replace_fields.php3

@@ -7,14 +7,47 @@
 
         // f i e l d    u p l o a d e d    f r o m    a    f i l e
 
-        if (isset(${"fields_upload_" . $key}) && !empty(${"fields_upload_" . $key}) && ${"fields_upload_" . $key} != 'none') {
+        // garvin: original if-clause checked, whether input was stored in a possible fields_upload_XX var.
+        // Now check, if the field is set. If it is empty or a malicious file, do not alter fields contents. 
+        // If an empty or invalid file is specified, the binary data gets deleter. Maybe a nice
+        // new text-variable is appropriate to document this behaviour.
+        
+        // garvin: security cautions! You could trick the form and submit any file the webserver has access to
+        // for upload to a binary field. Shouldn't be that easy! ;)
+        
+        if (isset(${"fields_upload_" . $key}) && ${"fields_upload_" . $key} != 'none'){
+            // garvin: This fields content is a blob-file upload.
+
+            if (!empty(${"fields_upload_" . $key})) {
+                // garvin: The blob-field is not empty. Check what we have there.
+
                 $data_file = ${"fields_upload_" . $key};
+
+                if (is_uploaded_file($data_file)) {
+                    // garvin: A valid uploaded file is found. Look into the file...
+
                     $val = fread(fopen($data_file, "rb"), filesize($data_file));
                     // nijel: This is probably the best way how to put binary data
                     // into MySQL and it also allow not to care about charset
                     // conversion that would otherwise corrupt the data.
+                    
+                    if (empty($val)) {
+                        // garvin: an empty file was uploaded. Remove blob-field's contents.
+                        $val = "''";
+                    } else {
+                        // garvin: The upload was valid. Check in new blob-field's contents.
                         $val = '0x' . bin2hex($val);
                         $seen_binary = TRUE;
+                    }
+                } else {
+                    // garvin: Danger, will robinson. File is malicious. Preserver blob-field contents.
+                    unset($val);
+                }
+            } else {
+                // garvin: Post-field contains no data. PRESERVE BLOB-FIELD CONTENTS!
+                unset($val);
+            }
+            // garvin: else-case would be, no file was submitted, the post-fields content's are empty.
         } else {
 
         // f i e l d    v a l u e    i n    t h e    f o r m