From 435dfbbe7e940e4a074709a257bbf3a1b8e9cf87 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lo=C3=AFc=20Chapeaux?=
Date: Tue, 25 Sep 2001 23:24:15 +0000
Subject: [PATCH] fixed some security issues
---
 ChangeLog | 4 ++
 left.php3 | 31 +------------
 libraries/common.lib.php3 | 92 +++++++++++++++++++++++++++++++++++++--
 tbl_move_copy.php3 | 9 +++-
 tbl_properties.php3 | 27 +++++++++++-
 tbl_rename.php3 | 7 +++
 6 files changed, 134 insertions(+), 36 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 91eb4a0cd..afb7ade2e 100755
--- a/ChangeLog
+++ b/ChangeLog
@@ -5,6 +5,10 @@ phpMyAdmin - Changelog
 $Id$
 $Source$
+2001-09-25 Loïc Chapeaux
+ * libraries/common.lib.php3; left.php3; tbl_move_copy.php3;
+ tbl_properties.php3; tbl_rename.php3: fixed some security issues.
+
 2001-09-25 Loïc Chapeaux
 * lang/italian.inc.php3: updated thanks to Pietro Danesi.
diff --git a/left.php3 b/left.php3
index b5786753b..5d46f43bb 100755
--- a/left.php3
+++ b/left.php3
@@ -19,36 +19,7 @@ require('./libraries/common.lib.php3');
 * before the user choose among available ones at the welcome screen.
 */
 if ($server > 0) {
- $num_dbs = count($dblist);
- // 1. $cfgServers[n]['only_db'] exists -> gets the valid databases list
- if ($num_dbs) {
- $true_dblist = array();
- for ($i = 0; $i < $num_dbs; $i++) {
- $dblink = @mysql_select_db($dblist[$i]);
- if ($dblink) {
- $true_dblist[] = $dblist[$i];
- } // end if
- } // end for
- unset($dblist);
- $dblist = $true_dblist;
- unset($true_dblist);
- $num_dbs = count($dblist);
- } // end if
- // 2. no $cfgServers[n]['only_db']
- else {
- $dbs = mysql_list_dbs() or mysql_die('', 'mysql_list_dbs()', FALSE, '');
- $num_dbs = @mysql_num_rows($dbs);
- $real_num_dbs = 0;
- for ($i = 0; $i < $num_dbs; $i++) {
- $db_name_tmp = mysql_dbname($dbs, $i);
- $dblink = @mysql_select_db($db_name_tmp);
- if ($dblink) {
- $dblist[] = $db_name_tmp;
- $real_num_dbs++;
- }
- } // end for
- $num_dbs = $real_num_dbs;
- } // end else
+ available_databases(); // this function is defined in "common.lib.php3"
 } else {
 $num_dbs = 0;
 }
diff --git a/libraries/common.lib.php3 b/libraries/common.lib.php3
index ab5b6b479..cdce215dd 100644
--- a/libraries/common.lib.php3
+++ b/libraries/common.lib.php3
@@ -23,7 +23,8 @@ if (!defined('__LIB_COMMON__')){
 * the include of libraries/defines.lib.php3 must be after the connection
 * to db to get the MySql version
 *
- * the auth() function must be before the connection to db
+ * the auth() function must be before the connection to db but after the
+ * pmaIsInto() function
 *
 * the mysql_die() function must be before the connection to db but after
 * mysql extension has been loaded
@@ -36,7 +37,9 @@ if (!defined('__LIB_COMMON__')){
 * MySQL release number)
 * - load of mysql extension (if necessary)
 * - definition of mysql_die()
+ * - definition of pmaIsInto()
 * - db connection
+ * - advanced authentication work if required
 * - second load of the libraries/define.lib.php3 library to get the MySQL
 * release number)
 * - other functions, respecting dependencies
@@ -203,6 +206,28 @@ if (!defined('__LIB_COMMON__')){
 } // end of the 'mysql_die()' function
+ /**
+ * Defines whether a string exists inside an array or not
+ *
+ * @param string string to search for
+ * @param mixed array to search into
+ *
+ * @return integer the rank of the $toFind string in the array or '-1' if
+ * it hasn't been found
+ *
+ * @access public
+ */
+ function pmaIsInto($toFind = '', &$in)
+ {
+ $max = count($in);
+ for ($i = 0; $i < $max && ($toFind != $in[$i]); $i++) {
+ // void();
+ }
+
+ return ($i < $max) ? $i : -1;
+ } // end of the 'pmaIsInto()' function
+
+
 /**
 * Use mysql_connect() or mysql_pconnect()?
 */
@@ -412,7 +437,10 @@ if (!defined('__LIB_COMMON__')){
 auth();
 } else {
 while ($row = mysql_fetch_array($rs)) {
- $dblist[] = $row['Db'];
+ // loic1: avoid multiple entries for dbs
+ if (pmaIsInto($row['Db'], $dblist) == -1) {
+ $dblist[] = $row['Db'];
+ }
 }
 mysql_free_result($rs);
 }
@@ -429,7 +457,10 @@ if (!defined('__LIB_COMMON__')){
 // database names instead of with regular
 // expressions.
 while ($row = mysql_fetch_array($rs)) {
- $uva_mydbs[$row['Db']] = 1;
+ // loic1: avoid multiple entries for dbs
+ if (pmaIsInto($row['Db'], $dblist) == -1) {
+ $uva_mydbs[$row['Db']] = 1;
+ }
 }
 mysql_free_result($rs);
 $uva_alldbs = mysql_list_dbs();
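Review bot: `pmaIsInto()` compares with the loose `!=` operator in `$toFind != $in[$i]`, and since this helper now gates which databases a request may touch (the `$dblist` checks added in tbl_move_copy.php3 and tbl_rename.php3), PHP's numeric-string coercion makes names such as `1e3` and `1000` compare equal, so a name that is not in the allowed list can match one that is. Use strict comparison, `for ($i = 0; $i < $max && ($toFind !== $in[$i]); $i++) {`, so only a byte-identical name counts as found. The loop also assumes `$in` is a 0-indexed list; the callers build `$dblist` with `$dblist[] =`, so that holds today, but stating it in the docblock (`@param array a 0-indexed list of strings to search into`) would make the contract explicit.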
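Review bot: In the second `pmaIsInto()` guard (the `$uva_mydbs` loop) the comment says it avoids multiple entries, but the lookup is against `$dblist`, not `$uva_mydbs`, and `$uva_mydbs` is keyed by database name so it cannot hold duplicates anyway. What the guard actually does is leave out of `$uva_mydbs` every database already present in `$dblist`; if that is the intent the comment should say so, e.g. `// skip dbs already granted through $dblist`, and if it is not, the guard should be dropped. The code that later consumes `$uva_mydbs` lies outside the hunk, so I cannot tell which was meant.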
@@ -498,6 +529,61 @@ if (!defined('__LIB_COMMON__')){
 }
+ /**
+ * Get the list and number of available databases.
+ *
+ * @param string the url to go back to in case of error
+ *
+ * @return boolean always true
+ *
+ * @global array the list of available databases
+ * @global integer the number of available databases
+ */
+ function available_databases($error_url = '')
+ {
+ global $dblist;
+ global $num_dbs;
+
+ $num_dbs = count($dblist);
+
+ // 1. A list of allowed databases has already been defined by the
+ // authentification process -> gets the available databases list
+ if ($num_dbs) {
+ $true_dblist = array();
+ for ($i = 0; $i < $num_dbs; $i++) {
+ $dblink = @mysql_select_db($dblist[$i]);
+ if ($dblink) {
+ $true_dblist[] = $dblist[$i];
+ } // end if
+ } // end for
+ unset($dblist);
+ $dblist = $true_dblist;
+ unset($true_dblist);
+ $num_dbs = count($dblist);
+ } // end if
+
+ // 2. Allowed database list is empty -> gets the list of all databases
+ // on the server
+ else {
+ $dbs = mysql_list_dbs() or mysql_die('', 'mysql_list_dbs()', FALSE, $error_url);
+ $num_dbs = @mysql_num_rows($dbs);
+ $real_num_dbs = 0;
+ for ($i = 0; $i < $num_dbs; $i++) {
+ $db_name_tmp = mysql_dbname($dbs, $i);
+ $dblink = @mysql_select_db($db_name_tmp);
+ if ($dblink) {
+ $dblist[] = $db_name_tmp;
+ $real_num_dbs++;
+ }
+ } // end for
+ mysql_free_result($dbs);
+ $num_dbs = $real_num_dbs;
+ } // end else
+
+ return TRUE;
+ } // end of the 'available_databases()' function
+
+
 /**
 * Gets constants that defines the PHP, MySQL... releases.
 * This include must be located physically before any code that needs to
diff --git a/tbl_move_copy.php3 b/tbl_move_copy.php3
index 5cd1e7d4e..e87eb7eb5 100644
--- a/tbl_move_copy.php3
+++ b/tbl_move_copy.php3
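Review bot: `available_databases()` probes every candidate with `@mysql_select_db()` and never restores the database that was selected before the call, so on return the connection is left on whichever database was last selectable. The new callers in tbl_move_copy.php3 and tbl_rename.php3 invoke it right before running statements against `$db`, so any later query that relies on the current database rather than a `db.table`-qualified name may run against the wrong schema; either reselect `$db` after the call or record the side effect in the docblock, e.g. `* Note: leaves the connection's current database changed; callers must reselect.`. Separately, branch 1 evaluates `count($dblist)` even when no allowed-list was set, which may raise an undefined-variable notice before yielding 0; `$num_dbs = isset($dblist) ? count($dblist) : 0;` avoids that.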
@@ -62,6 +62,13 @@ if (isset($new_name) && trim($new_name) != '') {
 }
 $new_name = stripslashes($new_name);
 }
+
+ // Ensure the target is valid
+ // The functions used below are defined in "common.lib.php3"
+ available_databases('main.php3?lang=' . $lang . '&server=' . $server);
+ if (pmaIsInto($db, $dblist) == -1 || pmaIsInto($target_db, $dblist) == -1) {
+ exit();
+ }
 if (MYSQL_INT_VERSION < 32306) {
 check_reserved_words($target_db, $err_url);
 check_reserved_words($new_name, $err_url);
@@ -88,7 +95,7 @@ if (isset($new_name) && trim($new_name) != '') {
 if ($result != FALSE && $what == 'data') {
 // speedup copy table - staybyte - 22. Juni 2001
 if (MYSQL_INT_VERSION >= 32300) {
- $sql_insert_data = 'INSERT INTO ' . $target . ' SELECT * FROM ' . backquote($table);
+ $sql_insert_data = 'INSERT INTO ' . $target . ' SELECT * FROM ' . $source;
 $result = @mysql_query($sql_insert_data);
 if (mysql_error()) {
 include('./header.inc.php3');
diff --git a/tbl_properties.php3 b/tbl_properties.php3
index dae0b76c7..94d615f20 100755
--- a/tbl_properties.php3
+++ b/tbl_properties.php3
@@ -991,7 +991,18 @@ echo "\n";
- +  . 
@@ -1021,7 +1032,19 @@ echo "\n";
- +  . 
diff --git a/tbl_rename.php3 b/tbl_rename.php3
index 4a22b50d2..96c75dfdd 100755
--- a/tbl_rename.php3
+++ b/tbl_rename.php3
@@ -29,6 +29,13 @@ if (isset($new_name) && trim($new_name) != '') {
 if (get_magic_quotes_gpc()) {
 $new_name = stripslashes($new_name);
 }
+
+ // Ensure the target is valid
+ // The functions used below are defined in "common.lib.php3"
+ available_databases('main.php3?lang=' . $lang . '&server=' . $server);
+ if (pmaIsInto($db, $dblist) == -1) {
+ exit();
+ }
 if (MYSQL_INT_VERSION < 32306) {
 check_reserved_words($new_name, $err_url);
 }
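Review bot: The new guard in tbl_move_copy.php3 calls `exit()` with no output when `$db` or `$target_db` is not in `$dblist`, so a user whose target is mistyped or no longer accessible gets a blank page with nothing logged; the same silent exit is added in the tbl_rename.php3 hunk. The file already has an error path through `mysql_die()` with `$err_url` (used two lines below for `check_reserved_words()`), so the rejection should be reported through that path with a message and the back link instead of `exit()`. The check is also performed before `$target_db` is otherwise validated, and whether `$target_db` is even set at this point is outside the hunk, so a comment such as `// $dblist is populated by available_databases(); an absent name fails closed` would help the next reader see why an unset value is rejected rather than ignored.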
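Review bot: The copy statement now reads from `$source` instead of `backquote($table)`, but `$source` is built outside this hunk, so I cannot confirm it is backquoted and database-qualified the way `$target` is. If it is assembled from `$db` and `$table` it should be `backquote($db) . '.' . backquote($table)`, both so a table name containing a reserved word or special character does not break the `INSERT ... SELECT`, and so the copy reads from the origin database regardless of which database `available_databases()` left selected on the connection earlier in this file.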