bugs #1149381 and 1149383

ChangeLog

@@ -5,6 +5,10 @@ phpMyAdmin - Changelog
 $Id$
 $Source$
 
+2005-02-22 Alexander M. Turek  <me@derrabus.de>
+    * libraries/grab_globals.lib.php: Hotfix against bug #1149381 and parts
+      of bug #1149383.
+
 2005-02-21 Marc Delisle  <lem9@users.sourceforge.net>
     * pdf_pages.php: patch #1120466 (modified): optional column names
       in visual scratchboard, thanks to Remco Aalbers - remcoa
@@ -16,8 +20,8 @@ $Source$
 
 2005-02-16 Alexander M. Turek  <me@derrabus.de>
     * db_details_export.php: Views are not exportable yet.
-	* themes/*/css/theme_right.css.php: Allow to mark a whole row as disabled.
-	* server_engines.php: Use new CSS class 'disabled' for unavailable
+    * themes/*/css/theme_right.css.php: Allow to mark a whole row as disabled.
+    * server_engines.php: Use new CSS class 'disabled' for unavailable
       engines.
 
 2005-02-14 Michal Čihař  <michal@cihar.com>

libraries/grab_globals.lib.php

@@ -18,6 +18,22 @@ function PMA_gpc_extract($array, &$target) {
     }
     $is_magic_quotes = get_magic_quotes_gpc();
     foreach ($array AS $key => $value) {
+        /**
+         * 2005-02-22, rabus:
+         *
+         * This is just an ugly hotfix to avoid changing internal config
+         * parameters.
+         *
+         * Currently, the following variable names are rejected when found in
+         * $_GET or $_POST: cfg and str*
+         *
+         * Warning: this is also affects array keys:
+         * Variables like $_GET['harmless']['cfg'] will also be rejected!
+         */
+        if ($key == 'cfg' || substr($key, 0, 3) == 'str') {
+            continue;
+        }
+
         if (is_array($value)) {
             // there could be a variable coming from a cookie of
             // another application, with the same name as this array