From 4cbcd96081320c5bc2d27ea0deffe223f2a98334 Mon Sep 17 00:00:00 2001 From: "Alexander M. Turek" Date: Tue, 22 Feb 2005 23:07:59 +0000 Subject: [PATCH] bugs #1149381 and 1149383 --- ChangeLog | 8 ++++++-- libraries/grab_globals.lib.php | 16 ++++++++++++++++ 2 files changed, 22 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 917296e63..26b33bb05 100755 --- a/ChangeLog +++ b/ChangeLog @@ -5,6 +5,10 @@ phpMyAdmin - Changelog $Id$ $Source$ +2005-02-22 Alexander M. Turek + * libraries/grab_globals.lib.php: Hotfix against bug #1149381 and parts + of bug #1149383. + 2005-02-21 Marc Delisle * pdf_pages.php: patch #1120466 (modified): optional column names in visual scratchboard, thanks to Remco Aalbers - remcoa @@ -16,8 +20,8 @@ $Source$ 2005-02-16 Alexander M. Turek * db_details_export.php: Views are not exportable yet. - * themes/*/css/theme_right.css.php: Allow to mark a whole row as disabled. - * server_engines.php: Use new CSS class 'disabled' for unavailable + * themes/*/css/theme_right.css.php: Allow to mark a whole row as disabled. + * server_engines.php: Use new CSS class 'disabled' for unavailable engines. 2005-02-14 Michal Čihař diff --git a/libraries/grab_globals.lib.php b/libraries/grab_globals.lib.php index 93572d33a..5c5a35620 100644 --- a/libraries/grab_globals.lib.php +++ b/libraries/grab_globals.lib.php 
@@ -18,6 +18,22 @@ function PMA_gpc_extract($array, &$target) {
 }
 $is_magic_quotes = get_magic_quotes_gpc();
 foreach ($array AS $key => $value) {
+ /**
+ * 2005-02-22, rabus:
+ *
+ * This is just an ugly hotfix to avoid changing internal config
+ * parameters.
+ *
+ * Currently, the following variable names are rejected when found in
+ * $_GET or $_POST: cfg and str*
+ *
+ * Warning: this is also affects array keys:
+ * Variables like $_GET['harmless']['cfg'] will also be rejected!
+ */
+ if ($key == 'cfg' || substr($key, 0, 3) == 'str') {
+ continue;
+ }
+
 if (is_array($value)) {
 // there could be a variable coming from a cookie of
 // another application, with the same name as this array
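Review bot: The added guard compares with `==`, and under the loose comparison rules of PHP versions before 8 the integer key 0 equals the string 'cfg', so element 0 of any submitted list is silently skipped, including in the nested arrays that the comment says the check also covers. Identity comparison keeps the filter intact without that side effect: `if ($key === 'cfg' || substr($key, 0, 3) === 'str') {`. Separately, a name denylist covers only `cfg` and `str*`, so any other global the application relies on can presumably still be set from request data. A follow-up should skip keys that are already defined in the target scope, or accept only an allowlist of expected parameters. The body of PMA_gpc_extract starts and ends outside the hunk, so safeguards elsewhere in the function are not visible here.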