diff --git a/ChangeLog b/ChangeLog
index b65382e2a..519000d28 100755
--- a/ChangeLog
+++ b/ChangeLog
@@ -7,6 +7,9 @@ $Source$
 2004-06-15 Marc Delisle
 * queryframe.php: undefined $cfgRelation, thanks to Michael Keck (mkkeck)
+ * export.php, sql.php, db_details_importdocsql.php, ldi_check.php,
+ tbl_replace.php, libraries/common.lib.php,
+ libraries/transformations.lib.php: new function PMA_securePATH()
 2004-06-15 Michal Čihař
 * lang/czech: Updated.
diff --git a/db_details_importdocsql.php b/db_details_importdocsql.php
index af32ba7b3..0103be0b2 100644
--- a/db_details_importdocsql.php
+++ b/db_details_importdocsql.php
@@ -201,7 +201,7 @@ if (isset($cfg['docSQLDir']) && !empty($cfg['docSQLDir'])) {
 } else {
 // echo '

Starting Import

';
- $docpath = $cfg['docSQLDir'] . preg_replace('@\.\.*@', '.', $docpath);
+ $docpath = $cfg['docSQLDir'] . PMA_securePath($docpath);
 if (substr($docpath, -1) != '/') {
 $docpath .= '/';
 }
diff --git a/ldi_check.php b/ldi_check.php
index 87c50b2e3..07836b0d4 100644
--- a/ldi_check.php
+++ b/ldi_check.php
@@ -48,7 +48,7 @@ if (isset($btnLDI) && isset($local_textfile) && $local_textfile != '') {
 if (substr($cfg['UploadDir'], -1) != '/') {
 $cfg['UploadDir'] .= '/';
 }
- $textfile = $DOCUMENT_ROOT . dirname($PHP_SELF) . '/' . preg_replace('@^./@s', '', $cfg['UploadDir']) . preg_replace('@\.\.*@', '.', $local_textfile);
+ $textfile = $DOCUMENT_ROOT . dirname($PHP_SELF) . '/' . preg_replace('@^./@s', '', $cfg['UploadDir']) . PMA_securePath($local_textfile);
 if (file_exists($textfile)) {
 $open_basedir = @ini_get('open_basedir');
diff --git a/libraries/transformations.lib.php b/libraries/transformations.lib.php
index 97f970dcb..ac361d97f 100644
--- a/libraries/transformations.lib.php
+++ b/libraries/transformations.lib.php
@@ -186,7 +186,7 @@ function PMA_setMIME($db, $table, $key, $mimetype, $transformation, $transformat
 function PMA_sanitizeTransformationFile(&$filename) {
 // garvin: for security, never allow to break out from transformations directory
- $include_file = preg_replace('@\.\.*@', '.', $filename);
+ $include_file = PMA_securePath($filename);
 // This value can also contain a 'php3' value, in which case we map this filename to our new 'php' variant
 $testfile = preg_replace('@\.inc\.php3$@', '.inc.php', $include_file);
diff --git a/sql.php b/sql.php
index 068cb5931..59b8355ad 100644
--- a/sql.php
+++ b/sql.php
@@ -165,7 +165,7 @@ if (isset($btnDrop) && $btnDrop == $strNo) {
 unset($table);
 }
 $active_page = $goto;
- require('./' . preg_replace('@\.\.*@', '.', $goto));
+ require('./' . PMA_securePath($goto));
 } else {
 PMA_sendHeaderLocation($cfg['PmaAbsoluteUri'] . str_replace('&', '&', $goto));
 }
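Review bot: The new `$docpath = $cfg['docSQLDir'] . PMA_securePath($docpath);` line joins the configured directory and the request-supplied name with no separator, so if `docSQLDir` lacks a trailing slash the user value is glued onto the directory name and can select a sibling directory that merely shares the prefix (the trailing-slash fix-up just below applies to the combined result, not to the base). The ldi_check.php hunk in this same commit normalises `$cfg['UploadDir']` before appending to it; unless `docSQLDir` is normalised somewhere above line 201, the same guard belongs here: `if (substr($cfg['docSQLDir'], -1) != '/') { $cfg['docSQLDir'] .= '/'; }`. Containment of the user part now rests on `PMA_securePath()`, which the ChangeLog places in libraries/common.lib.php but which is not shown in this diff. The enclosing `if ... else` block starts before the hunk.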
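Review bot: `$textfile` is accepted on the strength of `file_exists()` alone; the only thing keeping it under `UploadDir` is whatever `PMA_securePath()` (not shown in this diff) removes from `$local_textfile`, and the `open_basedir` handling that follows is outside the hunk. A canonical-path check makes the containment independent of the helper: `$upload_root = realpath($DOCUMENT_ROOT . dirname($PHP_SELF) . '/' . preg_replace('@^./@s', '', $cfg['UploadDir']));` and then `if ($upload_root !== false && strpos(realpath($textfile), $upload_root . '/') === 0) {` in place of the `file_exists` test (`realpath()` returns false for a missing file, so that case still fails as before). The surrounding `if (isset($btnLDI) ...)` block starts before the hunk and continues after it.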
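Review bot: The comment above the changed line promises the file can never escape the transformations directory, but after this change that promise is delegated entirely to `PMA_securePath()`, whose definition (libraries/common.lib.php per the ChangeLog) is not in this diff, so whether it also rejects directory separators — the other way to wander out of a flat directory, via a subdirectory name — cannot be checked here. If transformation files all live directly in that directory, `$include_file = basename(PMA_securePath($filename));` closes that gap regardless of what the helper does; if subdirectories are legitimate, the comment should instead state the exact guarantee the helper provides and note that the caller prepends the transformations directory. `PMA_sanitizeTransformationFile()` continues past the end of the hunk.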
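Review bot: `$active_page = $goto;` on the line above the changed `require` still takes the raw request value while only the `require` argument goes through `PMA_securePath()`, so the two can disagree about which script is being run; the second sql.php hunk in this commit avoids that by rewriting `$goto` itself before use. Make this branch do the same: `$active_page = PMA_securePath($goto);` followed by `require('./' . $active_page);`. The condition that selects this branch begins before the hunk, so whether `$goto` was already filtered to known page names cannot be seen here.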
@@ -580,7 +580,7 @@ else {
 $message .= ' ' . (isset($GLOBALS['querytime']) ? '(' . sprintf($strQueryTime, $GLOBALS['querytime']) . ')' : '');
 if ($is_gotofile) {
- $goto = preg_replace('@\.\.*@', '.', $goto);
+ $goto = PMA_securePath($goto);
 // Checks for a valid target script
 if (isset($table) && $table == '') {
 unset($table);
diff --git a/tbl_replace.php b/tbl_replace.php
index 0d6d08454..1817e03e5 100644
--- a/tbl_replace.php
+++ b/tbl_replace.php
@@ -183,7 +183,7 @@ if (empty($valuelist) && empty($query)) {
 if ($is_gotofile) {
 $js_to_run = 'functions.js';
 require_once('./header.inc.php');
- require('./' . preg_replace('@\.\.*@', '.', $goto));
+ require('./' . PMA_securePath($goto));
 } else {
 PMA_sendHeaderLocation($cfg['PmaAbsoluteUri'] . $goto . '&disp_message=' . urlencode($message) . '&disp_query=');
@@ -235,7 +235,7 @@ if ($is_gotofile) {
 $js_to_run = 'functions.js';
 $active_page = $goto;
 require_once('./header.inc.php');
- require('./' . preg_replace('@\.\.*@', '.', $goto));
+ require('./' . PMA_securePath($goto));
 } else {
 // I don't understand this one:
 //$add_query = (strpos(' ' . $goto, 'tbl_change') ? '&disp_query=' . urlencode($sql_query) : '');
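Review bot: The new `$goto = PMA_securePath($goto);` only neutralises path tricks; it does not restrict `$goto` to the handful of pages this code means to hand off to, so the `require` that presumably follows (it is outside this hunk; the first sql.php hunk shows the pattern) can still pull in any file under the phpMyAdmin tree. If `$is_gotofile`, computed before the hunk, already limits `$goto` to known script names, a comment here saying so would spare the next reader the search — `// $is_gotofile guarantees $goto names one of our own page scripts; PMA_securePath() only neutralises path tricks on top of that` — and if it does not, an explicit `in_array($goto, $allowed_targets)` check belongs before this line. The "Checks for a valid target script" comment that follows refers only to `$table`/`$db` clean-up as far as the hunk shows.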
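Review bot: In the `@@ -235` hunk `$active_page = $goto;` keeps the raw request value while the `require` two lines later uses `PMA_securePath($goto)`, the same mismatch as in sql.php's first hunk; setting `$active_page = PMA_securePath($goto);` and then `require('./' . $active_page);` keeps the two in step. Since sql.php's second hunk reassigns `$goto` in place instead, one convention should be used at every call site rather than a mix. The `if ($is_gotofile)` block starts before the hunk and its `else` branch continues after it.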