PMA_securePath

2004-06-15 16:55:53 +00:00
parent ab543c6ac5
commit 5fb6e7976d
6 changed files with 10 additions and 7 deletions
--- a/3
+++ b/3
@@ -7,6 +7,9 @@ $Source$

 2004-06-15 Marc Delisle  <lem9@users.sourceforge.net>
    * queryframe.php: undefined $cfgRelation, thanks to Michael Keck (mkkeck)
+    * export.php, sql.php, db_details_importdocsql.php, ldi_check.php,
+      tbl_replace.php, libraries/common.lib.php, 
+      libraries/transformations.lib.php: new function PMA_securePATH()

 2004-06-15 Michal Čihař  <michal@cihar.com>
    * lang/czech: Updated.
--- a/db_details_importdocsql.php
+++ b/db_details_importdocsql.php
@@ -201,7 +201,7 @@ if (isset($cfg['docSQLDir']) && !empty($cfg['docSQLDir'])) {
        } else {

            // echo '<h1>Starting Import</h1>';
-            $docpath = $cfg['docSQLDir'] . preg_replace('@\.\.*@', '.', $docpath);
+            $docpath = $cfg['docSQLDir'] . PMA_securePath($docpath);
            if (substr($docpath, -1) != '/') {
                $docpath .= '/';
            }
--- a/ldi_check.php
+++ b/ldi_check.php
@@ -48,7 +48,7 @@ if (isset($btnLDI) && isset($local_textfile) && $local_textfile != '') {
    if (substr($cfg['UploadDir'], -1) != '/') {
        $cfg['UploadDir'] .= '/';
    }
-    $textfile = $DOCUMENT_ROOT . dirname($PHP_SELF) . '/' . preg_replace('@^./@s', '', $cfg['UploadDir']) . preg_replace('@\.\.*@', '.', $local_textfile);
+    $textfile = $DOCUMENT_ROOT . dirname($PHP_SELF) . '/' . preg_replace('@^./@s', '', $cfg['UploadDir']) . PMA_securePath($local_textfile);
    if (file_exists($textfile)) {
        $open_basedir = @ini_get('open_basedir');

--- a/libraries/transformations.lib.php
+++ b/libraries/transformations.lib.php
@@ -186,7 +186,7 @@ function PMA_setMIME($db, $table, $key, $mimetype, $transformation, $transformat
 function PMA_sanitizeTransformationFile(&$filename) {
    // garvin: for security, never allow to break out from transformations directory

-    $include_file = preg_replace('@\.\.*@', '.', $filename);
+    $include_file = PMA_securePath($filename);

    // This value can also contain a 'php3' value, in which case we map this filename to our new 'php' variant
    $testfile = preg_replace('@\.inc\.php3$@', '.inc.php', $include_file);
--- a/sql.php
+++ b/sql.php
@@ -165,7 +165,7 @@ if (isset($btnDrop) && $btnDrop == $strNo) {
            unset($table);
        }
        $active_page = $goto;
-        require('./' . preg_replace('@\.\.*@', '.', $goto));
+        require('./' . PMA_securePath($goto));
    } else {
        PMA_sendHeaderLocation($cfg['PmaAbsoluteUri'] . str_replace('&amp;', '&', $goto));
    }
@@ -580,7 +580,7 @@ else {
        $message .= ' ' . (isset($GLOBALS['querytime']) ? '(' . sprintf($strQueryTime, $GLOBALS['querytime']) . ')' : '');

        if ($is_gotofile) {
-            $goto = preg_replace('@\.\.*@', '.', $goto);
+            $goto = PMA_securePath($goto);
            // Checks for a valid target script
            if (isset($table) && $table == '') {
                unset($table);
--- a/tbl_replace.php
+++ b/tbl_replace.php
@@ -183,7 +183,7 @@ if (empty($valuelist) && empty($query)) {
    if ($is_gotofile) {
        $js_to_run = 'functions.js';
        require_once('./header.inc.php');
-        require('./' . preg_replace('@\.\.*@', '.', $goto));
+        require('./' . PMA_securePath($goto));
    } else {
        PMA_sendHeaderLocation($cfg['PmaAbsoluteUri'] . $goto . '&disp_message=' . urlencode($message) . '&disp_query=');

@@ -235,7 +235,7 @@ if ($is_gotofile) {
    $js_to_run = 'functions.js';
    $active_page = $goto;
    require_once('./header.inc.php');
-    require('./' . preg_replace('@\.\.*@', '.', $goto));
+    require('./' . PMA_securePath($goto));
 } else {
    // I don't understand this one:
    //$add_query = (strpos(' ' . $goto, 'tbl_change') ? '&disp_query=' . urlencode($sql_query) : '');