Fix path disclossure while passing array as some params.

ChangeLog

@@ -9,6 +9,9 @@ $HeadURL$
     * sql.php, libraries/display_tbl.lib.php: Force pos to be integer to avoid
       XSS.
     * navigation.php: Fix XSS on table comment.
+    * index.php, libraries/cleanup.lib.php, libraries/url_generating.lib.php,
+      libraries/common.lib.php, libraries/select_lang.lib.php: Fix path
+      disclossure while passing array as some params.
 
 2006-11-16 Marc Delisle  <lem9@users.sourceforge.net>
     * pmd_pdf.php: export coordinates to PDF page even if the tables

index.php

@@ -88,7 +88,7 @@ if (! isset($GLOBALS['db']) || ! strlen($GLOBALS['db'])) {
 
 $url_query = PMA_generate_common_url($_GET);
 
-if (!empty($GLOBALS['target']) && in_array($GLOBALS['target'], $goto_whitelist)) {
+if (is_string($GLOBALS['target']) && !empty($GLOBALS['target']) && in_array($GLOBALS['target'], $goto_whitelist)) {
     $main_target = $GLOBALS['target'];
 }
 

libraries/cleanup.lib.php

@@ -16,7 +16,7 @@
  */
 function PMA_remove_request_vars(&$whitelist) {
     // do not check only $_REQUEST because it could have been overwritten
-    // and use type casting because the variables could have become 
+    // and use type casting because the variables could have become
     // strings
     $keys = array_keys(array_merge((array)$_REQUEST, (array)$_GET, (array)$_POST, (array)$_COOKIE));
 
@@ -25,7 +25,27 @@ function PMA_remove_request_vars(&$whitelist) {
             unset($_REQUEST[$key], $_GET[$key], $_POST[$key], $GLOBALS[$key]);
         } else {
             // allowed stuff could be compromised so escape it
-            $_REQUEST[$key] = htmlspecialchars($_REQUEST[$key], ENT_QUOTES);
+            // we require it to be a string
+            if (is_string($_REQUEST[$key])) {
+                $_REQUEST[$key] = htmlspecialchars($_REQUEST[$key], ENT_QUOTES);
+            } else {
+                unset($_REQUEST[$key]);
+            }
+            if (is_string($_POST[$key])) {
+                $_POST[$key] = htmlspecialchars($_POST[$key], ENT_QUOTES);
+            } else {
+                unset($_POST[$key]);
+            }
+            if (is_string($_COOKIE[$key])) {
+                $_COOKIE[$key] = htmlspecialchars($_COOKIE[$key], ENT_QUOTES);
+            } else {
+                unset($_COOKIE[$key]);
+            }
+            if (is_string($_GET[$key])) {
+                $_GET[$key] = htmlspecialchars($_GET[$key], ENT_QUOTES);
+            } else {
+                unset($_GET[$key]);
+            }
         }
     }
 }

libraries/common.lib.php

@@ -304,7 +304,7 @@ function PMA_arrayWalkRecursive(&$array, $function, $apply_to_keys_also = false)
  */
 function PMA_checkPageValidity(&$page, $whitelist)
 {
-    if (! isset($page)) {
+    if (! isset($page) || !is_string($page)) {
         return false;
     }
 
@@ -2697,7 +2697,7 @@ if (PMA_checkPageValidity($_REQUEST['back'], $goto_whitelist)) {
  * @todo variables should be handled by their respective owners (objects)
  * f.e. lang, server, convcharset, collation_connection in PMA_Config
  */
-if (empty($_REQUEST['token']) || $_SESSION[' PMA_token '] != $_REQUEST['token']) {
+if (!is_string($_REQUEST['token']) || empty($_REQUEST['token']) || $_SESSION[' PMA_token '] != $_REQUEST['token']) {
     /**
      *  List of parameters which are allowed from unsafe source
      */
@@ -3003,7 +3003,7 @@ if (! defined('PMA_MINIMUM_COMMON')) {
      * present a choice of servers in the case that there are multiple servers
      * and '$cfg['ServerDefault'] = 0' is set.
      */
-    if (! empty($_REQUEST['server']) && ! empty($cfg['Servers'][$_REQUEST['server']])) {
+    if (is_string($_REQUEST['sever']) && ! empty($_REQUEST['server']) && ! empty($cfg['Servers'][$_REQUEST['server']])) {
         $GLOBALS['server'] = $_REQUEST['server'];
         $cfg['Server'] = $cfg['Servers'][$GLOBALS['server']];
     } else {

libraries/select_lang.lib.php

@@ -39,6 +39,9 @@ function PMA_langCheck()
     if (! empty($_POST['lang'])) {
         if (PMA_langSet($_POST['lang'])) {
             return true;
+        } elseif (!is_string($_POST['lang'])) {
+            /* Faked request, don't care on localisation */
+            $GLOBALS['lang_failed_request'] = 'Yes';
         } else {
             $GLOBALS['lang_failed_request'] = $_POST['lang'];
         }
@@ -48,6 +51,9 @@ function PMA_langCheck()
     if (! empty($_GET['lang'])) {
         if (PMA_langSet($_GET['lang'])) {
             return true;
+        } elseif (!is_string($_GET['lang'])) {
+            /* Faked request, don't care on localisation */
+            $GLOBALS['lang_failed_request'] = 'Yes';
         } else {
             $GLOBALS['lang_failed_request'] = $_GET['lang'];
         }
@@ -57,6 +63,9 @@ function PMA_langCheck()
     if (! empty($_COOKIE['pma_lang'])) {
         if (PMA_langSet($_COOKIE['pma_lang'])) {
             return true;
+        } elseif (!is_string($_COOKIE['lang'])) {
+            /* Faked request, don't care on localisation */
+            $GLOBALS['lang_failed_request'] = 'Yes';
         } else {
             $GLOBALS['lang_failed_cookie'] = $_COOKIE['pma_lang'];
         }
@@ -95,7 +104,7 @@ function PMA_langCheck()
  */
 function PMA_langSet(&$lang)
 {
-    if (empty($lang) || empty($GLOBALS['available_languages'][$lang])) {
+    if (!is_string($lang) || empty($lang) || empty($GLOBALS['available_languages'][$lang])) {
         return false;
     }
     $GLOBALS['lang'] = $lang;

libraries/url_generating.lib.php

@@ -186,7 +186,10 @@ function PMA_generate_common_url ($db = '', $table = '', $delim = '&')
 
     $param_strings = array();
     foreach ($params as $key => $val) {
-        $param_strings[] = urlencode($key) . '=' . urlencode($val);
+        /* We ignore arrays as we don't use them! */
+        if (!is_array($val)) {
+            $param_strings[] = urlencode($key) . '=' . urlencode($val);
+        }
     }
 
     if (empty($param_strings)) {