From 8fe835ac06183c021aac960bbda52737b4bf8461 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C4=8Ciha=C5=99?= <michal@cihar.com>
Date: Tue, 9 Jan 2007 09:49:30 +0000
Subject: [PATCH] security fixes

---
 ChangeLog                         |  8 ++++++++
 index.php                         | 22 +++++++++++-----------
 libraries/Theme_Manager.class.php |  5 +++--
 libraries/common.lib.php          |  8 ++++----
 4 files changed, 26 insertions(+), 17 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 10f9b600b..a9f528491 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -5,6 +5,14 @@ phpMyAdmin - ChangeLog
 $Id$
 $Source$
 
+2007-01-09 Michal Čihař  <michal@cihar.com>
+    * index.php: Properly escape strings written in JS code.
+    * libraries/Theme_Manager.class.php: Avoid trigger error here, parameter
+      comes from user and it might lead to path disclossure.
+    * libraries/common.lib.php:
+        - Properly escape </script> in JS code.
+        - Check db, table and sql_query params to be string.
+
 2007-01-08 Marc Delisle  <lem9@users.sourceforge.net>
     * libraries/session.inc.php: prevent attack on session name cookie
 
diff --git a/index.php b/index.php
index f30ebaf88..79159a3e5 100644
--- a/index.php
+++ b/index.php
@@ -116,18 +116,18 @@ header('Content-Type: text/html; charset=' . $GLOBALS['charset']);
 <script type="text/javascript" language="javascript">
 // <![CDATA[
     // definitions used in querywindow.js
-    var common_query = '<?php echo PMA_generate_common_url('', '', '&');?>';
-    var opendb_url = '<?php echo $GLOBALS['cfg']['DefaultTabDatabase']; ?>';
+    var common_query = '<?php echo PMA_escapeJsString(PMA_generate_common_url('', '', '&'));?>';
+    var opendb_url = '<?php echo PMA_escapeJsString($GLOBALS['cfg']['DefaultTabDatabase']); ?>';
     var safari_browser = <?php echo PMA_USR_BROWSER_AGENT == 'SAFARI' ? 'true' : 'false' ?>;
-    var querywindow_height = <?php echo $GLOBALS['cfg']['QueryWindowHeight']; ?>;
-    var querywindow_width = <?php echo $GLOBALS['cfg']['QueryWindowWidth']; ?>;
-    var collation_connection = '<?php echo $GLOBALS['collation_connection']; ?>';
-    var lang = '<?php echo $GLOBALS['lang']; ?>';
-    var server = '<?php echo $GLOBALS['server']; ?>';
-    var table = '<?php echo $GLOBALS['table']; ?>';
-    var db    = '<?php echo $GLOBALS['db']; ?>';
-    var text_dir = '<?php echo $GLOBALS['text_dir']; ?>';
-    var pma_absolute_uri = '<?php echo $GLOBALS['cfg']['PmaAbsoluteUri']; ?>';
+    var querywindow_height = <?php echo PMA_escapeJsString($GLOBALS['cfg']['QueryWindowHeight']); ?>;
+    var querywindow_width = <?php echo PMA_escapeJsString($GLOBALS['cfg']['QueryWindowWidth']); ?>;
+    var collation_connection = '<?php echo PMA_escapeJsString($GLOBALS['collation_connection']); ?>';
+    var lang = '<?php echo PMA_escapeJsString($GLOBALS['lang']); ?>';
+    var server = '<?php echo PMA_escapeJsString($GLOBALS['server']); ?>';
+    var table = '<?php echo PMA_escapeJsString($GLOBALS['table']); ?>';
+    var db    = '<?php echo PMA_escapeJsString($GLOBALS['db']); ?>';
+    var text_dir = '<?php echo PMA_escapeJsString($GLOBALS['text_dir']); ?>';
+    var pma_absolute_uri = '<?php echo PMA_escapeJsString($GLOBALS['cfg']['PmaAbsoluteUri']); ?>';
 // ]]>
 </script>
 <script src="./js/querywindow.js" type="text/javascript" language="javascript">
diff --git a/libraries/Theme_Manager.class.php b/libraries/Theme_Manager.class.php
index bebf69016..7df805a8f 100644
--- a/libraries/Theme_Manager.class.php
+++ b/libraries/Theme_Manager.class.php
@@ -142,9 +142,10 @@ class PMA_Theme_Manager {
         if ( ! $this->checkTheme($theme)) {
             $GLOBALS['PMA_errors'][] = sprintf($GLOBALS['strThemeNotFound'],
                 htmlspecialchars($theme));
-            trigger_error(
+            /* Following code can lead to path disclossure, because headers will be sent later */
+/*          trigger_error(
                 sprintf($GLOBALS['strThemeNotFound'], htmlspecialchars($theme)),
-                E_USER_WARNING);
+                E_USER_WARNING);*/
             return false;
         }
 
diff --git a/libraries/common.lib.php b/libraries/common.lib.php
index 59fa7095c..e910f2743 100644
--- a/libraries/common.lib.php
+++ b/libraries/common.lib.php
@@ -1408,7 +1408,7 @@ if (!defined('PMA_MINIMUM_COMMON')) {
                             '\'' => '\\\'',
                             "\n" => '\n',
                             "\r" => '\r',
-                            '</script' => '<\' + \'script'));
+                            '</script' => '</\' + \'script'));
     }
 
     /**
@@ -2946,7 +2946,7 @@ if (isset($_REQUEST['convcharset'])) {
 /**
  * @var string $db current selected database
  */
-if (isset($_REQUEST['db'])) {
+if (isset($_REQUEST['db']) && is_string($_REQUEST['db'])) {
     // can we strip tags from this?
     // only \ and / is not allowed in db names for MySQL
     $GLOBALS['db'] = $_REQUEST['db'];
@@ -2958,7 +2958,7 @@ if (isset($_REQUEST['db'])) {
 /**
  * @var string $db current selected database
  */
-if (isset($_REQUEST['table'])) {
+if (isset($_REQUEST['table']) && is_string($_REQUEST['table'])) {
     // can we strip tags from this?
     // only \ and / is not allowed in table names for MySQL
     $GLOBALS['table'] = $_REQUEST['table'];
@@ -2970,7 +2970,7 @@ if (isset($_REQUEST['table'])) {
 /**
  * @var string $sql_query sql query to be executed
  */
-if (isset($_REQUEST['sql_query'])) {
+if (isset($_REQUEST['sql_query']) && is_string($_REQUEST['sql_query'])) {
     $GLOBALS['sql_query'] = $_REQUEST['sql_query'];
 }