security fixes

This commit is contained in:
Michal Čihař
2007-01-09 09:49:30 +00:00
parent c9d93f6394
commit 8fe835ac06
4 changed files with 26 additions and 17 deletions


@@ -5,6 +5,14 @@ phpMyAdmin - ChangeLog
$Id$ $Id$
$Source$ $Source$
2007-01-09 Michal Čihař <michal@cihar.com>
* index.php: Properly escape strings written in JS code.
* libraries/Theme_Manager.class.php: Avoid trigger error here, parameter
comes from user and it might lead to path disclossure.
* libraries/common.lib.php:
- Properly escape </script> in JS code.
- Check db, table and sql_query params to be string.
2007-01-08 Marc Delisle <lem9@users.sourceforge.net> 2007-01-08 Marc Delisle <lem9@users.sourceforge.net>
* libraries/session.inc.php: prevent attack on session name cookie * libraries/session.inc.php: prevent attack on session name cookie


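--- a/index.php
+++ b/index.php
@@ -116,18 +116,18 @@ header('Content-Type: text/html; charset=' . $GLOBALS['charset']);
 <script type="text/javascript" language="javascript">
 // <![CDATA[
 // definitions used in querywindow.js
-var common_query = '<?php echo PMA_generate_common_url('', '', '&');?>';
-var opendb_url = '<?php echo $GLOBALS['cfg']['DefaultTabDatabase']; ?>';
+var common_query = '<?php echo PMA_escapeJsString(PMA_generate_common_url('', '', '&'));?>';
+var opendb_url = '<?php echo PMA_escapeJsString($GLOBALS['cfg']['DefaultTabDatabase']); ?>';
 var safari_browser = <?php echo PMA_USR_BROWSER_AGENT == 'SAFARI' ? 'true' : 'false' ?>;
-var querywindow_height = <?php echo $GLOBALS['cfg']['QueryWindowHeight']; ?>;
-var querywindow_width = <?php echo $GLOBALS['cfg']['QueryWindowWidth']; ?>;
-var collation_connection = '<?php echo $GLOBALS['collation_connection']; ?>';
-var lang = '<?php echo $GLOBALS['lang']; ?>';
-var server = '<?php echo $GLOBALS['server']; ?>';
-var table = '<?php echo $GLOBALS['table']; ?>';
-var db = '<?php echo $GLOBALS['db']; ?>';
-var text_dir = '<?php echo $GLOBALS['text_dir']; ?>';
-var pma_absolute_uri = '<?php echo $GLOBALS['cfg']['PmaAbsoluteUri']; ?>';
+var querywindow_height = <?php echo PMA_escapeJsString($GLOBALS['cfg']['QueryWindowHeight']); ?>;
+var querywindow_width = <?php echo PMA_escapeJsString($GLOBALS['cfg']['QueryWindowWidth']); ?>;
+var collation_connection = '<?php echo PMA_escapeJsString($GLOBALS['collation_connection']); ?>';
+var lang = '<?php echo PMA_escapeJsString($GLOBALS['lang']); ?>';
+var server = '<?php echo PMA_escapeJsString($GLOBALS['server']); ?>';
+var table = '<?php echo PMA_escapeJsString($GLOBALS['table']); ?>';
+var db = '<?php echo PMA_escapeJsString($GLOBALS['db']); ?>';
+var text_dir = '<?php echo PMA_escapeJsString($GLOBALS['text_dir']); ?>';
+var pma_absolute_uri = '<?php echo PMA_escapeJsString($GLOBALS['cfg']['PmaAbsoluteUri']); ?>';
 // ]]>
 </script>
 <script src="./js/querywindow.js" type="text/javascript" language="javascript">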
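Review bot: `PMA_escapeJsString()` is applied to `querywindow_height` and `querywindow_width`, but those two values are emitted as bare JavaScript numeric literals rather than inside a quoted string, so a string escaper does not protect that context; the escape table in this commit's common.lib.php hunk only rewrites backslashes, quotes, newlines and `</script`, and a value such as `1;alert(1)` would still land in the script verbatim. The right escape for a numeric slot is a cast, `var querywindow_height = <?php echo (int) $GLOBALS['cfg']['QueryWindowHeight']; ?>;` and the same for the width line. These two come from the administrator's configuration rather than the request, so the exposure is limited, but mixing up escaping contexts is worth fixing while the block is being reworked. The remaining quoted lines are correctly escaped for a single-quoted JS string literal.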


@@ -142,9 +142,10 @@ class PMA_Theme_Manager {
if ( ! $this->checkTheme($theme)) { if ( ! $this->checkTheme($theme)) {
$GLOBALS['PMA_errors'][] = sprintf($GLOBALS['strThemeNotFound'], $GLOBALS['PMA_errors'][] = sprintf($GLOBALS['strThemeNotFound'],
htmlspecialchars($theme)); htmlspecialchars($theme));
trigger_error( /* Following code can lead to path disclossure, because headers will be sent later */
/* trigger_error(
sprintf($GLOBALS['strThemeNotFound'], htmlspecialchars($theme)), sprintf($GLOBALS['strThemeNotFound'], htmlspecialchars($theme)),
E_USER_WARNING); E_USER_WARNING);*/
return false; return false;
} }
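Review bot: The disabled `trigger_error()` block after the `htmlspecialchars($theme));` line should be deleted rather than wrapped in `/* … */`; commented-out code is dead code that keeps the path-leaking call one uncomment away, and the `$GLOBALS['PMA_errors'][]` entry just above already records the same escaped message for later display. The explanatory comment also carries a typo and could state the reason more precisely, e.g. `// Do not trigger_error() here: $theme is request-controlled and PHP's inline error output, emitted before headers are sent, would reveal the install path`. The enclosing method starts above this hunk and `checkTheme()` is not visible, so the path-disclosure rationale is taken from the commit's own comment rather than verified here.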


@@ -1408,7 +1408,7 @@ if (!defined('PMA_MINIMUM_COMMON')) {
'\'' => '\\\'', '\'' => '\\\'',
"\n" => '\n', "\n" => '\n',
"\r" => '\r', "\r" => '\r',
'</script' => '<\' + \'script')); '</script' => '</\' + \'script'));
} }
/** /**
@@ -2946,7 +2946,7 @@ if (isset($_REQUEST['convcharset'])) {
/** /**
* @var string $db current selected database * @var string $db current selected database
*/ */
if (isset($_REQUEST['db'])) { if (isset($_REQUEST['db']) && is_string($_REQUEST['db'])) {
// can we strip tags from this? // can we strip tags from this?
// only \ and / is not allowed in db names for MySQL // only \ and / is not allowed in db names for MySQL
$GLOBALS['db'] = $_REQUEST['db']; $GLOBALS['db'] = $_REQUEST['db'];
@@ -2958,7 +2958,7 @@ if (isset($_REQUEST['db'])) {
/** /**
* @var string $db current selected database * @var string $db current selected database
*/ */
if (isset($_REQUEST['table'])) { if (isset($_REQUEST['table']) && is_string($_REQUEST['table'])) {
// can we strip tags from this? // can we strip tags from this?
// only \ and / is not allowed in table names for MySQL // only \ and / is not allowed in table names for MySQL
$GLOBALS['table'] = $_REQUEST['table']; $GLOBALS['table'] = $_REQUEST['table'];
@@ -2970,7 +2970,7 @@ if (isset($_REQUEST['table'])) {
/** /**
* @var string $sql_query sql query to be executed * @var string $sql_query sql query to be executed
*/ */
if (isset($_REQUEST['sql_query'])) { if (isset($_REQUEST['sql_query']) && is_string($_REQUEST['sql_query'])) {
$GLOBALS['sql_query'] = $_REQUEST['sql_query']; $GLOBALS['sql_query'] = $_REQUEST['sql_query'];
} }
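Review bot: The corrected `'</script' => '</\' + \'script'` entry in the first hunk only matches that exact lowercase byte sequence, while an HTML parser also ends the script block on `</SCRIPT` or `</Script`, and the `' + '` splice only survives when the escaped value is placed inside a single-quoted JS literal (the index.php callers in this commit do that, but the function cannot know its destination). Escaping the slash instead is independent of case and quoting: `'/' => '\/'` in place of the `</script` entry turns any `</script` variant into `<\/script…`, which the HTML parser does not treat as a closing tag while JavaScript reads it back as a plain `/`. The replacement call that consumes this table starts above the hunk, so I am assuming it is a case-sensitive byte substitution such as `strtr()`. The `is_string()` guards in the later hunks look right; they drop array-valued `db`, `table` and `sql_query` parameters and fall through to whatever defaults the surrounding code sets, which lie outside these hunks.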