security fixes
This commit is contained in:
Michal Čihař
@@ -5,6 +5,14 @@ phpMyAdmin - ChangeLog
|
||||
$Id$
|
||||
$Source$
|
||||
|
||||
2007-01-09 Michal Čihař <michal@cihar.com>
|
||||
* index.php: Properly escape strings written in JS code.
|
||||
* libraries/Theme_Manager.class.php: Avoid trigger error here, parameter
|
||||
comes from user and it might lead to path disclossure.
|
||||
* libraries/common.lib.php:
|
||||
- Properly escape </script> in JS code.
|
||||
- Check db, table and sql_query params to be string.
|
||||
|
||||
2007-01-08 Marc Delisle <lem9@users.sourceforge.net>
|
||||
* libraries/session.inc.php: prevent attack on session name cookie
|
||||
|
||||
|
||||
22
index.php
22
index.php
@@ -116,18 +116,18 @@ header('Content-Type: text/html; charset=' . $GLOBALS['charset']);
|
||||
<script type="text/javascript" language="javascript">
|
||||
// <![CDATA[
|
||||
// definitions used in querywindow.js
|
||||
var common_query = '<?php echo PMA_generate_common_url('', '', '&');?>';
|
||||
var opendb_url = '<?php echo $GLOBALS['cfg']['DefaultTabDatabase']; ?>';
|
||||
var common_query = '<?php echo PMA_escapeJsString(PMA_generate_common_url('', '', '&'));?>';
|
||||
var opendb_url = '<?php echo PMA_escapeJsString($GLOBALS['cfg']['DefaultTabDatabase']); ?>';
|
||||
var safari_browser = <?php echo PMA_USR_BROWSER_AGENT == 'SAFARI' ? 'true' : 'false' ?>;
|
||||
var querywindow_height = <?php echo $GLOBALS['cfg']['QueryWindowHeight']; ?>;
|
||||
var querywindow_width = <?php echo $GLOBALS['cfg']['QueryWindowWidth']; ?>;
|
||||
var collation_connection = '<?php echo $GLOBALS['collation_connection']; ?>';
|
||||
var lang = '<?php echo $GLOBALS['lang']; ?>';
|
||||
var server = '<?php echo $GLOBALS['server']; ?>';
|
||||
var table = '<?php echo $GLOBALS['table']; ?>';
|
||||
var db = '<?php echo $GLOBALS['db']; ?>';
|
||||
var text_dir = '<?php echo $GLOBALS['text_dir']; ?>';
|
||||
var pma_absolute_uri = '<?php echo $GLOBALS['cfg']['PmaAbsoluteUri']; ?>';
|
||||
var querywindow_height = <?php echo PMA_escapeJsString($GLOBALS['cfg']['QueryWindowHeight']); ?>;
|
||||
var querywindow_width = <?php echo PMA_escapeJsString($GLOBALS['cfg']['QueryWindowWidth']); ?>;
|
||||
var collation_connection = '<?php echo PMA_escapeJsString($GLOBALS['collation_connection']); ?>';
|
||||
var lang = '<?php echo PMA_escapeJsString($GLOBALS['lang']); ?>';
|
||||
var server = '<?php echo PMA_escapeJsString($GLOBALS['server']); ?>';
|
||||
var table = '<?php echo PMA_escapeJsString($GLOBALS['table']); ?>';
|
||||
var db = '<?php echo PMA_escapeJsString($GLOBALS['db']); ?>';
|
||||
var text_dir = '<?php echo PMA_escapeJsString($GLOBALS['text_dir']); ?>';
|
||||
var pma_absolute_uri = '<?php echo PMA_escapeJsString($GLOBALS['cfg']['PmaAbsoluteUri']); ?>';
|
||||
// ]]>
|
||||
</script>
|
||||
<script src="./js/querywindow.js" type="text/javascript" language="javascript">
|
||||
|
||||
@@ -142,9 +142,10 @@ class PMA_Theme_Manager {
|
||||
if ( ! $this->checkTheme($theme)) {
|
||||
$GLOBALS['PMA_errors'][] = sprintf($GLOBALS['strThemeNotFound'],
|
||||
htmlspecialchars($theme));
|
||||
trigger_error(
|
||||
/* Following code can lead to path disclossure, because headers will be sent later */
|
||||
/* trigger_error(
|
||||
sprintf($GLOBALS['strThemeNotFound'], htmlspecialchars($theme)),
|
||||
E_USER_WARNING);
|
||||
E_USER_WARNING);*/
|
||||
return false;
|
||||
}
|
||||
|
||||
|
||||
@@ -1408,7 +1408,7 @@ if (!defined('PMA_MINIMUM_COMMON')) {
|
||||
'\'' => '\\\'',
|
||||
"\n" => '\n',
|
||||
"\r" => '\r',
|
||||
'</script' => '<\' + \'script'));
|
||||
'</script' => '</\' + \'script'));
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -2946,7 +2946,7 @@ if (isset($_REQUEST['convcharset'])) {
|
||||
/**
|
||||
* @var string $db current selected database
|
||||
*/
|
||||
if (isset($_REQUEST['db'])) {
|
||||
if (isset($_REQUEST['db']) && is_string($_REQUEST['db'])) {
|
||||
// can we strip tags from this?
|
||||
// only \ and / is not allowed in db names for MySQL
|
||||
$GLOBALS['db'] = $_REQUEST['db'];
|
||||
@@ -2958,7 +2958,7 @@ if (isset($_REQUEST['db'])) {
|
||||
/**
|
||||
* @var string $db current selected database
|
||||
*/
|
||||
if (isset($_REQUEST['table'])) {
|
||||
if (isset($_REQUEST['table']) && is_string($_REQUEST['table'])) {
|
||||
// can we strip tags from this?
|
||||
// only \ and / is not allowed in table names for MySQL
|
||||
$GLOBALS['table'] = $_REQUEST['table'];
|
||||
@@ -2970,7 +2970,7 @@ if (isset($_REQUEST['table'])) {
|
||||
/**
|
||||
* @var string $sql_query sql query to be executed
|
||||
*/
|
||||
if (isset($_REQUEST['sql_query'])) {
|
||||
if (isset($_REQUEST['sql_query']) && is_string($_REQUEST['sql_query'])) {
|
||||
$GLOBALS['sql_query'] = $_REQUEST['sql_query'];
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user