path disclosure

2003-07-19 15:29:53 +00:00
parent 204d9669af
commit 9439bd3780
4 changed files with 18 additions and 9 deletions
--- a/db_details_importdocsql.php3
+++ b/db_details_importdocsql.php3
@@ -174,9 +174,11 @@ if (isset($do) && $do == 'import') {
    
                // function is_writeable() is valid on PHP3 and 4
                if (!is_writeable($tmp_subdir)) {
-                    // if we cannot move the file, let PHP report the error
-                    error_reporting(E_ALL);
                    $docsql_text = PMA_readFile($sql_file, $sql_file_compression);
+                    if ($docsql_text == FALSE) {
+                        echo $strFileCouldNotBeRead;
+                        exit();
+                    }
                }
                else {
                    $sql_file_new = $tmp_subdir . basename($sql_file);
--- a/ldi_check.php3
+++ b/ldi_check.php3
@@ -71,8 +71,9 @@ if (isset($btnLDI) && isset($local_textfile) && $local_textfile != '') {

            // function is_writeable() is valid on PHP3 and 4
            if (!is_writeable($tmp_subdir)) {
-                // if we cannot move the file, let PHP report the error
-                error_reporting(E_ALL);
+                echo $strWebServerUploadDirectoryError . ': ' . $tmp_subdir
+                 . '<br />';
+                exit();
            } else {
                $textfile_new = $tmp_subdir . basename($textfile);
                if (PMA_PHP_INT_VERSION < 40003) {
@@ -100,8 +101,11 @@ if (isset($btnLDI) && empty($textfile)) {
        $replace = '';
    }

-    error_reporting(E_ALL);
-    chmod($textfile, 0644);
+    // the error message does not correspond exactly to the error...
+    if (!@chmod($textfile, 0644)) {
+       echo $strFileCouldNotBeRead . ' ' . $textfile . '<br />';
+       exit();
+    }

    // Kanji encoding convert appended by Y.Kawada
    if (function_exists('PMA_kanji_file_conv')) {
--- a/read_dump.php3
+++ b/read_dump.php3
@@ -100,9 +100,11 @@ if ($sql_file != 'none') {

            // function is_writeable() is valid on PHP3 and 4
            if (!is_writeable($tmp_subdir)) {
-                // if we cannot move the file, let PHP report the error
-                error_reporting(E_ALL);
                $sql_query = PMA_readFile($sql_file, $sql_file_compression);
+                if ($sql_query == FALSE) {
+                    echo $strFileCouldNotBeRead;
+                    exit();
+                }
            }
            else {
                $sql_file_new = $tmp_subdir . basename($sql_file);
--- a/tbl_properties_links.php3
+++ b/tbl_properties_links.php3
@@ -6,7 +6,8 @@
 /**
 * Sets error reporting level
 */
-error_reporting(E_ALL);
+// (removed to avoid path disclosure, not sure about why this was here)
+// error_reporting(E_ALL);


 // Check parameters