From 9ebd401b0ea4efea8ddc8cd846da559bf420ccaa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C4=8Ciha=C5=99?=
Date: Thu, 6 Jan 2011 09:36:30 +0100
Subject: [PATCH] Remove error.php

Redirecting to other script introduces possibility of inject custom messages to it. Though there is no clear security issue in this, it might confuse users and mistake them to go to external site as it allows to include links.

Conflicts:
	error.php
	libraries/core.lib.php
---
 libraries/common.inc.php | 1 -
 libraries/core.lib.php | 15 ++++-----
 error.php => libraries/error.inc.php | 47 +++++-----------------------
 3 files changed, 13 insertions(+), 50 deletions(-)
 rename error.php => libraries/error.inc.php (52%)

diff --git a/libraries/common.inc.php b/libraries/common.inc.php
index 86416a576..dd51900f9 100644
--- a/libraries/common.inc.php
+++ b/libraries/common.inc.php
@@ -325,7 +325,6 @@ $goto_whitelist = array(
 'db_printview.php',
 'db_search.php',
 //'Documentation.html',
- //'error.php',
 'export.php',
 'import.php',
 //'index.php',
diff --git a/libraries/core.lib.php b/libraries/core.lib.php
index f7f9da4d7..fa4f00719 100644
--- a/libraries/core.lib.php
+++ b/libraries/core.lib.php
@@ -261,21 +261,18 @@ function PMA_fatalError($error_message, $message_args = null)
 $error_message = strtr($error_message, array('
' => '[br]'));
 // Displays the error message
- // (do not use & for parameters sent by header)
- $query_params = array(
- 'lang' => $GLOBALS['available_languages'][$GLOBALS['lang']][2],
- 'dir' => $GLOBALS['text_dir'],
- 'type' => $GLOBALS['strError'],
- 'error' => $error_message,
- );
- header('Location: ' . (defined('PMA_SETUP') ? '../' : '') . 'error.php?'
- . http_build_query($query_params, null, '&'));
+ $lang = $GLOBALS['available_languages'][$GLOBALS['lang']][2];
+ $dir = $GLOBALS['text_dir'];
+ $type = $GLOBALS['strError'];
+ $error = $error_message;
 // on fatal errors it cannot hurt to always delete the current session
 if (isset($GLOBALS['session_name']) && isset($_COOKIE[$GLOBALS['session_name']])) {
 PMA_removeCookie($GLOBALS['session_name']);
 }
+ require('./libraries/error.inc.php');
+ exit;
 }
diff --git a/error.php b/libraries/error.inc.php
similarity index 52%
rename from error.php
rename to libraries/error.inc.php
index 7e86ffb95..95d884792 100644
--- a/error.php
+++ b/libraries/error.inc.php
@@ -3,38 +3,14 @@
 /**
 * phpMyAdmin fatal error display page
 *
- * @version $Id$
 * @package phpMyAdmin
 */
-/**
- * Input sanitizing.
- */
-require_once './libraries/sanitizing.lib.php';
-
-/* Get variables */
-if (! empty($_REQUEST['lang']) && is_string($_REQUEST['lang'])) {
- $lang = htmlspecialchars($_REQUEST['lang']);
-} else {
- $lang = 'en';
+if (! defined('PHPMYADMIN')) {
+ exit;
 }
-if (! empty($_REQUEST['dir']) && is_string($_REQUEST['dir'])) {
- $dir = htmlspecialchars($_REQUEST['dir']);
-} else {
- $dir = 'ltr';
-}
-
-if (! empty($_REQUEST['type']) && is_string($_REQUEST['type'])) {
- $type = htmlspecialchars($_REQUEST['type']);
-} else {
- $type = 'error';
-}
-
-// force utf-8 to avoid XSS with crafted URL and utf-7 in charset parameter
-$charset = 'utf-8';
-
-header('Content-Type: text/html; charset=' . $charset);
+header('Content-Type: text/html; charset=utf-8');
 ?>
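Review bot: The four locals `$lang`, `$dir`, `$type` and `$error` assigned before the cookie check exist only so that the `require('./libraries/error.inc.php')` added at the end of the hunk can read them, but nothing says so, and a reader sees four apparently unused variables; add above them `// Consumed by libraries/error.inc.php, which is included below and renders them.` The removed error.php escaped its inputs itself (htmlspecialchars on lang/dir/type plus a sanitizing include), whereas `$error` is now the raw `$error_message` after the `[br]` substitution and the part of error.inc.php that outputs it is not in this patch, so confirm there that `$error` still goes through PMA_sanitize() or htmlspecialchars() before output rather than being echoed directly. The removed Location header prefixed `../` when PMA_SETUP was defined while the new require has no such prefix; that is only correct if the setup entry points change the working directory to the application root before anything can call PMA_fatalError, which is worth checking. The start of PMA_fatalError lies outside the hunk.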
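Review bot: Dropping `require_once './libraries/sanitizing.lib.php';` makes error.inc.php depend on its includer having loaded that library already; the new `if (! defined('PHPMYADMIN')) { exit; }` guard does ensure the file is only reached from inside phpMyAdmin, but whether sanitizing.lib.php is loaded at every point PMA_fatalError can fire, including very early bootstrap failures, is not visible here. Since require_once is idempotent, keeping that one line costs nothing and leaves the template self-contained if it still calls PMA_sanitize() on `$error`. The HTML portion that renders `$lang`, `$dir`, `$type` and `$error` lies outside this hunk.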
@@ -42,7 +18,7 @@ header('Content-Type: text/html; charset=' . $charset); phpMyAdmin - + -

phpMyAdmin -

-

+

phpMyAdmin -

+

+