allow scripts to bypass importing vars

2005-11-26 06:08:07 +00:00
parent 2be427840f
commit 9ec71beedf
2 changed files with 142 additions and 109 deletions
--- a/3
+++ b/3
@@ -5,6 +5,9 @@ phpMyAdmin - Changelog
 $Id$
 $Source$

+2005-11-24 Sebastian Mendel <cybot_tm@users.sourceforge.net>
+    * libraries/grab_globals.lib.php: allow scripts to bypass importing vars
+    
 2005-11-25 Marc Delisle  <lem9@users.sourceforge.net>
    * main.php: move server choice into MySQL container
    * libraries/select_server.lib.php: show currently selected server
--- a/libraries/grab_globals.lib.php
+++ b/libraries/grab_globals.lib.php
@@ -12,7 +12,10 @@
 * loic1 - 2001/25/11: use the new globals arrays defined with php 4.1+
 */

-// just to be sure there was no import (registering) before here
+/**
+ * just to be sure there was no import (registering) before here
+ * we empty the global space
+ */
 $variables_whitelist = array (
    'GLOBALS',
    '_SERVER',
@@ -22,6 +25,7 @@ $variables_whitelist = array (
    '_FILES',
    '_ENV',
    '_COOKIE',
+    '_SESSION',
 );

 foreach ( get_defined_vars() as $key => $value ) {
@@ -31,32 +35,43 @@ foreach ( get_defined_vars() as $key => $value ) {
 }
 unset( $key, $value );

-// protect against older PHP versions' bug about GLOBALS overwrite
-// (no need to translate this one :) )
-// but what if script.php?GLOABLS[admin]=1&GLOBALS[_REQUEST]=1 ???
+
+/**
+ * protect against older PHP versions' bug about GLOBALS overwrite
+ * (no need to translate this one :) )
+ * but what if script.php?GLOBALS[admin]=1&GLOBALS[_REQUEST]=1 ???
+ */
 if ( isset( $_REQUEST['GLOBALS'] ) || isset( $_FILES['GLOBALS'] )
  || isset( $_SERVER['GLOBALS'] ) || isset( $_COOKIE['GLOBALS'] )
  || isset( $_ENV['GLOBALS'] ) ) {
    die( 'GLOBALS overwrite attempt' );
 }

+
 require_once './libraries/session.inc.php';

-/**
- * @var array $import_blacklist variable names that should NEVER be imported
- *                              from superglobals
- */
-$import_blacklist = array(
-    '/^cfg$/i',      // PMA configuration
-    '/^GLOBALS$/i',  // the global scope
-    '/^str.*$/i',    // PMA strings
-    '/^_.*$/i',      // PMA does not use variables starting with _ from extern
-    '/^.*\s+.*$/i',  // no whitespaces anywhere
-    '/^[0-9]+.*$/i', // numeric variable names
-    //'/^PMA_.*$/i',   // other PMA variables
-);

 /**
+ * check if a subform is submitted
+ */
+$__redirect = NULL;
+if ( isset( $_POST['usesubform'] ) ) {
+    // if a subform is present and should be used
+    // the rest of the form is deprecated
+    $subform_id = key( $_POST['usesubform'] );
+    $subform    = $_POST['subform'][$subform_id];
+    $_POST      = $subform;
+    if ( isset( $_POST['redirect'] )
+      && $_POST['redirect'] != basename( $_SERVER['PHP_SELF'] ) ) {
+        $__redirect = $_POST['redirect'];
+        unset( $_POST['redirect'] );
+    } // end if ( isset( $_POST['redirect'] ) )
+    unset( $subform_id, $subform );
+} // end if ( isset( $_POST['usesubform'] ) )
+// end check if a subform is submitted
+
+if ( $__redirect || ! defined( 'PMA_NO_VARIABLES_IMPORT' ) ) {
+    /**
     * copy values from one array to another, usally from a superglobal into $GLOBALS
     *
     * @uses    $GLOBALS['import_blacklist']
@@ -69,7 +84,7 @@ $import_blacklist = array(
     * @param   array   $target     values to
     * @param   boolean $sanitize   prevent importing key names in $import_blacklist
     */
-function PMA_gpc_extract($array, &$target, $sanitize = TRUE) {
+    function PMA_gpc_extract($array, &$target, $sanitize = TRUE) {
        if (!is_array($array)) {
            return FALSE;
        }
@@ -103,43 +118,40 @@ function PMA_gpc_extract($array, &$target, $sanitize = TRUE) {
            }
        }
        return TRUE;
-}
+    }
    
    
-// check if a subform is submitted
-$__redirect = NULL;
-if ( isset( $_POST['usesubform'] ) ) {
-    // if a subform is present and should be used
-    // the rest of the form is deprecated
-    $subform_id = key( $_POST['usesubform'] );
-    $subform    = $_POST['subform'][$subform_id];
-    $_POST      = $subform;
-    if ( isset( $_POST['redirect'] )
-      && $_POST['redirect'] != basename( $_SERVER['PHP_SELF'] ) ) {
-        $__redirect = $_POST['redirect'];
-        unset( $_POST['redirect'] );
-    } // end if ( isset( $_POST['redirect'] ) )
-    unset( $subform_id, $subform );
-} // end if ( isset( $_POST['usesubform'] ) )
-// end check if a subform is submitted
+    /**
+     * @var array $import_blacklist variable names that should NEVER be imported
+     *                              from superglobals
+     */
+    $import_blacklist = array(
+        '/^cfg$/i',      // PMA configuration
+        '/^GLOBALS$/i',  // the global scope
+        '/^str.*$/i',    // PMA strings
+        '/^_.*$/i',      // PMA does not use variables starting with _ from extern
+        '/^.*\s+.*$/i',  // no whitespaces anywhere
+        '/^[0-9]+.*$/i', // numeric variable names
+        //'/^PMA_.*$/i',   // other PMA variables
+    );
    
-if (!empty($_GET)) {
+    if (!empty($_GET)) {
        PMA_gpc_extract($_GET, $GLOBALS);
-} // end if
+    } // end if
    
-if (!empty($_POST)) {
+    if (!empty($_POST)) {
        PMA_gpc_extract($_POST, $GLOBALS);
-} // end if (!empty($_POST))
+    } // end if (!empty($_POST))
    
-if (!empty($_FILES)) {
+    if (!empty($_FILES)) {
        foreach ($_FILES AS $name => $value) {
            $$name = $value['tmp_name'];
            ${$name . '_name'} = $value['name'];
        }
-} // end if
-unset( $name, $value );
+        unset( $name, $value );
+    } // end if
    
-if (!empty($_SERVER)) {
+    if (!empty($_SERVER)) {
        $server_vars = array('PHP_SELF', 'HTTP_ACCEPT_LANGUAGE', 'HTTP_AUTHORIZATION');
        foreach ( $server_vars as $current ) {
            // its not important HOW we detect html tags
@@ -154,19 +166,37 @@ if (!empty($_SERVER)) {
            }
        }
        unset( $server_vars, $current );
-} // end if
+    } // end if
    
-// Security fix: disallow accessing serious server files via "?goto="
-if (isset($goto) && strpos(' ' . $goto, '/') > 0 && substr($goto, 0, 2) != './') {
+    // Security fix: disallow accessing serious server files via "?goto="
+    if (isset($goto) && strpos(' ' . $goto, '/') > 0 && substr($goto, 0, 2) != './') {
        unset($goto);
-} // end if
+    } // end if
    
-unset( $import_blacklist );
+    unset( $import_blacklist );
    
-if ( ! empty( $__redirect ) ) {
+    if ( ! empty( $__redirect ) ) {
        // TODO: ensure that PMA_securePath() is defined and available
        // for this script. Meanwhile we duplicate what this function does:
        require('./' . preg_replace('@\.\.*@','.',$__redirect));
        exit();
-} // end if ( ! empty( $__redirect ) )
+    } // end if ( ! empty( $__redirect ) )
+
+} else {
+    
+    echo $goto . "-<br />\n";
+    echo $_REQUEST['goto'] . "-<br />\n";
+    echo $_GET['goto'] . "-<br />\n";
+    echo $_POST['goto'] . "-<br />\n";
+    
+    // Security fix: disallow accessing serious server files via "?goto="
+    if ( isset( $_REQUEST['goto'] )
+      && strpos( $_REQUEST['goto'], '\\' ) !== false
+      && strpos( $_REQUEST['goto'], '/' ) !== false ) {
+        unset( $_REQUEST['goto'], $_GET['goto'], $_POST['goto'] );
+    } // end if
+    echo $_REQUEST['goto'] . "-<br />\n";
+    echo $_GET['goto'] . "-<br />\n";
+    echo $_POST['goto'] . "-<br />\n";
+}
 ?>