protection against XSS when register_globals is on and .htaccess has no effect

This commit is contained in:
Marc Delisle
2008-06-17 21:32:48 +00:00
parent 4df2b7d333
commit aa2076eedc
72 changed files with 220 additions and 13 deletions


@@ -24,6 +24,8 @@ $HeadURL: https://phpmyadmin.svn.sourceforge.net/svnroot/phpmyadmin/trunk/phpMyA
- bug #1981043 [export] HTML in exports getting corrupted, - bug #1981043 [export] HTML in exports getting corrupted,
thanks to Jason Judge - jasonjudge thanks to Jason Judge - jasonjudge
- bug #1936761 [interface] BINARY not treated as BLOB: update/delete issues - bug #1936761 [interface] BINARY not treated as BLOB: update/delete issues
- protection against XSS when register_globals is on and .htaccess has
no effect, thanks to Tim Starling
2.11.6.0 (2008-04-29) 2.11.6.0 (2008-04-29)
- bug #1903724 [interface] Displaying of very large queries in error message - bug #1903724 [interface] Displaying of very large queries in error message


@@ -8,11 +8,7 @@
* @version $Id$ * @version $Id$
*/ */
/** if (! defined('PHPMYADMIN')) {
* @todo replace by constant
* $coming_from_common can be set from outside with register_globals on
*/
if (!isset($coming_from_common)) {
exit; exit;
} }
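Review bot: The removed `@todo` block was the only place that said why the old check was unsafe, and the new bare `if (! defined('PHPMYADMIN'))` carries no explanation of what it replaces. The old test relied on `$coming_from_common`, an ordinary global that register_globals would populate from a request parameter, so `isset()` could be satisfied by anyone calling the library file directly; a constant has no such request-side path, which is the whole point of the change. I would keep that reasoning next to the guard, e.g. `// direct-access guard: PHPMYADMIN is defined only by libraries/common.inc.php and, unlike the former $coming_from_common variable, cannot be injected via register_globals`. Note that the guard only closes the direct-request vector; a library included normally still sees whatever register_globals imported, so this is defence in depth alongside the libraries/.htaccess deny rule, not a substitute for it.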


@@ -5,7 +5,9 @@
* *
* @version $Id$ * @version $Id$
*/ */
if (! defined('PHPMYADMIN')) {
exit;
}
/** /**
* Loads the recode or iconv extensions if any of it is not loaded yet * Loads the recode or iconv extensions if any of it is not loaded yet


@@ -7,6 +7,9 @@
* *
* @version $Id$ * @version $Id$
*/ */
if (! defined('PHPMYADMIN')) {
exit;
}
/** /**
* *


@@ -52,6 +52,11 @@ if (version_compare(phpversion(), '6', 'lt')) {
@ini_set('magic_quotes_runtime', false); @ini_set('magic_quotes_runtime', false);
} }
/**
* for verification in all procedural scripts under libraries
*/
define('PHPMYADMIN', true);
/** /**
* core functions * core functions
*/ */
@@ -730,9 +735,6 @@ if (! defined('PMA_MINIMUM_COMMON')) {
// Gets the authentication library that fits the $cfg['Server'] settings // Gets the authentication library that fits the $cfg['Server'] settings
// and run authentication // and run authentication
// (for a quick check of path disclosure in auth/cookies:)
$coming_from_common = true;
// to allow HTTP or http // to allow HTTP or http
$cfg['Server']['auth_type'] = strtolower($cfg['Server']['auth_type']); $cfg['Server']['auth_type'] = strtolower($cfg['Server']['auth_type']);
if (! file_exists('./libraries/auth/' . $cfg['Server']['auth_type'] . '.auth.lib.php')) { if (! file_exists('./libraries/auth/' . $cfg['Server']['auth_type'] . '.auth.lib.php')) {
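Review bot: `define('PHPMYADMIN', true)` lands after the magic_quotes block near line 52 rather than at the top of common.inc.php, so any guarded library included above that point (by this file or by a caller that pulls in libraries before common.inc.php, such as a standalone setup script) would now silently `exit`; the top of the file is outside this hunk, so please confirm nothing above it includes a guarded file, and that every entry point that bypasses common.inc.php either defines the constant or only includes unguarded files. If nothing above depends on running first, defining the constant as the first statement after `<?php` removes the question entirely. The comment replacing the removed `$coming_from_common = true;` should also say why a constant was chosen: `// a constant, not a variable: with register_globals on a request parameter could set $coming_from_common, but nothing in a request can define() a constant`.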


@@ -5,6 +5,9 @@
* *
* @version $Id$ * @version $Id$
*/ */
if (! defined('PHPMYADMIN')) {
exit;
}
/** /**
* *


@@ -4,6 +4,9 @@
* *
* @version $Id$ * @version $Id$
*/ */
if (! defined('PHPMYADMIN')) {
exit;
}
/** /**
* Gets some core libraries * Gets some core libraries


@@ -34,6 +34,9 @@
* @uses addslashes() * @uses addslashes()
* @version $Id$ * @version $Id$
*/ */
if (! defined('PHPMYADMIN')) {
exit;
}
/** /**
* requirements * requirements


@@ -4,6 +4,9 @@
* *
* @version $Id$ * @version $Id$
*/ */
if (! defined('PHPMYADMIN')) {
exit;
}
/** /**
* *


@@ -4,6 +4,9 @@
* *
* @version $Id$ * @version $Id$
*/ */
if (! defined('PHPMYADMIN')) {
exit;
}
/** /**
* @todo Support seeing the "results" of the called procedure or * @todo Support seeing the "results" of the called procedure or


@@ -6,6 +6,9 @@
* *
* @version $Id$ * @version $Id$
*/ */
if (! defined('PHPMYADMIN')) {
exit;
}
/** /**
* *


@@ -3,6 +3,9 @@
/** /**
* @version $Id$ * @version $Id$
*/ */
if (! defined('PHPMYADMIN')) {
exit;
}
/** /**
* checks for DBG extension and trys to load if not loaded * checks for DBG extension and trys to load if not loaded


@@ -5,6 +5,9 @@
* *
* @version $Id$ * @version $Id$
*/ */
if (! defined('PHPMYADMIN')) {
exit;
}
/** /**
* *


@@ -5,6 +5,9 @@
* *
* @version $Id$ * @version $Id$
*/ */
if (! defined('PHPMYADMIN')) {
exit;
}
// MySQL client API // MySQL client API
if (!defined('PMA_MYSQL_CLIENT_API')) { if (!defined('PMA_MYSQL_CLIENT_API')) {


@@ -5,6 +5,9 @@
* *
* @version $Id$ * @version $Id$
*/ */
if (! defined('PHPMYADMIN')) {
exit;
}
// loic1: autocomplete feature of IE kills the "onchange" event handler and it // loic1: autocomplete feature of IE kills the "onchange" event handler and it
// must be replaced by the "onpropertychange" one in this case // must be replaced by the "onpropertychange" one in this case


@@ -5,6 +5,9 @@
* *
* @version $Id$ * @version $Id$
*/ */
if (! defined('PHPMYADMIN')) {
exit;
}
/** /**
* *


@@ -5,6 +5,9 @@
* *
* @version $Id$ * @version $Id$
*/ */
if (! defined('PHPMYADMIN')) {
exit;
}
/** /**
* *


@@ -4,6 +4,9 @@
* *
* @version $Id$ * @version $Id$
*/ */
if (! defined('PHPMYADMIN')) {
exit;
}
/** /**
* *


@@ -4,6 +4,9 @@
* *
* @version $Id$ * @version $Id$
*/ */
if (! defined('PHPMYADMIN')) {
exit;
}
/** /**
* *


@@ -5,6 +5,9 @@
* *
* @version $Id$ * @version $Id$
*/ */
if (! defined('PHPMYADMIN')) {
exit;
}
/** /**
* Sorts available languages by their true english names * Sorts available languages by their true english names


@@ -9,6 +9,9 @@
* *
* @version $Id$ * @version $Id$
*/ */
if (! defined('PHPMYADMIN')) {
exit;
}
/** /**
* *


@@ -3,6 +3,9 @@
/** /**
* @version $Id$ * @version $Id$
*/ */
if (! defined('PHPMYADMIN')) {
exit;
}
/** /**
* Set of functions used to build CSV dumps of tables * Set of functions used to build CSV dumps of tables


@@ -5,6 +5,9 @@
* *
* @version $Id$ * @version $Id$
*/ */
if (! defined('PHPMYADMIN')) {
exit;
}
/** /**
* *


@@ -5,6 +5,9 @@
* *
* @version $Id$ * @version $Id$
*/ */
if (! defined('PHPMYADMIN')) {
exit;
}
/** /**
* *


@@ -5,6 +5,9 @@
* *
* @version $Id$ * @version $Id$
*/ */
if (! defined('PHPMYADMIN')) {
exit;
}
/** /**
* *


@@ -5,6 +5,9 @@
* *
* @version $Id$ * @version $Id$
*/ */
if (! defined('PHPMYADMIN')) {
exit;
}
/** /**
* *


@@ -5,6 +5,9 @@
* *
* @version $Id$ * @version $Id$
*/ */
if (! defined('PHPMYADMIN')) {
exit;
}
/** /**
* *


@@ -5,6 +5,9 @@
* *
* @version $Id$ * @version $Id$
*/ */
if (! defined('PHPMYADMIN')) {
exit;
}
/** /**
* *


@@ -5,6 +5,9 @@
* *
* @version $Id$ * @version $Id$
*/ */
if (! defined('PHPMYADMIN')) {
exit;
}
/** /**
* *


@@ -5,6 +5,9 @@
* *
* @version $Id$ * @version $Id$
*/ */
if (! defined('PHPMYADMIN')) {
exit;
}
/** /**
* *


@@ -5,6 +5,9 @@
* *
* @version $Id$ * @version $Id$
*/ */
if (! defined('PHPMYADMIN')) {
exit;
}
/** /**
* *


@@ -5,6 +5,9 @@
* *
* @version $Id$ * @version $Id$
*/ */
if (! defined('PHPMYADMIN')) {
exit;
}
/** /**
* *


@@ -5,6 +5,9 @@
* *
* @version $Id$ * @version $Id$
*/ */
if (! defined('PHPMYADMIN')) {
exit;
}
/** /**
* *


@@ -1,7 +1,7 @@
<?php <?php
/* vim: set expandtab sw=4 ts=4 sts=4: */ /* vim: set expandtab sw=4 ts=4 sts=4: */
/** /**
* finishs HTML output * finishes HTML output
* *
* updates javascript variables in index.php for coorect working with querywindow * updates javascript variables in index.php for coorect working with querywindow
* and navigation frame refreshing * and navigation frame refreshing
@@ -44,6 +44,9 @@
* @uses file_exists() * @uses file_exists()
* @version $Id$ * @version $Id$
*/ */
if (! defined('PHPMYADMIN')) {
exit;
}
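Review bot: The docblock typo `coorect` on the line just below the corrected `finishes` is the same class of slip and could be fixed in the same pass (`for correct working with querywindow`); leaving one and fixing the other looks unintentional. The guard itself sits after a 44-line docblock, which is fine since only comments precede it.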
/** /**
* for PMA_setHistory() * for PMA_setHistory()


@@ -4,6 +4,9 @@
* *
* @version $Id$ * @version $Id$
*/ */
if (! defined('PHPMYADMIN')) {
exit;
}
/** /**
* *


@@ -8,6 +8,9 @@
* *
* @version $Id$ * @version $Id$
*/ */
if (! defined('PHPMYADMIN')) {
exit;
}
/** /**
* copy values from one array to another, usally from a superglobal into $GLOBALS * copy values from one array to another, usally from a superglobal into $GLOBALS


@@ -4,6 +4,9 @@
* *
* @version $Id$ * @version $Id$
*/ */
if (! defined('PHPMYADMIN')) {
exit;
}
/** /**
* *


@@ -4,6 +4,9 @@
* *
* @version $Id$ * @version $Id$
*/ */
if (! defined('PHPMYADMIN')) {
exit;
}
/** /**
* *


@@ -4,6 +4,9 @@
* *
* @version $Id$ * @version $Id$
*/ */
if (! defined('PHPMYADMIN')) {
exit;
}
/** /**
* *


@@ -4,6 +4,9 @@
* *
* @version $Id$ * @version $Id$
*/ */
if (! defined('PHPMYADMIN')) {
exit;
}
/** /**
* Gets a core script and starts output buffering work * Gets a core script and starts output buffering work


@@ -4,6 +4,9 @@
* *
* @version $Id$ * @version $Id$
*/ */
if (! defined('PHPMYADMIN')) {
exit;
}
/** /**
* *


@@ -5,6 +5,9 @@
* *
* @version $Id$ * @version $Id$
*/ */
if (! defined('PHPMYADMIN')) {
exit;
}
/** /**
* We need to know something about user * We need to know something about user


@@ -6,6 +6,9 @@
* @todo add an option for handling NULL values * @todo add an option for handling NULL values
* @version $Id$ * @version $Id$
*/ */
if (! defined('PHPMYADMIN')) {
exit;
}
/** /**
* *


@@ -5,6 +5,9 @@
* *
* @version $Id$ * @version $Id$
*/ */
if (! defined('PHPMYADMIN')) {
exit;
}
require_once './libraries/relation.lib.php'; require_once './libraries/relation.lib.php';
$cfgRelation = PMA_getRelationsParam(); $cfgRelation = PMA_getRelationsParam();


@@ -5,6 +5,9 @@
* *
* @version $Id$ * @version $Id$
*/ */
if (! defined('PHPMYADMIN')) {
exit;
}
/** /**
* *


@@ -5,6 +5,9 @@
* *
* @version $Id$ * @version $Id$
*/ */
if (! defined('PHPMYADMIN')) {
exit;
}
/** /**
* *


@@ -11,6 +11,9 @@
* *
* @version $Id$ * @version $Id$
*/ */
if (! defined('PHPMYADMIN')) {
exit;
}
/** /**
* Gets the php internal encoding codes and sets the available encoding * Gets the php internal encoding codes and sets the available encoding


@@ -5,6 +5,9 @@
* *
* @version $Id$ * @version $Id$
*/ */
if (! defined('PHPMYADMIN')) {
exit;
}
/** /**
* lang detection is done here * lang detection is done here


@@ -4,6 +4,9 @@
* *
* @version $Id$ * @version $Id$
*/ */
if (! defined('PHPMYADMIN')) {
exit;
}
/** /**
* Initialization * Initialization


@@ -4,6 +4,9 @@
* *
* @version $Id$ * @version $Id$
*/ */
if (! defined('PHPMYADMIN')) {
exit;
}
/** /**
* Prepares the work and runs some other scripts if required * Prepares the work and runs some other scripts if required


@@ -4,6 +4,9 @@
* *
* @version $Id$ * @version $Id$
*/ */
if (! defined('PHPMYADMIN')) {
exit;
}
/** /**
* *


@@ -6,6 +6,10 @@
* @version $Id$ * @version $Id$
*/ */
if (! defined('PHPMYADMIN')) {
exit;
}
/** /**
* *
*/ */


@@ -5,6 +5,9 @@
* *
* @version $Id$ * @version $Id$
*/ */
if (! defined('PHPMYADMIN')) {
exit;
}
/** /**
* *


@@ -4,6 +4,9 @@
* *
* @version $Id$ * @version $Id$
*/ */
if (! defined('PHPMYADMIN')) {
exit;
}
/** /**
* *


@@ -5,6 +5,9 @@
* *
* @version $Id$ * @version $Id$
*/ */
if (! defined('PHPMYADMIN')) {
exit;
}
/** /**
* *


@@ -5,6 +5,9 @@
* *
* @version $Id$ * @version $Id$
*/ */
if (! defined('PHPMYADMIN')) {
exit;
}
/** /**
* *


@@ -5,9 +5,12 @@
* *
* @version $Id$ * @version $Id$
*/ */
if (! defined('PHPMYADMIN')) {
exit;
}
/** /**
* trys to find the language to use * tries to find the language to use
* *
* @uses $GLOBALS['cfg']['lang'] * @uses $GLOBALS['cfg']['lang']
* @uses $GLOBALS['cfg']['DefaultLang'] * @uses $GLOBALS['cfg']['DefaultLang']


@@ -9,6 +9,9 @@
* @uses $userlink * @uses $userlink
* @version $Id$ * @version $Id$
*/ */
if (! defined('PHPMYADMIN')) {
exit;
}
/** /**
* Gets some core libraries * Gets some core libraries


@@ -4,6 +4,9 @@
* *
* @version $Id$ * @version $Id$
*/ */
if (! defined('PHPMYADMIN')) {
exit;
}
/** /**
* Check parameters * Check parameters


@@ -13,6 +13,9 @@
* @uses version_compare() * @uses version_compare()
* @uses PHP_VERSION * @uses PHP_VERSION
*/ */
if (! defined('PHPMYADMIN')) {
exit;
}
// verify if PHP supports session, die if it does not // verify if PHP supports session, die if it does not


@@ -10,6 +10,9 @@
* @usedby tbl_structure.php * @usedby tbl_structure.php
* @usedby querywindow.php * @usedby querywindow.php
*/ */
if (! defined('PHPMYADMIN')) {
exit;
}
/** /**
* *


@@ -21,6 +21,9 @@
* *
* @version$Id$ * @version$Id$
*/ */
if (! defined('PHPMYADMIN')) {
exit;
}
/** /**
* @global array MySQL function names * @global array MySQL function names


@@ -29,6 +29,9 @@
* *
* @version $Id$ * @version $Id$
*/ */
if (! defined('PHPMYADMIN')) {
exit;
}
/** /**


@@ -27,6 +27,9 @@
* *
* @version $Id$ * @version $Id$
*/ */
if (! defined('PHPMYADMIN')) {
exit;
}
@include_once 'SOAP/Client.php'; @include_once 'SOAP/Client.php';


@@ -29,6 +29,9 @@
* *
* @version $Id$ * @version $Id$
*/ */
if (! defined('PHPMYADMIN')) {
exit;
}
/** /**
* We need the PEAR libraries, so do a minimum version check first * We need the PEAR libraries, so do a minimum version check first


@@ -22,6 +22,9 @@
* @uses defined() * @uses defined()
* @todo a .lib filename should not have code in main(), split or rename file * @todo a .lib filename should not have code in main(), split or rename file
*/ */
if (! defined('PHPMYADMIN')) {
exit;
}
/* Try to load mbstring, unless we're using buggy php version */ /* Try to load mbstring, unless we're using buggy php version */
if (PMA_PHP_INT_VERSION != 40203) { if (PMA_PHP_INT_VERSION != 40203) {


@@ -4,6 +4,9 @@
* *
* @version $Id$ * @version $Id$
*/ */
if (! defined('PHPMYADMIN')) {
exit;
}
/** /**
* Gets some core libraries * Gets some core libraries


@@ -4,6 +4,9 @@
* *
* @version $Id$ * @version $Id$
*/ */
if (! defined('PHPMYADMIN')) {
exit;
}
/** /**
* *


@@ -4,6 +4,9 @@
* *
* @version $Id$ * @version $Id$
*/ */
if (! defined('PHPMYADMIN')) {
exit;
}
/** /**
* Check parameters * Check parameters


@@ -4,6 +4,9 @@
* *
* @version $Id$ * @version $Id$
*/ */
if (! defined('PHPMYADMIN')) {
exit;
}
/** /**
* Check parameters * Check parameters


@@ -29,6 +29,9 @@
* @uses PMA_NO_VARIABLES_IMPORT * @uses PMA_NO_VARIABLES_IMPORT
* @uses PMA_sqlAddslashes() * @uses PMA_sqlAddslashes()
*/ */
if (! defined('PHPMYADMIN')) {
exit;
}
/** /**
* do not import request variable into global scope * do not import request variable into global scope


@@ -4,6 +4,9 @@
* *
* @version $Id$ * @version $Id$
*/ */
if (! defined('PHPMYADMIN')) {
exit;
}
$url_query .= '&amp;goto=tbl_structure.php'; $url_query .= '&amp;goto=tbl_structure.php';