From aa6fec0532a9dd48d4e35831c1b1c9785c124dd7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C4=8Ciha=C5=99?=
Date: Tue, 7 Dec 2010 12:19:07 +0100
Subject: [PATCH] Remove error.php

Redirecting to other script introduces possibility of inject custom messages to it. Though there is no clear security issue in this, it might confuse users and mistake them to go to external site as it allows to include links.
---
 libraries/common.inc.php | 1 -
 libraries/core.lib.php | 15 ++++-----
 error.php => libraries/error.inc.php | 46 +++++-----------------------
 3 files changed, 13 insertions(+), 49 deletions(-)
 rename error.php => libraries/error.inc.php (53%)

diff --git a/libraries/common.inc.php b/libraries/common.inc.php
index 1a140bba9..4a67cbc80 100644
--- a/libraries/common.inc.php
+++ b/libraries/common.inc.php
@@ -372,7 +372,6 @@ $goto_whitelist = array(
 'db_printview.php',
 'db_search.php',
 //'Documentation.html',
- //'error.php',
 'export.php',
 'import.php',
 //'index.php',
diff --git a/libraries/core.lib.php b/libraries/core.lib.php
index 97d443af1..54da58c47 100644
--- a/libraries/core.lib.php
+++ b/libraries/core.lib.php
@@ -235,21 +235,18 @@ function PMA_fatalError($error_message, $message_args = null)
 }
 // Displays the error message
- // (do not use & for parameters sent by header)
- $query_params = array(
- 'lang' => $GLOBALS['available_languages'][$GLOBALS['lang']][1],
- 'dir' => $GLOBALS['text_dir'],
- 'type' => $error_header,
- 'error' => $error_message,
- );
- header('Location: ' . (defined('PMA_SETUP') ? '../' : '') . 'error.php?'
- . http_build_query($query_params, null, '&'));
+ $lang = $GLOBALS['available_languages'][$GLOBALS['lang']][1];
+ $dir = $GLOBALS['text_dir'];
+ $type = $error_header;
+ $error = $error_message;
 // on fatal errors it cannot hurt to always delete the current session
 if (isset($GLOBALS['session_name']) && isset($_COOKIE[$GLOBALS['session_name']])) {
 $GLOBALS['PMA_Config']->removeCookie($GLOBALS['session_name']);
 }
+ require('./libraries/error.inc.php');
+ exit;
 }
diff --git a/error.php b/libraries/error.inc.php
similarity index 53%
rename from error.php
rename to libraries/error.inc.php
index b1d47e245..95d884792 100644
--- a/error.php
+++ b/libraries/error.inc.php
@@ -6,34 +6,11 @@
 * @package phpMyAdmin
 */
-/**
- * Input sanitizing.
- */
-require './libraries/sanitizing.lib.php';
-
-/* Get variables */
-if (! empty($_REQUEST['lang']) && is_string($_REQUEST['lang'])) {
- $lang = htmlspecialchars($_REQUEST['lang']);
-} else {
- $lang = 'en';
+if (! defined('PHPMYADMIN')) {
+ exit;
 }
-if (! empty($_REQUEST['dir']) && is_string($_REQUEST['dir'])) {
- $dir = htmlspecialchars($_REQUEST['dir']);
-} else {
- $dir = 'ltr';
-}
-
-if (! empty($_REQUEST['type']) && is_string($_REQUEST['type'])) {
- $type = htmlspecialchars($_REQUEST['type']);
-} else {
- $type = 'error';
-}
-
-// force utf-8 to avoid XSS with crafted URL and utf-7 in charset parameter
-$charset = 'utf-8';
-
-header('Content-Type: text/html; charset=' . $charset);
+header('Content-Type: text/html; charset=utf-8');
 ?>
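Review bot: The new `require('./libraries/error.inc.php');` near the end of PMA_fatalError resolves against the process's working directory and drops the `defined('PMA_SETUP') ? '../' : ''` prefix that the removed `header('Location: ...')` carried, so a fatal error raised from the setup scripts would presumably fail to locate the include unless those scripts change directory first. Because core.lib.php sits in libraries/ itself, anchoring on the file's own location removes the guess: `require(dirname(__FILE__) . '/error.inc.php');`. The four new assignments also deserve a one-line comment, e.g. `// $lang, $dir, $type and $error are read by libraries/error.inc.php below`, since they otherwise look like unused locals. The start of PMA_fatalError lies above this hunk.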
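Review bot: The kept header now relies on the including scope to provide `$lang`, `$dir`, `$type` and `$error`, yet nothing in the file says so; the removed block that read them from `$_REQUEST` with `htmlspecialchars()` and defaults was the only statement of that contract. Add a comment after the `PHPMYADMIN` guard such as `// Included from PMA_fatalError() in libraries/core.lib.php, which sets $lang, $dir, $type and $error; nothing is read from the request here.` The removed code also escaped those three values before output, and the HTML body that prints them and `$error` lies outside this hunk, so it is worth confirming that escaping still happens at the echo sites, since a fatal-error message may incorporate request-derived text. The `defined('PHPMYADMIN')` guard is the right replacement for a standalone entry point: direct requests to the file now produce nothing.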
@@ -41,7 +18,7 @@ header('Content-Type: text/html; charset=' . $charset); phpMyAdmin - + -

phpMyAdmin -

-

+

phpMyAdmin -

+

+