From b01a58118f973f98ab99a4bb28d340af49fa251f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C4=8Ciha=C5=99?=
Date: Thu, 6 Jan 2011 09:39:23 +0100
Subject: [PATCH] Remove error.php
Redirecting to other script introduces possibility of inject custom messages to it. Though there is no clear security issue in this, it might confuse users and mistake them to go to external site as it allows to include links.
Conflicts:
 error.php
 libraries/core.lib.php
---
 libraries/common.inc.php | 1 -
 libraries/core.lib.php | 12 ++++----
 error.php => libraries/error.inc.php | 46 +++++-----------------------
 3 files changed, 14 insertions(+), 45 deletions(-)
 rename error.php => libraries/error.inc.php (52%)
diff --git a/libraries/common.inc.php b/libraries/common.inc.php
index 4cb469247..ea9f2d828 100644
--- a/libraries/common.inc.php
+++ b/libraries/common.inc.php
@@ -305,7 +305,6 @@ $goto_whitelist = array(
 'db_printview.php',
 'db_search.php',
 //'Documentation.html',
- //'error.php',
 'export.php',
 'import.php',
 //'index.php',
diff --git a/libraries/core.lib.php b/libraries/core.lib.php
index 669efec49..a84e05666 100644
--- a/libraries/core.lib.php
+++ b/libraries/core.lib.php
@@ -241,18 +241,18 @@ function PMA_fatalError($error_message, $message_args = null)
 $error_message = strtr($error_message, array('
' => '[br]'));
 // Displays the error message
- // (do not use & for parameters sent by header)
- header('Location: ' . (defined('PMA_SETUP') ? '../' : '') . 'error.php'
- . '?lang=' . urlencode($GLOBALS['available_languages'][$GLOBALS['lang']][2])
- . '&dir=' . urlencode($GLOBALS['text_dir'])
- . '&type=' . urlencode($GLOBALS['strError'])
- . '&error=' . urlencode($error_message));
+ $lang = $GLOBALS['available_languages'][$GLOBALS['lang']][2];
+ $dir = $GLOBALS['text_dir'];
+ $type = $GLOBALS['strError'];
+ $error = $error_message;
 // on fatal errors it cannot hurt to always delete the current session
 if (isset($GLOBALS['session_name']) && isset($_COOKIE[$GLOBALS['session_name']])) {
 PMA_removeCookie($GLOBALS['session_name']);
 }
+ require('./libraries/error.inc.php');
+ exit;
 }
diff --git a/error.php b/libraries/error.inc.php
similarity index 52%
rename from error.php
rename to libraries/error.inc.php
index 750ac60e3..95d884792 100644
--- a/error.php
+++ b/libraries/error.inc.php
@@ -3,35 +3,14 @@
 /**
 * phpMyAdmin fatal error display page
 *
- * @version $Id$
+ * @package phpMyAdmin
 */
-/* Input sanitizing */
-require_once './libraries/sanitizing.lib.php';
-
-/* Get variables */
-if (! empty($_REQUEST['lang']) && is_string($_REQUEST['lang'])) {
- $lang = htmlspecialchars($_REQUEST['lang']);
-} else {
- $lang = 'en';
+if (! defined('PHPMYADMIN')) {
+ exit;
 }
-if (! empty($_REQUEST['dir']) && is_string($_REQUEST['dir'])) {
- $dir = htmlspecialchars($_REQUEST['dir']);
-} else {
- $dir = 'ltr';
-}
-
-if (! empty($_REQUEST['type']) && is_string($_REQUEST['type'])) {
- $type = htmlspecialchars($_REQUEST['type']);
-} else {
- $type = 'error';
-}
-
-// force utf-8 to avoid XSS with crafted URL and utf-7 in charset parameter
-$charset = 'utf-8';
-
-header('Content-Type: text/html; charset=' . $charset);
+header('Content-Type: text/html; charset=utf-8');
 ?>
@@ -39,7 +18,7 @@ header('Content-Type: text/html; charset=' . $charset); phpMyAdmin - + -
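Review bot: The new `require('./libraries/error.inc.php');` drops the `PMA_SETUP` path adjustment that the removed `header('Location: ...')` line carried (`defined('PMA_SETUP') ? '../' : ''`), so if the setup scripts reach PMA_fatalError with a working directory in which `./libraries/` does not resolve, the fatal-error handler would itself fail on a missing include; keeping the prefix, `require((defined('PMA_SETUP') ? '../' : './') . 'libraries/error.inc.php');`, or building the path from `dirname(__FILE__)` avoids that dependency on the cwd. The four new assignments also hand `$lang`, `$dir`, `$type` and `$error` to the template as raw values, whereas the old error.php applied htmlspecialchars() to its request parameters at its input boundary, so that escaping now has to happen where the template echoes them — the echo lines are not in this hunk, so I cannot confirm they do. A comment above the assignments stating the contract, e.g. `// consumed by libraries/error.inc.php, which must escape these when echoing`, would make the hand-off explicit. PMA_fatalError's body starts outside the hunk.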
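Review bot: The renamed include now relies on `$lang`, `$dir`, `$type` and `$error` being defined by whichever code requires it, but the file docblock does not say so and the old fallbacks (`'en'`, `'ltr'`, `'error'`) are gone, so an include from any other call site would raise undefined-variable notices and render empty attributes. Add a docblock line such as ` * Expects $lang, $dir, $type and $error to be set by the including code (see PMA_fatalError in libraries/core.lib.php); the PHPMYADMIN guard stops direct requests.` The removal of `require_once './libraries/sanitizing.lib.php'` means the template can no longer assume the sanitizing helpers are loaded; if the output of `$error` further down depends on them, that dependency belongs in the same docblock. Replacing the `$_REQUEST` reads with the `PHPMYADMIN` guard is the right direction, since the displayed values are no longer taken from the URL.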

phpMyAdmin -

-

+

phpMyAdmin -

+

+