security fixes
@@ -5,6 +5,14 @@ phpMyAdmin - ChangeLog
$Id$
$Id$
$HeadURL$
$HeadURL$
2007-01-09 Michal Čihař <michal@cihar.com>
* index.php: Properly escape strings written in JS code.
* libraries/Theme_Manager.class.php: Avoid trigger error here, parameter
comes from user and it might lead to path disclossure.
* libraries/common.lib.php:
- Properly escape </script> in JS code.
- Check db, table and sql_query params to be string.
2007-01-08 Marc Delisle <lem9@users.sourceforge.net>
2007-01-08 Marc Delisle <lem9@users.sourceforge.net>
* libraries/session.inc.php: prevent attack on session name cookie
* libraries/session.inc.php: prevent attack on session name cookie
22
index.php
22
index.php
@@ -116,18 +116,18 @@ header('Content-Type: text/html; charset=' . $GLOBALS['charset']);
<script type="text/javascript" language="javascript">
<script type="text/javascript" language="javascript">
// <![CDATA[
// <![CDATA[
// definitions used in querywindow.js
// definitions used in querywindow.js
var common_query = '<?php echo PMA_generate_common_url('', '', '&');?>';
var common_query = '<?php echo PMA_escapeJsString(PMA_generate_common_url('', '', '&'));?>';
var opendb_url = '<?php echo $GLOBALS['cfg']['DefaultTabDatabase']; ?>';
var opendb_url = '<?php echo PMA_escapeJsString($GLOBALS['cfg']['DefaultTabDatabase']); ?>';
var safari_browser = <?php echo PMA_USR_BROWSER_AGENT == 'SAFARI' ? 'true' : 'false' ?>;
var safari_browser = <?php echo PMA_USR_BROWSER_AGENT == 'SAFARI' ? 'true' : 'false' ?>;
var querywindow_height = <?php echo $GLOBALS['cfg']['QueryWindowHeight']; ?>;
var querywindow_height = <?php echo PMA_escapeJsString($GLOBALS['cfg']['QueryWindowHeight']); ?>;
var querywindow_width = <?php echo $GLOBALS['cfg']['QueryWindowWidth']; ?>;
var querywindow_width = <?php echo PMA_escapeJsString($GLOBALS['cfg']['QueryWindowWidth']); ?>;
var collation_connection = '<?php echo $GLOBALS['collation_connection']; ?>';
var collation_connection = '<?php echo PMA_escapeJsString($GLOBALS['collation_connection']); ?>';
var lang = '<?php echo $GLOBALS['lang']; ?>';
var lang = '<?php echo PMA_escapeJsString($GLOBALS['lang']); ?>';
var server = '<?php echo $GLOBALS['server']; ?>';
var server = '<?php echo PMA_escapeJsString($GLOBALS['server']); ?>';
var table = '<?php echo $GLOBALS['table']; ?>';
var table = '<?php echo PMA_escapeJsString($GLOBALS['table']); ?>';
var db = '<?php echo $GLOBALS['db']; ?>';
var db = '<?php echo PMA_escapeJsString($GLOBALS['db']); ?>';
var text_dir = '<?php echo $GLOBALS['text_dir']; ?>';
var text_dir = '<?php echo PMA_escapeJsString($GLOBALS['text_dir']); ?>';
var pma_absolute_uri = '<?php echo $GLOBALS['cfg']['PmaAbsoluteUri']; ?>';
var pma_absolute_uri = '<?php echo PMA_escapeJsString($GLOBALS['cfg']['PmaAbsoluteUri']); ?>';
// ]]>
// ]]>
</script>
</script>
<script src="./js/querywindow.js" type="text/javascript" language="javascript">
<script src="./js/querywindow.js" type="text/javascript" language="javascript">
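Review bot: PMA_escapeJsString is applied to QueryWindowHeight and QueryWindowWidth, but those two values are emitted outside quotes as bare JS numbers, so escaping for a string literal does not constrain what reaches the script in that position; a numeric cast matches the context instead: `var querywindow_height = <?php echo (int) $GLOBALS['cfg']['QueryWindowHeight']; ?>;` and likewise for `querywindow_width`. The quoted assignments (common_query, opendb_url, collation_connection, lang, server, table, db, text_dir, pma_absolute_uri) are in string context, where the new escaping is the right tool, and `safari_browser` already emits a fixed true/false. These two values come from the configuration array rather than the request, so the practical exposure is presumably limited to a misconfigured install, but the cast keeps the generated script well-formed for any input.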
@@ -142,9 +142,10 @@ class PMA_Theme_Manager {
if ( ! $this->checkTheme($theme)) {
if ( ! $this->checkTheme($theme)) {
$GLOBALS['PMA_errors'][] = sprintf($GLOBALS['strThemeNotFound'],
$GLOBALS['PMA_errors'][] = sprintf($GLOBALS['strThemeNotFound'],
htmlspecialchars($theme));
htmlspecialchars($theme));
trigger_error(
/* Following code can lead to path disclossure, because headers will be sent later */
/* trigger_error(
sprintf($GLOBALS['strThemeNotFound'], htmlspecialchars($theme)),
sprintf($GLOBALS['strThemeNotFound'], htmlspecialchars($theme)),
E_USER_WARNING);
E_USER_WARNING);*/
return false;
return false;
}
}
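Review bot: The trigger_error() call is kept as a commented-out `/* trigger_error( … E_USER_WARNING);*/` block instead of being deleted, and the explanatory comment above it misspells "disclosure"; commented-out code tends to get re-enabled later, so remove the three dead lines and keep a single comment stating the reason, e.g. `// No trigger_error() here: $theme is user-supplied and headers are not sent yet, so a warning could expose the install path.`. The retained behaviour is that the message is still recorded in $GLOBALS['PMA_errors'] with htmlspecialchars() applied before `return false`, which is the visible intent. The enclosing method begins and ends outside the hunk.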
@@ -1156,7 +1156,7 @@ if (!defined('PMA_MINIMUM_COMMON')) {
'\'' => '\\\'',
'\'' => '\\\'',
"\n" => '\n',
"\n" => '\n',
"\r" => '\r',
"\r" => '\r',
'</script' => '<\' + \'script'));
'</script' => '</\' + \'script'));
}
}
/**
/**
@@ -2746,7 +2746,7 @@ if (isset($_REQUEST['convcharset'])) {
* @global string $GLOBALS['db']
* @global string $GLOBALS['db']
*/
*/
$GLOBALS['db'] = '';
$GLOBALS['db'] = '';
if (isset($_REQUEST['db'])) {
if (isset($_REQUEST['db']) && is_string($_REQUEST['db'])) {
// can we strip tags from this?
// can we strip tags from this?
// only \ and / is not allowed in db names for MySQL
// only \ and / is not allowed in db names for MySQL
$GLOBALS['db'] = $_REQUEST['db'];
$GLOBALS['db'] = $_REQUEST['db'];
@@ -2758,7 +2758,7 @@ if (isset($_REQUEST['db'])) {
* @global string $GLOBALS['table']
* @global string $GLOBALS['table']
*/
*/
$GLOBALS['table'] = '';
$GLOBALS['table'] = '';
if (isset($_REQUEST['table'])) {
if (isset($_REQUEST['table']) && is_string($_REQUEST['table'])) {
// can we strip tags from this?
// can we strip tags from this?
// only \ and / is not allowed in table names for MySQL
// only \ and / is not allowed in table names for MySQL
$GLOBALS['table'] = $_REQUEST['table'];
$GLOBALS['table'] = $_REQUEST['table'];
@@ -2769,7 +2769,7 @@ if (isset($_REQUEST['table'])) {
* sql query to be executed
* sql query to be executed
* @global string $GLOBALS['sql_query']
* @global string $GLOBALS['sql_query']
*/
*/
if (isset($_REQUEST['sql_query'])) {
if (isset($_REQUEST['sql_query']) && is_string($_REQUEST['sql_query'])) {
$GLOBALS['sql_query'] = $_REQUEST['sql_query'];
$GLOBALS['sql_query'] = $_REQUEST['sql_query'];
}
}
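Review bot: In the sql_query hunk the new is_string() guard has no default to fall back on: db and table are each set to '' before their check, but `$GLOBALS['sql_query']` is only assigned inside the if, so a request that carries sql_query as a non-string (exactly the case the guard now rejects) leaves it undefined unless something outside the hunk initialises it. Mirror the other two blocks by adding `$GLOBALS['sql_query'] = '';` directly before `if (isset($_REQUEST['sql_query']) && is_string($_REQUEST['sql_query'])) {`. The db and table hunks apply the same is_string() pattern and are already covered by their existing `= ''` defaults. In the escape-map hunk, the `'</script' => '</\' + \'script'` replacement only works when the output is placed inside a single-quoted JS string literal; a short comment on the map, e.g. `// replacements assume a single-quoted JS string context`, would record that constraint (the function's signature is outside the hunk).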