security fixes

ChangeLog

@@ -5,6 +5,14 @@ phpMyAdmin - ChangeLog
 $Id$
 $HeadURL$
 
+2007-01-09 Michal Čihař  <michal@cihar.com>
+    * index.php: Properly escape strings written in JS code.
+    * libraries/Theme_Manager.class.php: Avoid trigger error here, parameter
+      comes from user and it might lead to path disclossure.
+    * libraries/common.lib.php:
+        - Properly escape </script> in JS code.
+        - Check db, table and sql_query params to be string.
+
 2007-01-08 Marc Delisle  <lem9@users.sourceforge.net>
     * libraries/session.inc.php: prevent attack on session name cookie
 

index.php

@@ -116,18 +116,18 @@ header('Content-Type: text/html; charset=' . $GLOBALS['charset']);
 <script type="text/javascript" language="javascript">
 // <![CDATA[
     // definitions used in querywindow.js
-    var common_query = '<?php echo PMA_generate_common_url('', '', '&');?>';
-    var opendb_url = '<?php echo $GLOBALS['cfg']['DefaultTabDatabase']; ?>';
+    var common_query = '<?php echo PMA_escapeJsString(PMA_generate_common_url('', '', '&'));?>';
+    var opendb_url = '<?php echo PMA_escapeJsString($GLOBALS['cfg']['DefaultTabDatabase']); ?>';
     var safari_browser = <?php echo PMA_USR_BROWSER_AGENT == 'SAFARI' ? 'true' : 'false' ?>;
-    var querywindow_height = <?php echo $GLOBALS['cfg']['QueryWindowHeight']; ?>;
-    var querywindow_width = <?php echo $GLOBALS['cfg']['QueryWindowWidth']; ?>;
-    var collation_connection = '<?php echo $GLOBALS['collation_connection']; ?>';
-    var lang = '<?php echo $GLOBALS['lang']; ?>';
-    var server = '<?php echo $GLOBALS['server']; ?>';
-    var table = '<?php echo $GLOBALS['table']; ?>';
-    var db    = '<?php echo $GLOBALS['db']; ?>';
-    var text_dir = '<?php echo $GLOBALS['text_dir']; ?>';
-    var pma_absolute_uri = '<?php echo $GLOBALS['cfg']['PmaAbsoluteUri']; ?>';
+    var querywindow_height = <?php echo PMA_escapeJsString($GLOBALS['cfg']['QueryWindowHeight']); ?>;
+    var querywindow_width = <?php echo PMA_escapeJsString($GLOBALS['cfg']['QueryWindowWidth']); ?>;
+    var collation_connection = '<?php echo PMA_escapeJsString($GLOBALS['collation_connection']); ?>';
+    var lang = '<?php echo PMA_escapeJsString($GLOBALS['lang']); ?>';
+    var server = '<?php echo PMA_escapeJsString($GLOBALS['server']); ?>';
+    var table = '<?php echo PMA_escapeJsString($GLOBALS['table']); ?>';
+    var db    = '<?php echo PMA_escapeJsString($GLOBALS['db']); ?>';
+    var text_dir = '<?php echo PMA_escapeJsString($GLOBALS['text_dir']); ?>';
+    var pma_absolute_uri = '<?php echo PMA_escapeJsString($GLOBALS['cfg']['PmaAbsoluteUri']); ?>';
 // ]]>
 </script>
 <script src="./js/querywindow.js" type="text/javascript" language="javascript">

libraries/Theme_Manager.class.php

@@ -142,9 +142,10 @@ class PMA_Theme_Manager {
         if ( ! $this->checkTheme($theme)) {
             $GLOBALS['PMA_errors'][] = sprintf($GLOBALS['strThemeNotFound'],
                 htmlspecialchars($theme));
-            trigger_error(
+            /* Following code can lead to path disclossure, because headers will be sent later */
+/*          trigger_error(
                 sprintf($GLOBALS['strThemeNotFound'], htmlspecialchars($theme)),
-                E_USER_WARNING);
+                E_USER_WARNING);*/
             return false;
         }
 

libraries/common.lib.php

@@ -1156,7 +1156,7 @@ if (!defined('PMA_MINIMUM_COMMON')) {
                             '\'' => '\\\'',
                             "\n" => '\n',
                             "\r" => '\r',
-                            '</script' => '<\' + \'script'));
+                            '</script' => '</\' + \'script'));
     }
 
     /**
@@ -2746,7 +2746,7 @@ if (isset($_REQUEST['convcharset'])) {
  * @global string $GLOBALS['db']
  */
 $GLOBALS['db'] = '';
-if (isset($_REQUEST['db'])) {
+if (isset($_REQUEST['db']) && is_string($_REQUEST['db'])) {
     // can we strip tags from this?
     // only \ and / is not allowed in db names for MySQL
     $GLOBALS['db'] = $_REQUEST['db'];
@@ -2758,7 +2758,7 @@ if (isset($_REQUEST['db'])) {
  * @global string $GLOBALS['table']
  */
 $GLOBALS['table'] = '';
-if (isset($_REQUEST['table'])) {
+if (isset($_REQUEST['table']) && is_string($_REQUEST['table'])) {
     // can we strip tags from this?
     // only \ and / is not allowed in table names for MySQL
     $GLOBALS['table'] = $_REQUEST['table'];
@@ -2769,7 +2769,7 @@ if (isset($_REQUEST['table'])) {
  * sql query to be executed
  * @global string $GLOBALS['sql_query']
  */
-if (isset($_REQUEST['sql_query'])) {
+if (isset($_REQUEST['sql_query']) && is_string($_REQUEST['sql_query'])) {
     $GLOBALS['sql_query'] = $_REQUEST['sql_query'];
 }