From bd59eb6f3c3ab32d323383a710598a42228854dc Mon Sep 17 00:00:00 2001
From: Marc Delisle
Date: Wed, 5 Oct 2005 19:40:12 +0000
Subject: [PATCH] bug #1311384, Create table dialog on escaped wildcard privileges
---
 ChangeLog | 2 +
 libraries/display_create_table.lib.php | 60 ++++++++++++++++++++++----
 2 files changed, 53 insertions(+), 9 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index e177451f3..62b9b178d 100755
--- a/ChangeLog
+++ b/ChangeLog
@@ -12,6 +12,8 @@ $Source$ thanks to Vernon Lyon - vlyon * libraries/charset_conversion.lib.php: PMA_MYSQL_INT_VERSION is not defined at login time but what tested
+ * libraries/display_create_table.lib.php, bug #1311384, Create table
+ dialog on escaped wildcard privileges
 2005-10-04 Sebastian Mendel * libraries/functions.js, libraries/sql_query_form.lib.php:
diff --git a/libraries/display_create_table.lib.php b/libraries/display_create_table.lib.php
index 44d6a3fcb..08a5d51e3 100644
--- a/libraries/display_create_table.lib.php
+++ b/libraries/display_create_table.lib.php
@@ -7,24 +7,66 @@ require_once('./libraries/check_user_privileges.lib.php'); $is_create_table_priv = FALSE; -// TODO: escaped wildcard patterns -$mysql_wildcards = array('%','_'); -$preg_patterns = array('(.*)', '.'); foreach($dbs_where_create_table_allowed as $allowed_db) { + + // if we find the exact db name, we stop here + if ($allowed_db == $db) { + $is_create_table_priv = TRUE; + break; + } + // '*' indicates a global CREATE priv if ($allowed_db == '*') { $is_create_table_priv = TRUE; break; } - $matches = ''; - if (preg_match('@' .str_replace($mysql_wildcards, $preg_patterns, $allowed_db) . '@i', $db, $matches)) { - if ($matches[0] == $db) { - $is_create_table_priv = TRUE; - break; + + if (ereg('%|_', $allowed_db)) { + // take care of wildcards and escaped wildcards, + // transforming them into regexp patterns + $max_position = strlen($allowed_db) - 1; + $i = 0; + $pattern = ''; + while ($i <= $max_position) { + if ($allowed_db[$i] == '\\'){ + if ($i < $max_position - 1 && $allowed_db[$i+1] == '_'){ + $chunk = '_'; + $i++; + } elseif ($i < $max_position - 1 && $allowed_db[$i+1] == '%'){ + $chunk = '%'; + $i++; + } else { + $chunk = $allowed_db[$i]; + } + } elseif ($allowed_db[$i] == '_'){ + $chunk = '.'; + } elseif ($allowed_db[$i] == '%'){ + $chunk = '(.)*'; + } else { + $chunk = $allowed_db[$i]; + } + $pattern .= $chunk; + $i++; + } // end while + unset($i, $max_position, $chunk); + + $matches = ''; + if (preg_match('@' .$pattern . '@i', $db, $matches)) { + if ($matches[0] == $db) { + $is_create_table_priv = TRUE; + break; + //TODO: maybe receive in $allowed_db also the db names + // on which we cannot CREATE, and check them + // in this foreach, because if a user is allowed to CREATE + // on db foo% but forbidden on db foobar, he should not + // see the Create table dialog + } } } -} +} // end foreach +unset($i, $max_position, $chunk, $pattern); + if ($is_create_table_priv) { ?>
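Review bot: The look-ahead guard in the backslash branch is off by one: `$max_position` is already the last valid index, so `$i < $max_position - 1` fails to recognise an escaped wildcard in the final two characters of a grant (constructed example: `foo\_`), and the leftover backslash then escapes the generated `.` or `(` in the pattern; both tests should read `$i < $max_position`. The two literal branches also copy `$allowed_db[$i]` into the pattern unquoted, so a regex metacharacter or the `@` delimiter in a grant name is parsed as regex syntax; `$chunk = preg_quote($allowed_db[$i], '@');` keeps literals literal. The flag appears to decide only whether the Create table dialog is displayed, so either slip makes the UI disagree with what the server presumably enforces, and a short comment above the loop stating the mapping (`\_` and `\%` literal, `_` one character, `%` any run) would make that easier to audit. The `if ($is_create_table_priv)` block that consumes the flag continues past the end of this hunk.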