Improve functionality of limiting DROP DATABASE (bug #1456082).

This commit is contained in:
Michal Čihař
2006-04-27 11:35:54 +00:00
parent 4a4baf3a88
commit bfec931486
7 changed files with 88 additions and 78 deletions


@@ -24,6 +24,9 @@ $Source$
* Documentation.html: Various fixes in documentation, mostly grammmar * Documentation.html: Various fixes in documentation, mostly grammmar
(patch #1453198, thanks to Isaac Bennetch - ibennetch). (patch #1453198, thanks to Isaac Bennetch - ibennetch).
* lang/*: Remove *font_family. * lang/*: Remove *font_family.
* Documentation.html, import.php, querywindow.php, js/functions.js,
libraries/header.inc.php, libraries/import.lib.php: Improve
functionality of limiting DROP DATABASE (bug #1456082).
2006-04-26 Michal Čihař <michal@cihar.com> 2006-04-26 Michal Čihař <michal@cihar.com>
* libraries/plugin_interface.lib.php: * libraries/plugin_interface.lib.php:


@@ -1028,7 +1028,13 @@ ALTER TABLE `pma_column_comments`
delete their own database or not. If set as FALSE, the link &quot;Drop delete their own database or not. If set as FALSE, the link &quot;Drop
Database&quot; will not be shown, and even a &quot;DROP DATABASE Database&quot; will not be shown, and even a &quot;DROP DATABASE
mydatabase&quot; will be rejected. Quite practical for mydatabase&quot; will be rejected. Quite practical for
<abbr title="Internet service provider">ISP</abbr>'s with many customers.</dd> <abbr title="Internet service provider">ISP</abbr>'s with many
customers.<br />
Please note that this limitation of SQL queries is not as strict as
when using MySQL privileges. This is due to nature of SQL queries
which might be quite complicated. So this choice should be viewed as
help to avoid accidental dropping rather than strict privilege
limitation.</dd>
<dt id="cfg_Confirm">$cfg[Confirm] boolean</dt> <dt id="cfg_Confirm">$cfg[Confirm] boolean</dt>
<dd>Whether a warning (&quot;Are your really sure...&quot;) should be <dd>Whether a warning (&quot;Are your really sure...&quot;) should be


@@ -19,12 +19,12 @@ if (!empty($sql_query)) {
$import_text = $sql_query; $import_text = $sql_query;
$import_type = 'query'; $import_type = 'query';
$format = 'sql'; $format = 'sql';
// refresh left frame on changes in table or db structure // refresh left frame on changes in table or db structure
if (preg_match('/^(CREATE|ALTER|DROP)\s+(VIEW|TABLE|DATABASE|SCHEMA)\s+/i', $sql_query)) { if (preg_match('/^(CREATE|ALTER|DROP)\s+(VIEW|TABLE|DATABASE|SCHEMA)\s+/i', $sql_query)) {
$GLOBALS['reload'] = true; $GLOBALS['reload'] = true;
} }
unset($sql_query); unset($sql_query);
} elseif (!empty($sql_localfile)) { } elseif (!empty($sql_localfile)) {
// run SQL file on server // run SQL file on server
@@ -44,7 +44,7 @@ if (!empty($sql_query)) {
$format = 'sql'; $format = 'sql';
} }
// If we didn't get any parameters, either user called this directly, or // If we didn't get any parameters, either user called this directly, or
// upload limit has been reached, let's assume the second possibility. // upload limit has been reached, let's assume the second possibility.
if ($_POST == array() && $_GET == array()) { if ($_POST == array() && $_GET == array()) {
require_once('./libraries/header.inc.php'); require_once('./libraries/header.inc.php');
@@ -137,12 +137,12 @@ if (!empty($id_bookmark)) {
if (isset($bookmark_variable) && !empty($bookmark_variable)) { if (isset($bookmark_variable) && !empty($bookmark_variable)) {
$import_text = preg_replace('|/\*(.*)\[VARIABLE\](.*)\*/|imsU', '${1}' . PMA_sqlAddslashes($bookmark_variable) . '${2}', $import_text); $import_text = preg_replace('|/\*(.*)\[VARIABLE\](.*)\*/|imsU', '${1}' . PMA_sqlAddslashes($bookmark_variable) . '${2}', $import_text);
} }
// refresh left frame on changes in table or db structure // refresh left frame on changes in table or db structure
if (preg_match('/^(CREATE|ALTER|DROP)\s+(VIEW|TABLE|DATABASE|SCHEMA)\s+/i', $import_text)) { if (preg_match('/^(CREATE|ALTER|DROP)\s+(VIEW|TABLE|DATABASE|SCHEMA)\s+/i', $import_text)) {
$GLOBALS['reload'] = true; $GLOBALS['reload'] = true;
} }
break; break;
case 1: // bookmarked query that have to be displayed case 1: // bookmarked query that have to be displayed
$import_text = PMA_queryBookmarks($db, $cfg['Bookmark'], $id_bookmark); $import_text = PMA_queryBookmarks($db, $cfg['Bookmark'], $id_bookmark);
@@ -178,7 +178,7 @@ if (!empty($bkm_label) && !empty($import_text)) {
} }
PMA_addBookmarks($bfields, $cfg['Bookmark'], isset($bkm_all_users)); PMA_addBookmarks($bfields, $cfg['Bookmark'], isset($bkm_all_users));
$bookmark_created = TRUE; $bookmark_created = TRUE;
} // end store bookmarks } // end store bookmarks
@@ -239,7 +239,7 @@ if ($import_file != 'none' && !$error) {
} }
} }
} }
// Handle file compression // Handle file compression
$compression = PMA_detectCompression($import_file); $compression = PMA_detectCompression($import_file);
if ($compression === FALSE) { if ($compression === FALSE) {


@@ -138,7 +138,7 @@ function confirmQuery(theForm1, sqlQuery1)
else { else {
// "DROP DATABASE" statement isn't allowed // "DROP DATABASE" statement isn't allowed
if (noDropDbMsg != '') { if (noDropDbMsg != '') {
var drop_re = new RegExp('DROP\\s+(IF EXISTS\\s+)?DATABASE\\s', 'i'); var drop_re = new RegExp('(^|;)\\s*DROP\\s+(IF EXISTS\\s+)?DATABASE\\s', 'i');
if (drop_re.test(sqlQuery1.value)) { if (drop_re.test(sqlQuery1.value)) {
alert(noDropDbMsg); alert(noDropDbMsg);
theForm1.reset(); theForm1.reset();
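Review bot: The anchored pattern on the new `drop_re` line still spells `IF EXISTS` with one literal space, so `IF` and `EXISTS` separated by a tab or two spaces are not recognised, while every other gap in the same expression already uses `\\s+`. Making that group consistent reads `var drop_re = new RegExp('(^|;)\\s*DROP\\s+(IF\\s+EXISTS\\s+)?DATABASE\\s', 'i');`. This check only drives the alert in confirmQuery; the enforcing test is the PHP one in libraries/import.lib.php in this same commit, so the two patterns should at least agree on whitespace. confirmQuery's body continues outside the hunk.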


@@ -66,7 +66,8 @@ if (empty($GLOBALS['is_header_sent'])) {
// js form validation stuff // js form validation stuff
var errorMsg0 = '<?php echo str_replace('\'', '\\\'', $GLOBALS['strFormEmpty']); ?>'; var errorMsg0 = '<?php echo str_replace('\'', '\\\'', $GLOBALS['strFormEmpty']); ?>';
var errorMsg1 = '<?php echo str_replace('\'', '\\\'', $GLOBALS['strNotNumber']); ?>'; var errorMsg1 = '<?php echo str_replace('\'', '\\\'', $GLOBALS['strNotNumber']); ?>';
var noDropDbMsg = '<?php echo((!$GLOBALS['cfg']['AllowUserDropDatabase']) ? str_replace('\'', '\\\'', $GLOBALS['strNoDropDatabases']) : ''); ?>'; var noDropDbMsg = '<?php echo (!$is_superuser && !$GLOBALS['cfg']['AllowUserDropDatabase'])
? str_replace('\'', '\\\'', $GLOBALS['strNoDropDatabases']) : ''; ?>';
var confirmMsg = '<?php echo(($GLOBALS['cfg']['Confirm']) ? str_replace('\'', '\\\'', $GLOBALS['strDoYouReally']) : ''); ?>'; var confirmMsg = '<?php echo(($GLOBALS['cfg']['Confirm']) ? str_replace('\'', '\\\'', $GLOBALS['strDoYouReally']) : ''); ?>';
var confirmMsgDropDB = '<?php echo(($GLOBALS['cfg']['Confirm']) ? str_replace('\'', '\\\'', $GLOBALS['strDropDatabaseStrongWarning']) : ''); ?>'; var confirmMsgDropDB = '<?php echo(($GLOBALS['cfg']['Confirm']) ? str_replace('\'', '\\\'', $GLOBALS['strDropDatabaseStrongWarning']) : ''); ?>';
//--> //-->
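Review bot: The new `noDropDbMsg` condition reads `$is_superuser` as a bare variable while the same expression reaches the config through `$GLOBALS['cfg']`; should header.inc.php ever be included from inside a function scope, the bare name is undefined there, which emits a notice and, because `!null` is true, silently selects the restricted message. Reading both the same way, `(!$GLOBALS['is_superuser'] && !$GLOBALS['cfg']['AllowUserDropDatabase'])`, keeps the lookups consistent; the identical expression this commit adds to querywindow.php has the same shape. Whether `$is_superuser` is always assigned before this header runs is not visible in the hunk.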


@@ -68,7 +68,7 @@ function PMA_detectCompression($filepath)
*/ */
function PMA_importRunQuery($sql = '', $full = '') function PMA_importRunQuery($sql = '', $full = '')
{ {
global $import_run_buffer, $go_sql, $complete_query, $display_query, $sql_query, $cfg, $my_die, $error, $reload, $finished, $timeout_passed, $skip_queries, $executed_queries, $max_sql_len, $read_multiply, $cfg, $sql_query_disabled, $db, $run_query, $is_superuser; global $import_run_buffer, $go_sql, $complete_query, $display_query, $sql_query, $cfg, $my_die, $error, $reload, $finished, $timeout_passed, $skip_queries, $executed_queries, $max_sql_len, $read_multiply, $cfg, $sql_query_disabled, $db, $run_query, $is_superuser, $message, $show_error_header;
$read_multiply = 1; $read_multiply = 1;
if (isset($import_run_buffer)) { if (isset($import_run_buffer)) {
// Should we skip something? // Should we skip something?
@@ -76,75 +76,75 @@ function PMA_importRunQuery($sql = '', $full = '')
$skip_queries--; $skip_queries--;
} else { } else {
if (!empty($import_run_buffer['sql']) && trim($import_run_buffer['sql']) != '') { if (!empty($import_run_buffer['sql']) && trim($import_run_buffer['sql']) != '') {
if (!$cfg['AllowUserDropDatabase']
&& !$is_superuser
&& preg_match('@DROP[[:space:]]+(IF EXISTS[[:space:]]+)?DATABASE @i', $import_run_buffer['sql'])) {
$message = $GLOBALS['strNoDropDatabases'];
$show_error_header = TRUE;
$error = TRUE;
return;
}
$max_sql_len = max($max_sql_len, strlen($import_run_buffer['sql'])); $max_sql_len = max($max_sql_len, strlen($import_run_buffer['sql']));
if (!$sql_query_disabled) { if (!$sql_query_disabled) {
$sql_query .= $import_run_buffer['full']; $sql_query .= $import_run_buffer['full'];
} }
$executed_queries++; if (!$cfg['AllowUserDropDatabase']
if ($run_query && $finished && empty($sql) && !$error && ( && !$is_superuser
(!empty($import_run_buffer['sql']) && preg_match('/^[\s]*(SELECT|SHOW)/i', $import_run_buffer['sql'])) || && preg_match('@^[[:space:]]*DROP[[:space:]]+(IF EXISTS[[:space:]]+)?DATABASE @i', $import_run_buffer['sql'])) {
($executed_queries == 1) $message = $GLOBALS['strNoDropDatabases'];
)) { $show_error_header = TRUE;
$go_sql = TRUE; $error = TRUE;
if (!$sql_query_disabled) { } else {
$complete_query = $sql_query; $executed_queries++;
$display_query = $sql_query; if ($run_query && $finished && empty($sql) && !$error && (
} else { (!empty($import_run_buffer['sql']) && preg_match('/^[\s]*(SELECT|SHOW)/i', $import_run_buffer['sql'])) ||
$complete_query = ''; ($executed_queries == 1)
$display_query = ''; )) {
} $go_sql = TRUE;
$sql_query = $import_run_buffer['sql']; if (!$sql_query_disabled) {
} elseif ($run_query) { $complete_query = $sql_query;
$result = PMA_DBI_try_query($import_run_buffer['sql']); $display_query = $sql_query;
$msg = '# ';
if ($result === FALSE) { // execution failed
if (!isset($my_die)) {
$my_die = array();
}
$my_die[] = array('sql' => $import_run_buffer['full'], 'error' => PMA_DBI_getError());
if ($cfg['VerboseMultiSubmit']) {
$msg .= $GLOBALS['strError'];
}
if (!$cfg['IgnoreMultiSubmitErrors']) {
$error = TRUE;
return;
}
} elseif ($cfg['VerboseMultiSubmit']) {
$a_num_rows = (int)@PMA_DBI_num_rows($result);
$a_aff_rows = (int)@PMA_DBI_affected_rows();
if ($a_num_rows > 0) {
$msg .= $GLOBALS['strRows'] . ': ' . $a_num_rows;
} elseif ($a_aff_rows > 0) {
$a_rows =
$msg .= $GLOBALS['strAffectedRows'] . ' ' . $a_aff_rows;
} else { } else {
$msg .= $GLOBALS['strEmptyResultSet']; $complete_query = '';
$display_query = '';
} }
} $sql_query = $import_run_buffer['sql'];
if (!$sql_query_disabled) { } elseif ($run_query) {
$sql_query .= $msg . "\n"; $result = PMA_DBI_try_query($import_run_buffer['sql']);
} $msg = '# ';
if ($result === FALSE) { // execution failed
if (!isset($my_die)) {
$my_die = array();
}
$my_die[] = array('sql' => $import_run_buffer['full'], 'error' => PMA_DBI_getError());
// If a 'USE <db>' SQL-clause was found and the query succeeded, set our current $db to the new one if ($cfg['VerboseMultiSubmit']) {
if ($result != FALSE && preg_match('@^[\s]*USE[[:space:]]*([\S]+)@i', $import_run_buffer['sql'], $match)) { $msg .= $GLOBALS['strError'];
$db = trim($match[1]); }
$reload = TRUE;
}
if ($result != FALSE && preg_match('@^[\s]*(DROP|CREATE)[\s]+(IF EXISTS[[:space:]]+)?(TABLE|DATABASE)[[:space:]]+(.+)@im', $import_run_buffer['sql'])) { if (!$cfg['IgnoreMultiSubmitErrors']) {
$reload = TRUE; $error = TRUE;
} return;
} // end run query }
} elseif ($cfg['VerboseMultiSubmit']) {
$a_num_rows = (int)@PMA_DBI_num_rows($result);
$a_aff_rows = (int)@PMA_DBI_affected_rows();
if ($a_num_rows > 0) {
$msg .= $GLOBALS['strRows'] . ': ' . $a_num_rows;
} elseif ($a_aff_rows > 0) {
$a_rows =
$msg .= $GLOBALS['strAffectedRows'] . ' ' . $a_aff_rows;
} else {
$msg .= $GLOBALS['strEmptyResultSet'];
}
}
if (!$sql_query_disabled) {
$sql_query .= $msg . "\n";
}
// If a 'USE <db>' SQL-clause was found and the query succeeded, set our current $db to the new one
if ($result != FALSE && preg_match('@^[\s]*USE[[:space:]]*([\S]+)@i', $import_run_buffer['sql'], $match)) {
$db = trim($match[1]);
$reload = TRUE;
}
if ($result != FALSE && preg_match('@^[\s]*(DROP|CREATE)[\s]+(IF EXISTS[[:space:]]+)?(TABLE|DATABASE)[[:space:]]+(.+)@im', $import_run_buffer['sql'])) {
$reload = TRUE;
}
} // end run query
} // end if not DROP DATABASE
} // end non empty query } // end non empty query
elseif (!empty($import_run_buffer['full'])) { elseif (!empty($import_run_buffer['full'])) {
if ($go_sql) { if ($go_sql) {
@@ -172,7 +172,7 @@ function PMA_importRunQuery($sql = '', $full = '')
} }
} // end do query (no skip) } // end do query (no skip)
} // end buffer exists } // end buffer exists
// Do we have something to push into buffer? // Do we have something to push into buffer?
if (!empty($sql) || !empty($full)) { if (!empty($sql) || !empty($full)) {
$import_run_buffer = array('sql' => $sql, 'full' => $full); $import_run_buffer = array('sql' => $sql, 'full' => $full);
@@ -193,7 +193,7 @@ function PMA_importRunQuery($sql = '', $full = '')
function PMA_importGetNextChunk($size = 32768) function PMA_importGetNextChunk($size = 32768)
{ {
global $import_file, $import_text, $finished, $compression, $import_handle, $offset, $charset_conversion, $charset_of_file, $charset, $read_multiply, $read_limit; global $import_file, $import_text, $finished, $compression, $import_handle, $offset, $charset_conversion, $charset_of_file, $charset, $read_multiply, $read_limit;
// Add some progression while reading large amount of data // Add some progression while reading large amount of data
if ($read_multiply <= 8) { if ($read_multiply <= 8) {
$size *= $read_multiply; $size *= $read_multiply;
@@ -226,7 +226,7 @@ function PMA_importGetNextChunk($size = 32768)
return $r; return $r;
} }
} }
switch ($compression) { switch ($compression) {
case 'application/bzip2': case 'application/bzip2':
$result = bzread($import_handle, $size); $result = bzread($import_handle, $size);
@@ -247,7 +247,7 @@ function PMA_importGetNextChunk($size = 32768)
break; break;
} }
$offset += $size; $offset += $size;
if ($charset_conversion) { if ($charset_conversion) {
return PMA_convert_string($charset_of_file, $charset, $result); return PMA_convert_string($charset_of_file, $charset, $result);
} else { } else {
@@ -264,7 +264,7 @@ function PMA_importGetNextChunk($size = 32768)
$result = substr($result, 2); $result = substr($result, 2);
} }
} }
return $result; return $result;
} }
} }
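Review bot: The relocated server-side pattern in PMA_importRunQuery, `@^[[:space:]]*DROP[[:space:]]+(IF EXISTS[[:space:]]+)?DATABASE @i`, is narrower than the JavaScript pattern this commit adds in js/functions.js: it requires exactly one space inside `IF EXISTS` and a literal space after `DATABASE`, whereas the client accepts any whitespace in both places, so a statement the client warns about can reach this check unmatched and this is the side that actually sets `$error`. Aligning it reads `preg_match('@^[[:space:]]*DROP[[:space:]]+(IF[[:space:]]+EXISTS[[:space:]]+)?DATABASE[[:space:]]+@i', $import_run_buffer['sql'])`. Note also that the old branch returned immediately while the new one sets `$error = TRUE` and falls through to the "Do we have something to push into buffer?" block at the end of the function, so the next statement is still buffered; whether the caller stops on `$error` is not visible here. PMA_importRunQuery's body begins and continues outside this hunk.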


@@ -69,7 +69,7 @@ function query_tab_commit(tab) {
/**/ /**/
var errorMsg0 = '<?php echo str_replace('\'', '\\\'', $GLOBALS['strFormEmpty']); ?>'; var errorMsg0 = '<?php echo str_replace('\'', '\\\'', $GLOBALS['strFormEmpty']); ?>';
var errorMsg1 = '<?php echo str_replace('\'', '\\\'', $GLOBALS['strNotNumber']); ?>'; var errorMsg1 = '<?php echo str_replace('\'', '\\\'', $GLOBALS['strNotNumber']); ?>';
var noDropDbMsg = '<?php echo !$GLOBALS['cfg']['AllowUserDropDatabase'] var noDropDbMsg = '<?php echo (!$is_superuser && !$GLOBALS['cfg']['AllowUserDropDatabase'])
? str_replace('\'', '\\\'', $GLOBALS['strNoDropDatabases']) : ''; ?>'; ? str_replace('\'', '\\\'', $GLOBALS['strNoDropDatabases']) : ''; ?>';
var confirmMsg = '<?php echo $GLOBALS['cfg']['Confirm'] var confirmMsg = '<?php echo $GLOBALS['cfg']['Confirm']
? str_replace('\'', '\\\'', $GLOBALS['strDoYouReally']) : ''; ?>'; ? str_replace('\'', '\\\'', $GLOBALS['strDoYouReally']) : ''; ?>';