From c83c4d06a14458cf9c49c84d607391a4b05e235f Mon Sep 17 00:00:00 2001
From: Marc Delisle
Date: Sat, 19 Jul 2003 10:43:59 +0000
Subject: [PATCH] path disclosure
---
db_create.php3 | 5 +++++
db_details_common.php3 | 1 +
libraries/common.lib.php3 | 41 ++++++++++++++++++++++++++++++++++++---
sql.php3 | 2 ++
4 files changed, 46 insertions(+), 3 deletions(-)
diff --git a/db_create.php3 b/db_create.php3
index df98837e4..c9ec99c89 100755
--- a/db_create.php3
+++ b/db_create.php3
@@ -10,6 +10,11 @@ require('./libraries/grab_globals.lib.php3');
 $js_to_run = 'functions.js';
 require('./header.inc.php3');
+if (!defined('PMA_COMMON_LIB_INCLUDED')) {
+ include('./libraries/common.lib.php3');
+}
+
+PMA_checkParameters(array('db'));
 /**
 * Defines the url to return to in case of error in a sql statement
diff --git a/db_details_common.php3 b/db_details_common.php3
index 5cdbb1ba8..d850e4a04 100644
--- a/db_details_common.php3
+++ b/db_details_common.php3
@@ -15,6 +15,7 @@ if (!defined('PMA_BOOKMARK_LIB_INCLUDED')) {
 include('./libraries/bookmark.lib.php3');
 }
+PMA_checkParameters(array('db'));
 /**
 * Defines the urls to return to in case of error in a sql statement
diff --git a/libraries/common.lib.php3 b/libraries/common.lib.php3
index f4758adf9..b3c7fc952 100644
--- a/libraries/common.lib.php3
+++ b/libraries/common.lib.php3
@@ -2,14 +2,11 @@
 /* $Id$ */
 // vim: expandtab sw=4 ts=4 sts=4:
-error_reporting(E_ALL);
 /**
 * Misc stuff and functions used by almost all the scripts.
 * Among other things, it contains the advanced authentification work.
 */
-
-
 if (!defined('PMA_COMMON_LIB_INCLUDED')) {
 define('PMA_COMMON_LIB_INCLUDED', 1);
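Review bot: `PMA_checkParameters(array('db'));` runs after `require('./header.inc.php3');` has already started the page, while the helper itself includes header_meta_style.inc.php3 and prints its message, so a request without `db` would get a second head block in the response; the sql.php3 hunk places the same call before any output. Reordering to `if (!defined('PMA_COMMON_LIB_INCLUDED')) { include('./libraries/common.lib.php3'); }` / `PMA_checkParameters(array('db'));` / `require('./header.inc.php3');` avoids that, provided header.inc.php3 does not itself depend on $db, which this hunk does not show. The db_details_common.php3 hunk raises the same ordering question; whether its header has already been sent lies outside that hunk.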
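Review bot: Dropping `error_reporting(E_ALL);` from common.lib.php3 silences notices for every script that includes the library, which hides the path-revealing notice text but also hides genuine undefined-variable bugs that the new PMA_checkParameters() does not cover. The path reaches the browser only because errors are displayed, so the narrower fix is to keep reporting and stop display, e.g. `error_reporting(E_ALL); ini_set('display_errors', '0');`, leaving the server log as the place where the message appears. If a lower level is really intended, `error_reporting(E_ALL & ~E_NOTICE);` at least keeps warnings and errors visible, and the reason should be stated in a comment next to it.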
@@ -1873,6 +1870,44 @@ h1 {font-family: sans-serif; font-size: large; font-weight: bold}
 return $format_string;
 }
+
+ /**
+ * Function added to avoid path disclosures.
+ * Called by each script that needs parameters, it displays
+ * an error message and, by defaults, stops the execution.
+ *
+ * @param array The names of the parameters needed by the calling
+ * script.
+ * @param boolean Stop the execution?
+ * (Set this manually to FALSE in the calling script
+ * until you know all needed parameters to check).
+ *
+ * @access public
+ * @author Marc Delisle (lem9@users.sourceforge.net)
+ */
+ function PMA_checkParameters($params, $die = TRUE) {
+ global $PHP_SELF;
+
+ $reported_script_name = basename($PHP_SELF);
+ $found_error = FALSE;
+ $error_message = '';
+
+ while (list(, $param) = each($params)) {
+ if (!isset($GLOBALS[$param])) {
+ $error_message .= $reported_script_name . ': Missing ' . $param . '
';
+ $found_error = TRUE;
+ }
+ }
+ if ($found_error) {
+ include('./libraries/header_meta_style.inc.php3');
+ echo '

' . $error_message . '

';
+ if ($die) {
+ exit();
+ }
+ }
+ } // end function
+
+
 // Kanji encoding convert feature appended by Y.Kawada (2002/2/20)
 if (PMA_PHP_INT_VERSION >= 40006 && @function_exists('mb_convert_encoding')
diff --git a/sql.php3 b/sql.php3
index d5dd3dffd..d3a5ea42a 100755
--- a/sql.php3
+++ b/sql.php3
@@ -8,6 +8,8 @@ require('./libraries/grab_globals.lib.php3');
 require('./libraries/common.lib.php3');
+PMA_checkParameters(array('sql_query', 'db'));
+
 /**
 * Defines the url to return to in case of error in a sql statement
 */
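Review bot: `$reported_script_name = basename($PHP_SELF);` is concatenated into $error_message and echoed into the error page unescaped; $PHP_SELF is derived from the request path (it can carry a path-info suffix), so its basename is request-influenced text and belongs through an escaper before output, `$reported_script_name = htmlspecialchars(basename($PHP_SELF));`. The surrounding echo markup is not recoverable from this rendering of the hunk, so the same escaping check applies to whatever else is interpolated there. Separately, `isset($GLOBALS[$param])` treats an empty string as present, which callers relying on this check should know; a docblock line such as `* Only presence (isset) is verified; empty values are accepted.` would make the contract explicit.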