path disclosure

2003-07-19 10:43:59 +00:00
parent ca08adc0ac
commit c83c4d06a1
4 changed files with 46 additions and 3 deletions
--- a/db_create.php3
+++ b/db_create.php3
@@ -10,6 +10,11 @@ require('./libraries/grab_globals.lib.php3');
 $js_to_run = 'functions.js';
 require('./header.inc.php3');

+if (!defined('PMA_COMMON_LIB_INCLUDED')) {
+    include('./libraries/common.lib.php3');
+}
+
+PMA_checkParameters(array('db'));

 /**
 * Defines the url to return to in case of error in a sql statement
--- a/db_details_common.php3
+++ b/db_details_common.php3
@@ -15,6 +15,7 @@ if (!defined('PMA_BOOKMARK_LIB_INCLUDED')) {
    include('./libraries/bookmark.lib.php3');
 }

+PMA_checkParameters(array('db'));

 /**
 * Defines the urls to return to in case of error in a sql statement
--- a/libraries/common.lib.php3
+++ b/libraries/common.lib.php3
@@ -2,14 +2,11 @@
 /* $Id$ */
 // vim: expandtab sw=4 ts=4 sts=4:

-error_reporting(E_ALL);
 /**
 * Misc stuff and functions used by almost all the scripts.
 * Among other things, it contains the advanced authentification work.
 */

-
-
 if (!defined('PMA_COMMON_LIB_INCLUDED')) {
    define('PMA_COMMON_LIB_INCLUDED', 1);

@@ -1873,6 +1870,44 @@ h1    {font-family: sans-serif; font-size: large; font-weight: bold}
            return $format_string;
        }

+
+        /**
+         * Function added to avoid path disclosures.
+         * Called by each script that needs parameters, it displays
+         * an error message and, by defaults, stops the execution. 
+         *
+         * @param   array   The names of the parameters needed by the calling
+         *                  script.
+         * @param   boolean Stop the execution?
+         *                  (Set this manually to FALSE in the calling script
+         *                   until you know all needed parameters to check).
+         *
+         * @access  public
+         * @author  Marc Delisle (lem9@users.sourceforge.net)
+         */
+        function PMA_checkParameters($params, $die = TRUE) {
+            global $PHP_SELF;
+
+            $reported_script_name = basename($PHP_SELF);
+            $found_error = FALSE;
+            $error_message = '';
+
+            while (list(, $param) = each($params)) {
+                if (!isset($GLOBALS[$param])) {
+                    $error_message .= $reported_script_name . ': Missing ' . $param . '<br />';
+                    $found_error = TRUE;
+                }
+            }
+            if ($found_error) {
+                include('./libraries/header_meta_style.inc.php3');
+                echo '</head><body><p>' . $error_message . '</p></body></html>';
+                if ($die) {
+                    exit();
+                }
+            }
+        } // end function
+
+
        // Kanji encoding convert feature appended by Y.Kawada (2002/2/20)
        if (PMA_PHP_INT_VERSION >= 40006
            && @function_exists('mb_convert_encoding')
--- a/sql.php3
+++ b/sql.php3
@@ -8,6 +8,8 @@
 require('./libraries/grab_globals.lib.php3');
 require('./libraries/common.lib.php3');

+PMA_checkParameters(array('sql_query', 'db'));
+
 /**
 * Defines the url to return to in case of error in a sql statement
 */