nettika/phpmyadmin
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fixed transformation system now accepting '.php3' files and using the '.php' pendants. Make use of 's' RegEx pattern modifier. Fixed small (but impacting) typo.

Browse Source
This commit is contained in:
Garvin Hicking
2003-11-25 20:30:12 +00:00
parent 8d1bfe6f3b
commit ca7836a684
12 changed files with 59 additions and 27 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
ChangeLog
View File

@@ -5,7 +5,7 @@ phpMyAdmin - Changelog
$Id$ $Id$
$Source$ $Source$
2003-11-24 Garvin Hicking <phpmyadminismyaeroplane@supergarv.de> 2003-11-25 Garvin Hicking <phpmyadminismyaeroplane@supergarv.de>
* db_details_qbe.php, left.php, main.php, pdf_pages.php, server_collations.php, * db_details_qbe.php, left.php, main.php, pdf_pages.php, server_collations.php,
tbl_change.php, tbl_indexes.php, tbl_move_copy.php, tbl_relation.php, tbl_change.php, tbl_indexes.php, tbl_move_copy.php, tbl_relation.php,
tbl_replace.php, libraries/common.lib.php, libraries/db_config.lib.php, tbl_replace.php, libraries/common.lib.php, libraries/db_config.lib.php,
@@ -15,7 +15,15 @@ $Source$
Reverted some obfuscated regular expressions to their working eregi-versions Reverted some obfuscated regular expressions to their working eregi-versions
to not break stuff. Removed unneccessary reset() calls, replaced some more to not break stuff. Removed unneccessary reset() calls, replaced some more
while(list()) constructs. while(list()) constructs.
* libraries/transformations/overview.php, libraries/transformations/global.inc.php,
libraries/common.lib.php, libraries/display_tbl.lib.php,
libraries/transformations.lib.php3, user_password.php, tbl_change.php, sql.php,
ldi_check.php, tbl_properties.inc.php, db_details_importdocsql.php:
- When stored transformations have '.php3' ending, automagically assume '.php' now.
- Use 's' RegEx Pattern modifier for certain situations where '.' should also include
linebreaks.
2003-11-24 Alexander M. Turek <bloodsugarsexmagik@derrabus.de> 2003-11-24 Alexander M. Turek <bloodsugarsexmagik@derrabus.de>
* lang/german-*.inc.php: Updates. * lang/german-*.inc.php: Updates.
* lang/english-*.inc.php: Sortation. * lang/english-*.inc.php: Sortation.

2
db_details_importdocsql.php
View File

@@ -47,7 +47,7 @@ if (isset($cfg['docSQLDir']) && !empty($cfg['docSQLDir'])) {
global $GLOBALS; global $GLOBALS;
if (preg_match('@^(.*)_field_comment\.(txt|zip|bz2|bzip).*$@i', $filename)) { if (preg_match('@^(.*)_field_comment\.(txt|zip|bz2|bzip).*$@i', $filename)) {
$tab = preg_replace('@^(.*)_field_comment\.(txt|zip|bz2|bzip).*@i', '\1', $filename); $tab = preg_replace('@^(.*)_field_comment\.(txt|zip|bz2|bzip).*@si', '\1', $filename);
//echo '<h1>Working on Table ' . $_tab . '</h1>'; //echo '<h1>Working on Table ' . $_tab . '</h1>';
if ($content == 'none') { if ($content == 'none') {
$lines = array(); $lines = array();

2
ldi_check.php
View File

@@ -48,7 +48,7 @@ if (isset($btnLDI) && isset($local_textfile) && $local_textfile != '') {
if (substr($cfg['UploadDir'], -1) != '/') { if (substr($cfg['UploadDir'], -1) != '/') {
$cfg['UploadDir'] .= '/'; $cfg['UploadDir'] .= '/';
} }
$textfile = $DOCUMENT_ROOT . dirname($PHP_SELF) . '/' . preg_replace('@^./@', '', $cfg['UploadDir']) . preg_replace('@\.\.*@', '.', $local_textfile); $textfile = $DOCUMENT_ROOT . dirname($PHP_SELF) . '/' . preg_replace('@^./@s', '', $cfg['UploadDir']) . preg_replace('@\.\.*@', '.', $local_textfile);
if (file_exists($textfile)) { if (file_exists($textfile)) {
$open_basedir = @ini_get('open_basedir'); $open_basedir = @ini_get('open_basedir');

4
libraries/common.lib.php
View File

@@ -1799,8 +1799,8 @@ h1 {font-family: sans-serif; font-size: large; font-weight: bold}
} // end while } // end while
if (stristr($message, '<img')) { if (stristr($message, '<img')) {
$link_or_button .= ' <input type="image" src="' . preg_replace('@^.*src="(.*)".*$@i', '\1', $message) . '" value="' $link_or_button .= ' <input type="image" src="' . preg_replace('@^.*src="(.*)".*$@si', '\1', $message) . '" value="'
. htmlspecialchars(preg_replace('@^.*alt="(.*)".*$@i', '\1', $message)) . '" />' . "\n" . '</form>' . "\n"; . htmlspecialchars(preg_replace('@^.*alt="(.*)".*$@si', '\1', $message)) . '" />' . "\n" . '</form>' . "\n";
} else { } else {
$link_or_button .= ' <input type="submit" value="' $link_or_button .= ' <input type="submit" value="'
. htmlspecialchars($message) . '" />' . "\n" . '</form>' . "\n"; . htmlspecialchars($message) . '" />' . "\n" . '</form>' . "\n";

18
libraries/display_tbl.lib.php
View File

@@ -460,22 +460,22 @@ if (!defined('PMA_DISPLAY_TBL_LIB_INCLUDED')) {
// Defines the url used to append/modify a sorting order // Defines the url used to append/modify a sorting order
// Nijel: This was originally done inside loop below, but I see // Nijel: This was originally done inside loop below, but I see
// no reason to do this for each column. // no reason to do this for each column.
if (preg_match('@(.*)([[:space:]]ORDER[[:space:]]*BY[[:space:]](.*))@i', $sql_query, $regs1)) { if (preg_match('@(.*)([[:space:]]ORDER[[:space:]]*BY[[:space:]](.*))@si', $sql_query, $regs1)) {
if (preg_match('@((.*)([[:space:]]ASC|[[:space:]]DESC)([[:space:]]|$))(.*)@i', $regs1[2], $regs2)) { if (preg_match('@((.*)([[:space:]]ASC|[[:space:]]DESC)([[:space:]]|$))(.*)@si', $regs1[2], $regs2)) {
$unsorted_sql_query = trim($regs1[1] . ' ' . $regs2[5]); $unsorted_sql_query = trim($regs1[1] . ' ' . $regs2[5]);
$sql_order = trim($regs2[1]); $sql_order = trim($regs2[1]);
preg_match('@(ORDER[[:space:]]*BY[[:space:]]*)(.*)([[:space:]]*ASC|[[:space:]]*DESC)@i',$sql_order,$after_order); preg_match('@(ORDER[[:space:]]*BY[[:space:]]*)(.*)([[:space:]]*ASC|[[:space:]]*DESC)@si',$sql_order,$after_order);
$sort_expression = trim($after_order[2]); $sort_expression = trim($after_order[2]);
} }
else if (preg_match('@((.*))[[:space:]]+(LIMIT (.*)|PROCEDURE (.*)|FOR UPDATE|LOCK IN SHARE MODE)@i', $regs1[2], $regs3)) { else if (preg_match('@((.*))[[:space:]]+(LIMIT (.*)|PROCEDURE (.*)|FOR UPDATE|LOCK IN SHARE MODE)@si', $regs1[2], $regs3)) {
$unsorted_sql_query = trim($regs1[1] . ' ' . $regs3[3]); $unsorted_sql_query = trim($regs1[1] . ' ' . $regs3[3]);
$sql_order = trim($regs3[1]) . ' ASC'; $sql_order = trim($regs3[1]) . ' ASC';
preg_match('@(ORDER[[:space:]]*BY[[:space:]]*)(.*)([[:space:]]*ASC|[[:space:]]*DESC)@i',$sql_order,$after_order); preg_match('@(ORDER[[:space:]]*BY[[:space:]]*)(.*)([[:space:]]*ASC|[[:space:]]*DESC)@si',$sql_order,$after_order);
$sort_expression = trim($after_order[2]); $sort_expression = trim($after_order[2]);
} else { } else {
$unsorted_sql_query = trim($regs1[1]); $unsorted_sql_query = trim($regs1[1]);
$sql_order = trim($regs1[2]) . ' ASC'; $sql_order = trim($regs1[2]) . ' ASC';
preg_match('@(ORDER[[:space:]]*BY[[:space:]]*)(.*)([[:space:]]*ASC|[[:space:]]*DESC)@i',$sql_order,$after_order); preg_match('@(ORDER[[:space:]]*BY[[:space:]]*)(.*)([[:space:]]*ASC|[[:space:]]*DESC)@si',$sql_order,$after_order);
$sort_expression = trim($after_order[2]); $sort_expression = trim($after_order[2]);
} }
} else { } else {
@@ -1237,10 +1237,10 @@ if (!defined('PMA_DISPLAY_TBL_LIB_INCLUDED')) {
if ($GLOBALS['cfgRelation']['mimework'] && $GLOBALS['cfg']['BrowseMIME']) { if ($GLOBALS['cfgRelation']['mimework'] && $GLOBALS['cfg']['BrowseMIME']) {
if (isset($GLOBALS['mime_map'][$meta->name]['mimetype']) && isset($GLOBALS['mime_map'][$meta->name]['transformation']) && !empty($GLOBALS['mime_map'][$meta->name]['transformation'])) { if (isset($GLOBALS['mime_map'][$meta->name]['mimetype']) && isset($GLOBALS['mime_map'][$meta->name]['transformation']) && !empty($GLOBALS['mime_map'][$meta->name]['transformation'])) {
// garvin: for security, never allow to break out from transformations directory $include_file = PMA_sanitizeTransformationFile($GLOBALS['mime_map'][$meta->name]['transformation']);
$include_file = preg_replace('@\.\.*@', '.', $GLOBALS['mime_map'][$meta->name]['transformation']);
if (file_exists('./libraries/transformations/' . $include_file)) { if (file_exists('./libraries/transformations/' . $include_file)) {
$transformfunction_name = str_replace('.inc.php', '', $GLOBALS['mime_map'][$meta->name]['transformation']); $transformfunction_name = preg_replace('@(\.inc\.php3?)$@i', '', $GLOBALS['mime_map'][$meta->name]['transformation']);
include('./libraries/transformations/' . $include_file); include('./libraries/transformations/' . $include_file);

32
libraries/transformations.lib.php
View File

@@ -49,9 +49,9 @@ if (!defined('PMA_TRANSFORMATION_LIB_INCLUDED')){
@ksort($filestack); @ksort($filestack);
foreach($filestack AS $key => $file) { foreach($filestack AS $key => $file) {
if (preg_match('|^.*__.*\.inc\.php$|', trim($file))) { if (preg_match('|^.*__.*\.inc\.php(3?)$|', trim($file), $match)) {
// File contains transformation functions. // File contains transformation functions.
$base = explode('__', str_replace('.inc.php', '', $file)); $base = explode('__', str_replace('.inc.php' . $match[1], '', $file));
$mimetype = str_replace('_', '/', $base[0]); $mimetype = str_replace('_', '/', $base[0]);
$stack['mimetype'][$mimetype] = $mimetype; $stack['mimetype'][$mimetype] = $mimetype;
@@ -59,9 +59,9 @@ if (!defined('PMA_TRANSFORMATION_LIB_INCLUDED')){
$stack['transformation'][] = $mimetype . ': ' . $base[1]; $stack['transformation'][] = $mimetype . ': ' . $base[1];
$stack['transformation_file'][] = $file; $stack['transformation_file'][] = $file;
} else if (preg_match('|^.*\.inc\.php$|', trim($file))) { } else if (preg_match('|^.*\.inc\.php(3?)$|', trim($file), $match)) {
// File is a plain mimetype, no functions. // File is a plain mimetype, no functions.
$base = str_replace('.inc.php', '', $file); $base = str_replace('.inc.php' . $match[1], '', $file);
if ($base != 'global') { if ($base != 'global') {
$mimetype = str_replace('_', '/', $base); $mimetype = str_replace('_', '/', $base);
@@ -177,5 +177,29 @@ if (!defined('PMA_TRANSFORMATION_LIB_INCLUDED')){
return false; return false;
} }
} // end of 'PMA_setMIME()' function } // end of 'PMA_setMIME()' function
/**
* Returns the real filename of a configured transformation
*
* @param string the current filename
*
* @return string the new filename
*
* @access public
*/
function PMA_sanitizeTransformationFile(&$filename) {
// garvin: for security, never allow to break out from transformations directory
$include_file = preg_replace('@\.\.*@', '.', $filename);
// This value can also contain a 'php3' value, in which case we map this filename to our new 'php' variant
$testfile = preg_replace('@\.inc\.php3$@', '.inc.php', $include_file);
if ($include_file{strlen($include_file)-1} == '3' && file_exists('./libraries/transformations/' . $testfile)) {
$include_file = $testfile;
$filename = $testfile; // Corrects the referenced variable for further actions on the filename;
}
return $include_file;
} // end of 'PMA_sanitizeTransformationFile()' function
} // $__PMA_TRANSFORMATION_LIB__ } // $__PMA_TRANSFORMATION_LIB__
?> ?>

2
libraries/transformations/global.inc.php
View File

@@ -40,7 +40,7 @@ if (!defined('PMA_TRANSFORMATION_LIB_GLOBAL')){
} }
if (isset($options['regex']) && isset($options['regex_replace'])) { if (isset($options['regex']) && isset($options['regex_replace'])) {
$buffer = preg_replace('@' . str_replace('@', '\@', $options['regex']) . '@i', $options['regex_replace'], $buffer); $buffer = preg_replace('@' . str_replace('@', '\@', $options['regex']) . '@si', $options['regex_replace'], $buffer);
} }
// Replace occurences of [__BUFFER__] with actual text // Replace occurences of [__BUFFER__] with actual text

2
libraries/transformations/overview.php
View File

@@ -62,7 +62,7 @@ foreach($types['mimetype'] AS $key => $mimetype) {
$i = 0; $i = 0;
foreach($types['transformation'] AS $key => $transform) { foreach($types['transformation'] AS $key => $transform) {
$i++; $i++;
$func = strtolower(str_replace('.inc.php', '', $types['transformation_file'][$key])); $func = strtolower(preg_replace('@(\.inc\.php3?)$@i', '', $types['transformation_file'][$key]));
$desc = 'strTransformation_' . $func; $desc = 'strTransformation_' . $func;
?> ?>
<tr bgcolor="<?php echo ($i % 2 ? $cfg['BgcolorOne'] : $cfg['BgcolorTwo']); ?>"> <tr bgcolor="<?php echo ($i % 2 ? $cfg['BgcolorOne'] : $cfg['BgcolorTwo']); ?>">

2
sql.php
View File

@@ -14,7 +14,7 @@ require('./libraries/common.lib.php');
*/ */
// Security checkings // Security checkings
if (!empty($goto)) { if (!empty($goto)) {
$is_gotofile = preg_replace('@^([^?]+).*$@', '\\1', $goto); $is_gotofile = preg_replace('@^([^?]+).*$@s', '\\1', $goto);
if (!@file_exists('./' . $is_gotofile)) { if (!@file_exists('./' . $is_gotofile)) {
unset($goto); unset($goto);
} else { } else {

4
tbl_change.php
View File

@@ -220,7 +220,7 @@ for ($i = 0; $i < $fields_cnt; $i++) {
echo "\n"; echo "\n";
$row_table_def = PMA_mysql_fetch_array($table_def); $row_table_def = PMA_mysql_fetch_array($table_def);
$row_table_def['True_Type'] = preg_replace('@\(.*@', '', $row_table_def['Type']); $row_table_def['True_Type'] = preg_replace('@\(.*@s', '', $row_table_def['Type']);
$field = $row_table_def['Field']; $field = $row_table_def['Field'];
@@ -266,7 +266,7 @@ for ($i = 0; $i < $fields_cnt; $i++) {
// The type column // The type column
$is_binary = stristr($row_table_def['Type'], ' binary'); $is_binary = stristr($row_table_def['Type'], ' binary');
$is_blob = stristr($row_table_def['Type'], 'blob'); $is_blob = stristr($row_table_def['Type'], 'blob');
$is_char = stristr($row_table_def['Type'], 'car'); $is_char = stristr($row_table_def['Type'], 'char');
switch ($row_table_def['True_Type']) { switch ($row_table_def['True_Type']) {
case 'set': case 'set':
$type = 'set'; $type = 'set';

6
tbl_properties.inc.php
View File

@@ -404,10 +404,10 @@ for ($i = 0 ; $i < $num_fields; $i++) {
$content_cells[$i][$ci] .= ' <option value="" title="' . $strNone . '"></option>' . "\n"; $content_cells[$i][$ci] .= ' <option value="" title="' . $strNone . '"></option>' . "\n";
if (is_array($available_mime['transformation'])) { if (is_array($available_mime['transformation'])) {
foreach($available_mime['transformation'] AS $mimekey => $transform) { foreach($available_mime['transformation'] AS $mimekey => $transform) {
$checked = (isset($row) && isset($row['Field']) && isset($mime_map[$row['Field']]['transformation']) && ($mime_map[$row['Field']]['transformation'] == $available_mime['transformation_file'][$mimekey]) ? 'selected ' : ''); $checked = (isset($row) && isset($row['Field']) && isset($mime_map[$row['Field']]['transformation']) && (preg_match('@' . preg_quote($available_mime['transformation_file'][$mimekey]) . '3?@i', $mime_map[$row['Field']]['transformation'])) ? 'selected ' : '');
$tooltip = 'strTransformation_' . strtolower(str_replace('.inc.php', '', $available_mime['transformation_file'][$mimekey])); $tooltip = 'strTransformation_' . strtolower(preg_replace('@(\.inc\.php3?)$@', '', $available_mime['transformation_file'][$mimekey]));
$tooltip = isset($$tooltip) ? $$tooltip : sprintf(str_replace('<br />', ' ', $strMIME_nodescription), 'PMA_transformation_' . $tooltip . '()'); $tooltip = isset($$tooltip) ? $$tooltip : sprintf(str_replace('<br />', ' ', $strMIME_nodescription), 'PMA_transformation_' . $tooltip . '()');
$content_cells[$i][$ci] .= '<option value="' . $available_mime['transformation_file'][$mimekey] . '" ' . $checked . ' title="' . $tooltip . '">' . htmlspecialchars($transform) . '</option>' . "\n"; $content_cells[$i][$ci] .= '<option value="' . $available_mime['transformation_file'][$mimekey] . '" ' . $checked . ' title="' . htmlspecialchars($tooltip) . '">' . htmlspecialchars($transform) . '</option>' . "\n";
} }
} }

2
user_password.php
View File

@@ -49,7 +49,7 @@ if (isset($nopass)) {
$err_url = 'user_password.php?' . $common_url_query; $err_url = 'user_password.php?' . $common_url_query;
$sql_query = 'SET password = ' . (($pma_pw == '') ? '\'\'' : 'PASSWORD(\'' . preg_replace('@.@', '*', $pma_pw) . '\')'); $sql_query = 'SET password = ' . (($pma_pw == '') ? '\'\'' : 'PASSWORD(\'' . preg_replace('@.@s', '*', $pma_pw) . '\')');
$local_query = 'SET password = ' . (($pma_pw == '') ? '\'\'' : 'PASSWORD(\'' . PMA_sqlAddslashes($pma_pw) . '\')'); $local_query = 'SET password = ' . (($pma_pw == '') ? '\'\'' : 'PASSWORD(\'' . PMA_sqlAddslashes($pma_pw) . '\')');
$result = @PMA_mysql_query($local_query) or PMA_mysqlDie('', '', FALSE, $err_url); $result = @PMA_mysql_query($local_query) or PMA_mysqlDie('', '', FALSE, $err_url);