nettika/phpmyadmin
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Better handle other URL separator than & (bug #1487365).

Browse Source
This commit is contained in:
Michal Čihař
2006-05-12 15:39:33 +00:00
parent 79f778db99
commit d90fbbf27c
3 changed files with 29 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
ChangeLog
View File

@@ -7,6 +7,8 @@ $Source$
2006-05-12 Michal Čihař <michal@cihar.com> 2006-05-12 Michal Čihař <michal@cihar.com>
* libraries/footer.inc.php: Escape user input to avoid XSS. * libraries/footer.inc.php: Escape user input to avoid XSS.
* libraries/common.lib.php, libraries/url_generating.lib.php: Better
handle other URL separator than & (bug #1487365).
2006-05-06 Michal Čihař <michal@cihar.com> 2006-05-06 Michal Čihař <michal@cihar.com>
* Documentation.html: Describe better regullar expressions in hide_db * Documentation.html: Describe better regullar expressions in hide_db

16
libraries/common.lib.php
View File

@@ -1088,16 +1088,7 @@ if (!defined('PMA_MINIMUM_COMMON')) {
if (strpos($uri, '?') === false) { if (strpos($uri, '?') === false) {
header('Location: ' . $uri . '?' . SID); header('Location: ' . $uri . '?' . SID);
} else { } else {
// use seperators defined by php, but prefer ';' $separator = PMA_get_arg_separator();
// as recommended by W3C
$php_arg_separator_input = ini_get('arg_separator.input');
if (strpos($php_arg_separator_input, ';') !== false) {
$separator = ';';
} elseif (strlen($php_arg_separator_input) > 0) {
$separator = $php_arg_separator_input{0};
} else {
$separator = '&';
}
header('Location: ' . $uri . $separator . SID); header('Location: ' . $uri . $separator . SID);
} }
} else { } else {
@@ -2060,9 +2051,10 @@ window.parent.updateTableTitle('<?php echo $uni_tbl; ?>', '<?php echo PMA_jsForm
if (empty($tag_params['class'])) { if (empty($tag_params['class'])) {
$tag_params['class'] = 'link'; $tag_params['class'] = 'link';
} }
$url = str_replace('&amp;', '&', $url); $separator = PMA_get_arg_separator();
$url = str_replace(htmlentities($separator), $separator, $url);
$url_parts = parse_url($url); $url_parts = parse_url($url);
$query_parts = explode('&', $url_parts['query']); $query_parts = explode($separator, $url_parts['query']);
if ($new_form) { if ($new_form) {
$ret = '<form action="' . $url_parts['path'] . '" class="link"' $ret = '<form action="' . $url_parts['path'] . '" class="link"'
. ' method="post"' . $target . ' style="display: inline;">'; . ' method="post"' . $target . ' style="display: inline;">';

31
libraries/url_generating.lib.php
View File

@@ -155,14 +155,7 @@ function PMA_generate_common_url ($db = '', $table = '', $delim = '&amp;')
// use seperators defined by php, but prefer ';' // use seperators defined by php, but prefer ';'
// as recommended by W3C // as recommended by W3C
$php_arg_separator_input = ini_get('arg_separator.input'); $separator = PMA_get_arg_separator();
if (strpos($php_arg_separator_input, ';') !== false) {
$separator = ';';
} elseif (strlen($php_arg_separator_input) > 0) {
$separator = $php_arg_separator_input{0};
} else {
$separator = '&';
}
// check wether to htmlentity the separator or not // check wether to htmlentity the separator or not
if ($delim === '&amp;') { if ($delim === '&amp;') {
@@ -203,4 +196,26 @@ function PMA_generate_common_url ($db = '', $table = '', $delim = '&amp;')
return $questionmark . implode($delim, $param_strings); return $questionmark . implode($delim, $param_strings);
} }
/**
* Returns url separator
*
* @return string character used for separating url parts
*
* @access public
*
* @author nijel
*/
function PMA_get_arg_separator() {
// use seperators defined by php, but prefer ';'
// as recommended by W3C
$php_arg_separator_input = ini_get('arg_separator.input');
if (strpos($php_arg_separator_input, ';') !== false) {
return ';';
} elseif (strlen($php_arg_separator_input) > 0) {
return $php_arg_separator_input{0};
} else {
return '&';
}
}
?> ?>