
Commit 240b833

committed
Readd AllowThirdPartyFraming option
By default we want no framing of phpMyAdmin, but some sites might still need to embed it, so a configuration option (with an appropriate security warning) is provided. This basically reverts d7e0bed.
1 parent 52b9b6c commit 240b833

7 files changed

+48
-1
lines changed

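--- a/doc/config.rst
+++ b/doc/config.rst
@@ -119,6 +119,15 @@ Basic settings
 
 Show warning about incomplete translations on certain threshold.
 
+.. config:option:: $cfg['AllowThirdPartyFraming']
+
+:type: boolean
+:default: false
+
+Setting this to ``true`` allows phpMyAdmin to be included inside a frame,
+and is a potential security hole allowing cross-frame scripting attacks or
+clickjacking.
+
 Server connection settings
 --------------------------
 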
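--- a/js/cross_framing_protection.js
+++ b/js/cross_framing_protection.js
@@ -0,0 +1,14 @@
+/* vim: set expandtab sw=4 ts=4 sts=4: */
+/**
+* Conditionally included if third-party framing is not allowed
+*
+*/
+
+try {
+if (top != self) {
+top.location.href = self.location.href;
+}
+} catch(e) {
+alert("Redirecting... (error: " + e);
+top.location.href = self.location.href;
+}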
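Review bot: The catch branch on lines 11-13 repeats the very assignment that may have just thrown (`top.location.href = self.location.href;`), so if the first attempt failed, the retry will most likely fail the same way, this time outside any handler. The alert text on line 12 also never closes its parenthesis; `alert("Redirecting... (error: " + e + ")");` fixes that, and the loose `top != self` is better written `if (window.top !== window.self) {`. Scripted frame-busting of this kind is known to be circumventable by a hostile parent document, so the `X-Frame-Options` header sent from Header.class.php should be regarded as the primary control and this file as a fallback for browsers that ignore that header; the header comment could say so, e.g. `* Fallback for browsers without X-Frame-Options support; the header is the primary protection`.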

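--- a/libraries/Header.class.php
+++ b/libraries/Header.class.php
@@ -158,6 +158,12 @@ private function _addDefaultScripts()
 $this->_scripts->addFile('jquery/jquery.ba-hashchange-1.3.js');
 $this->_scripts->addFile('jquery/jquery.debounce-1.0.5.js');
 $this->_scripts->addFile('jquery/jquery.menuResizer-1.0.js');
+
+// Cross-framing protection
+if ($GLOBALS['cfg']['AllowThirdPartyFraming'] === false) {
+$this->_scripts->addFile('cross_framing_protection.js');
+}
+
 $this->_scripts->addFile('rte.js');
 
 // Here would not be a good place to add CodeMirror because
@@ -449,6 +455,12 @@ public function sendHttpHeaders()
 */
 $GLOBALS['now'] = gmdate('D, d M Y H:i:s') . ' GMT';
 if (! defined('TESTSUITE')) {
+/* Prevent against ClickJacking by disabling framing */
+if (! $GLOBALS['cfg']['AllowThirdPartyFraming']) {
+header(
+'X-Frame-Options: DENY'
+);
+}
 header(
 "X-Content-Security-Policy: default-src 'self' "
 . $GLOBALS['cfg']['CSPAllow'] . ';'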
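Review bot: The two new checks disagree on what "framing allowed" means: in _addDefaultScripts the frame-busting script is included only when the option is exactly `false` (`=== false`, line 163), while sendHttpHeaders sends `X-Frame-Options: DENY` for any falsy value (line 459). A value such as `0` or `''`, which a form-driven config could plausibly produce, would then send the header but skip the script, and a missing key would skip the script altogether. Use the same test in both places, e.g. `if (! $GLOBALS['cfg']['AllowThirdPartyFraming']) {` at line 163, so the header and its script fallback are always enabled together. Both _addDefaultScripts and sendHttpHeaders continue outside their hunks.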

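--- a/libraries/Scripts.class.php
+++ b/libraries/Scripts.class.php
@@ -129,6 +129,7 @@ private function _eventBlacklist($filename)
 || strpos($filename, 'ajax.js') !== false
 || strpos($filename, 'navigation.js') !== false
 || strpos($filename, 'get_image.js.php') !== false
+|| strpos($filename, 'cross_framing_protection.js') !== false
 ) {
 return 0;
 } else {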

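--- a/libraries/config.default.php
+++ b/libraries/config.default.php
@@ -83,6 +83,14 @@
 */
 $cfg['TranslationWarningThreshold'] = 80;
 
+/**
+* Allows phpMyAdmin to be included from a other document in a frame;
+* setting this to true is a potential security hole
+*
+* @global boolean $cfg['AllowThirdPartyFraming']
+*/
+$cfg['AllowThirdPartyFraming'] = false;
+
 /**
 * The 'cookie' auth_type uses blowfish algorithm to encrypt the password. If
 * at least one server configuration uses 'cookie' auth_type, enter here a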
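Review bot: The new docblock at line 87 reads "from a other document" and does not say what the default actually does, which is the information an administrator deciding to flip this needs. Suggest `* Allows phpMyAdmin to be included from another document in a frame;` followed by `* the default (false) sends an X-Frame-Options: DENY header and a frame-busting script;` and keep the existing warning line. Naming clickjacking alongside cross-frame scripting here would also keep this comment consistent with doc/config.rst in the same commit.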

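--- a/libraries/config/messages.inc.php
+++ b/libraries/config/messages.inc.php
@@ -16,6 +16,8 @@
 
 $strConfigAllowArbitraryServer_desc = __('If enabled user can enter any MySQL server in login form for cookie auth');
 $strConfigAllowArbitraryServer_name = __('Allow login to any MySQL server');
+$strConfigAllowThirdPartyFraming_desc = __('Enabling this allows a page located on a different domain to call phpMyAdmin inside a frame, and is a potential [strong]security hole[/strong] allowing cross-frame scripting attacks');
+$strConfigAllowThirdPartyFraming_name = __('Allow third party framing');
 $strConfigAllowUserDropDatabase_name = __('Show "Drop database" link to normal users');
 $strConfigblowfish_secret_desc = __('Secret passphrase used for encrypting cookies in [kbd]cookie[/kbd] authentication');
 $strConfigblowfish_secret_name = __('Blowfish secret');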
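Review bot: The setup-form description on line 19 names only cross-frame scripting, whereas doc/config.rst in the same commit also names clickjacking, which is the risk the `X-Frame-Options: DENY` default is commented as preventing. Since this string is what an administrator sees when enabling the option, it should mention both, e.g. end with `allowing cross-frame scripting or clickjacking attacks');`.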

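--- a/libraries/config/setup.forms.php
+++ b/libraries/config/setup.forms.php
@@ -136,7 +136,8 @@
 'MemoryLimit',
 'SkipLockedTables',
 'DisableMultiTableMaintenance',
-'UseDbSearch');
+'UseDbSearch',
+'AllowThirdPartyFraming');
 $forms['Sql_queries']['Sql_queries'] = array(
 'ShowSQL',
 'Confirm',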
