
Readd AllowThirdPartyFraming option

By default we want no framing of phpMyAdmin, but some sites might still
need to embed it, so a configuration option (with an appropriate security
warning) is provided.

This basically reverts d7e0bed.
1 parent 52b9b6c commit 240b8332db53dedc27baeec5306dabad3bdece3b @nijel nijel committed Jul 29, 2013
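--- a/doc/config.rst
+++ b/doc/config.rst
@@ -119,6 +119,15 @@ Basic settings
 Show warning about incomplete translations on certain threshold.
+.. config:option:: $cfg['AllowThirdPartyFraming']
+
+ :type: boolean
+ :default: false
+
+ Setting this to ``true`` allows phpMyAdmin to be included inside a frame,
+ and is a potential security hole allowing cross-frame scripting attacks or
+ clickjacking.
+
 Server connection settings
 --------------------------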
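--- a/js/cross_framing_protection.js
+++ b/js/cross_framing_protection.js
@@ -0,0 +1,14 @@
+/* vim: set expandtab sw=4 ts=4 sts=4: */
+/**
+ * Conditionally included if third-party framing is not allowed
+ *
+ */
+
+try {
+ if (top != self) {
+ top.location.href = self.location.href;
+ }
+} catch(e) {
+ alert("Redirecting... (error: " + e);
+ top.location.href = self.location.href;
+}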
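Review bot: The catch block repeats the exact assignment that just threw, so if `top.location.href = self.location.href;` fails inside the try, the retry raises again outside any handler, and the alert text has an unbalanced parenthesis. Suggest `alert("Redirecting... (error: " + e + ")");` and not repeating the assignment in the catch, or dropping the alert and keeping only the single redirect attempt. `top != self` is safe here because both operands are window objects, but `top !== self` would match the strict-comparison style used elsewhere. The file comment could also say that this script is only a fallback for clients that ignore the `X-Frame-Options` header sent from Header.class.php, which remains the primary control.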
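--- a/libraries/Header.class.php
+++ b/libraries/Header.class.php
@@ -158,6 +158,12 @@ private function _addDefaultScripts()
 $this->_scripts->addFile('jquery/jquery.ba-hashchange-1.3.js');
 $this->_scripts->addFile('jquery/jquery.debounce-1.0.5.js');
 $this->_scripts->addFile('jquery/jquery.menuResizer-1.0.js');
+
+ // Cross-framing protection
+ if ($GLOBALS['cfg']['AllowThirdPartyFraming'] === false) {
+ $this->_scripts->addFile('cross_framing_protection.js');
+ }
+
 $this->_scripts->addFile('rte.js');
 // Here would not be a good place to add CodeMirror because
@@ -449,6 +455,12 @@ public function sendHttpHeaders()
 */
 $GLOBALS['now'] = gmdate('D, d M Y H:i:s') . ' GMT';
 if (! defined('TESTSUITE')) {
+ /* Prevent against ClickJacking by disabling framing */
+ if (! $GLOBALS['cfg']['AllowThirdPartyFraming']) {
+ header(
+ 'X-Frame-Options: DENY'
+ );
+ }
 header(
 "X-Content-Security-Policy: default-src 'self' "
 . $GLOBALS['cfg']['CSPAllow'] . ';'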
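Review bot: The two new checks test the option differently: `_addDefaultScripts` uses `=== false` while `sendHttpHeaders` uses `!`, so a value such as `0`, `null` or `''` in a user's config sends the `X-Frame-Options: DENY` header but skips the protection script, and the two defences fall out of step. Suggest one fail-closed form in both places, `if ($GLOBALS['cfg']['AllowThirdPartyFraming'] !== true) {`, so anything other than an explicit `true` keeps framing disabled in both the header and the script. The header is the control browsers enforce; the script presumably only covers clients that ignore it, so a one-line comment saying so at the first hunk would help a maintainer. Both enclosing methods start and end outside the hunks.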
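--- a/libraries/Scripts.class.php
+++ b/libraries/Scripts.class.php
@@ -129,6 +129,7 @@ private function _eventBlacklist($filename)
 || strpos($filename, 'ajax.js') !== false
 || strpos($filename, 'navigation.js') !== false
 || strpos($filename, 'get_image.js.php') !== false
+ || strpos($filename, 'cross_framing_protection.js') !== false
 ) {
 return 0;
 } else {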
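Review bot: The new blacklist entry gives no hint why `cross_framing_protection.js` is exempted from whatever event wrapping `_eventBlacklist` controls; the name suggests the script has to run as soon as it loads rather than from an event handler, which matters for a frame check, but that is inferred from the names rather than visible here. Suggest a short comment above the condition, `// cross_framing_protection.js must execute immediately on load, not from an event handler`, adjusted once the caller's handling of the `0` return is confirmed. `_eventBlacklist` starts and ends outside the hunk.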
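--- a/libraries/config.default.php
+++ b/libraries/config.default.php
@@ -84,6 +84,14 @@
 $cfg['TranslationWarningThreshold'] = 80;
 /**
+ * Allows phpMyAdmin to be included from a other document in a frame;
+ * setting this to true is a potential security hole
+ *
+ * @global boolean $cfg['AllowThirdPartyFraming']
+ */
+$cfg['AllowThirdPartyFraming'] = false;
+
+/**
 * The 'cookie' auth_type uses blowfish algorithm to encrypt the password. If
 * at least one server configuration uses 'cookie' auth_type, enter here a
 * pass phrase that will be used by blowfish. The maximum length seems to be 46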
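Review bot: The new docblock reads `from a other document`; suggest ` * Allows phpMyAdmin to be included from another document in a frame;`. It would also help to state what the option actually controls, since this commit wires it to both the `X-Frame-Options: DENY` header and the cross_framing_protection.js script, e.g. ` * when false (the default) an X-Frame-Options: DENY header is sent and a frame-busting script is loaded`. Naming clickjacking alongside the security-hole wording, as doc/config.rst does in this commit, keeps the two descriptions aligned.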
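--- a/libraries/config/messages.inc.php
+++ b/libraries/config/messages.inc.php
@@ -16,6 +16,8 @@
 $strConfigAllowArbitraryServer_desc = __('If enabled user can enter any MySQL server in login form for cookie auth');
 $strConfigAllowArbitraryServer_name = __('Allow login to any MySQL server');
+$strConfigAllowThirdPartyFraming_desc = __('Enabling this allows a page located on a different domain to call phpMyAdmin inside a frame, and is a potential [strong]security hole[/strong] allowing cross-frame scripting attacks');
+$strConfigAllowThirdPartyFraming_name = __('Allow third party framing');
 $strConfigAllowUserDropDatabase_name = __('Show "Drop database" link to normal users');
 $strConfigblowfish_secret_desc = __('Secret passphrase used for encrypting cookies in [kbd]cookie[/kbd] authentication');
 $strConfigblowfish_secret_name = __('Blowfish secret');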
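Review bot: The new `_desc` string names cross-frame scripting only, while the doc/config.rst entry added in the same commit also names clickjacking, which is the risk the `X-Frame-Options: DENY` header addresses; suggest ending the sentence with `allowing cross-frame scripting attacks or clickjacking` so the setup-form text matches the manual. Since this is a fresh translation source string, aligning it now avoids invalidating translations later.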
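--- a/libraries/config/setup.forms.php
+++ b/libraries/config/setup.forms.php
@@ -136,7 +136,8 @@
 'MemoryLimit',
 'SkipLockedTables',
 'DisableMultiTableMaintenance',
-'UseDbSearch');
+'UseDbSearch',
+'AllowThirdPartyFraming');
 $forms['Sql_queries']['Sql_queries'] = array(
 'ShowSQL',
 'Confirm',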
