
Readd AllowThirdPartyFraming option
By default we want no framing of phpMyAdmin, but some sites might still
need to embed it, so a configuration option (with an appropriate security
warning) is provided.

This basically reverts d7e0bed.
nijel committed Jul 29, 2013
1 parent 52b9b6c commit 240b833
Showing 7 changed files with 48 additions and 1 deletion.
9 changes: 9 additions & 0 deletions doc/config.rst
@@ -119,6 +119,15 @@ Basic settings

Show warning about incomplete translations on certain threshold.

.. config:option:: $cfg['AllowThirdPartyFraming']
:type: boolean
:default: false

Setting this to ``true`` allows phpMyAdmin to be included inside a frame,
and is a potential security hole allowing cross-frame scripting attacks or
clickjacking.

Server connection settings
--------------------------

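--- a/js/cross_framing_protection.js
+++ b/js/cross_framing_protection.js
@@ -0,0 +1,14 @@
+/* vim: set expandtab sw=4 ts=4 sts=4: */
+/**
+* Conditionally included if third-party framing is not allowed
+*
+*/
+
+try {
+if (top != self) {
+top.location.href = self.location.href;
+}
+} catch(e) {
+alert("Redirecting... (error: " + e);
+top.location.href = self.location.href;
+}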
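Review bot: The alert text in the catch block opens a parenthesis it never closes, so the dialog reads oddly; `alert("Redirecting... (error: " + e + ")");`. The comparison `top != self` would read better as `top !== self` (the result is the same for window objects), and `self.location.replace(self.location.href)` would avoid leaving the framed page in the history, though that is a preference. The header comment should also say that this script is only a secondary measure: the `X-Frame-Options: DENY` header sent from Header::sendHttpHeaders in the same commit is the control browsers enforce, and the script merely covers clients that do not honour it.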
12 changes: 12 additions & 0 deletions libraries/Header.class.php
@@ -158,6 +158,12 @@ private function _addDefaultScripts()
$this->_scripts->addFile('jquery/jquery.ba-hashchange-1.3.js');
$this->_scripts->addFile('jquery/jquery.debounce-1.0.5.js');
$this->_scripts->addFile('jquery/jquery.menuResizer-1.0.js');

// Cross-framing protection
if ($GLOBALS['cfg']['AllowThirdPartyFraming'] === false) {
$this->_scripts->addFile('cross_framing_protection.js');
}

$this->_scripts->addFile('rte.js');

// Here would not be a good place to add CodeMirror because
@@ -449,6 +455,12 @@ public function sendHttpHeaders()
*/
$GLOBALS['now'] = gmdate('D, d M Y H:i:s') . ' GMT';
if (! defined('TESTSUITE')) {
/* Prevent against ClickJacking by disabling framing */
if (! $GLOBALS['cfg']['AllowThirdPartyFraming']) {
header(
'X-Frame-Options: DENY'
);
}
header(
"X-Content-Security-Policy: default-src 'self' "
. $GLOBALS['cfg']['CSPAllow'] . ';'
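Review bot: The two new checks test the option differently — `$GLOBALS['cfg']['AllowThirdPartyFraming'] === false` in _addDefaultScripts and `! $GLOBALS['cfg']['AllowThirdPartyFraming']` in sendHttpHeaders — so a value that is falsy but not strictly `false` (a missing key yielding null, or 0) sends the DENY header without loading cross_framing_protection.js. Use one form in both places, e.g. `if (! $GLOBALS['cfg']['AllowThirdPartyFraming']) {` on the script-loading branch, so the header and the script always agree. Note that the existing `! defined('TESTSUITE')` guard means the DENY header is never emitted under tests, so a test cannot verify the new behaviour; the bodies of both _addDefaultScripts and sendHttpHeaders continue outside their hunks.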
1 change: 1 addition & 0 deletions libraries/Scripts.class.php
@@ -129,6 +129,7 @@ private function _eventBlacklist($filename)
|| strpos($filename, 'ajax.js') !== false
|| strpos($filename, 'navigation.js') !== false
|| strpos($filename, 'get_image.js.php') !== false
|| strpos($filename, 'cross_framing_protection.js') !== false
) {
return 0;
} else {
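Review bot: The new entry gives no hint why cross_framing_protection.js must be excluded here, and unlike the other names on the list it is not an obviously special script. A short comment on the added line, e.g. `// frame-busting must run as soon as it is parsed, not from a deferred handler`, would record the reason — assuming that is what being on this list achieves, which the hunk does not show; confirm against the caller of _eventBlacklist. The `strpos(...) !== false` substring match follows the existing lines, so any filename containing that string is matched. _eventBlacklist continues outside the hunk.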
8 changes: 8 additions & 0 deletions libraries/config.default.php
@@ -83,6 +83,14 @@
*/
$cfg['TranslationWarningThreshold'] = 80;

/**
* Allows phpMyAdmin to be included from a other document in a frame;
* setting this to true is a potential security hole
*
* @global boolean $cfg['AllowThirdPartyFraming']
*/
$cfg['AllowThirdPartyFraming'] = false;

/**
* The 'cookie' auth_type uses blowfish algorithm to encrypt the password. If
* at least one server configuration uses 'cookie' auth_type, enter here a
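Review bot: The new doc comment reads `from a other document` — `from another document` — and it describes the risk without saying what the option actually controls. Since the same commit ties the flag to the response header and to a script, the comment should name them, e.g. `* When false (the default) phpMyAdmin sends an X-Frame-Options: DENY header and loads cross_framing_protection.js; set to true only if you need phpMyAdmin inside a frame on another site.`, so an administrator understands what they are switching off.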
2 changes: 2 additions & 0 deletions libraries/config/messages.inc.php
@@ -16,6 +16,8 @@

$strConfigAllowArbitraryServer_desc = __('If enabled user can enter any MySQL server in login form for cookie auth');
$strConfigAllowArbitraryServer_name = __('Allow login to any MySQL server');
$strConfigAllowThirdPartyFraming_desc = __('Enabling this allows a page located on a different domain to call phpMyAdmin inside a frame, and is a potential [strong]security hole[/strong] allowing cross-frame scripting attacks');
$strConfigAllowThirdPartyFraming_name = __('Allow third party framing');
$strConfigAllowUserDropDatabase_name = __('Show "Drop database" link to normal users');
$strConfigblowfish_secret_desc = __('Secret passphrase used for encrypting cookies in [kbd]cookie[/kbd] authentication');
$strConfigblowfish_secret_name = __('Blowfish secret');
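Review bot: The new `$strConfigAllowThirdPartyFraming_desc` text names only cross-frame scripting, while doc/config.rst in the same commit and the comment in sendHttpHeaders both cite clickjacking, which is the risk the DENY header is there to stop. Aligning the setup-page wording with the manual, `... allowing cross-frame scripting attacks or clickjacking`, keeps the two descriptions of the option consistent.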
3 changes: 2 additions & 1 deletion libraries/config/setup.forms.php
@@ -136,7 +136,8 @@
'MemoryLimit',
'SkipLockedTables',
'DisableMultiTableMaintenance',
'UseDbSearch');
'UseDbSearch',
'AllowThirdPartyFraming');
$forms['Sql_queries']['Sql_queries'] = array(
'ShowSQL',
'Confirm',
