

Merge remote-tracking branch 'security/QA_4_7-security' into QA_4_7-security
nijel committed Dec 18, 2017
2 parents 44df4a3 + 5d71c39 commit 5503abe
Showing 37 changed files with 177 additions and 103 deletions.
4 changes: 4 additions & 0 deletions libraries/URL.php
Expand Up @@ -223,6 +223,10 @@ public static function getCommonRaw($params = array(), $divider = '?')
$params['collation_connection'] = $GLOBALS['collation_connection'];
}

if (isset($_SESSION[' PMA_token '])) {
$params['token'] = $_SESSION[' PMA_token '];
}

$query = http_build_query($params, null, $separator);

if ($divider != '?' || strlen($query) > 0) {
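Review bot: The new `isset` block puts the session CSRF token into every URL that goes through getCommonRaw, so from this commit on the token lives in browser history, proxy and server logs and, unless a referrer policy is sent, in the Referer header of any off-site link or resource loaded from a page; it has to be treated as leakable and regenerated at login, and if the application does not already emit `Referrer-Policy: same-origin` (or the equivalent `<meta name="referrer">`), that belongs with this change. The token is also appended only when the session already holds one, so callers that build URLs before the session token exists silently get token-less links, which the mismatch path in common.inc.php then strips of most parameters; a comment on the `isset` such as `// token exists only once the session is initialised; earlier callers get unauthenticated links` would make that ordering dependency visible. getCommonRaw begins and ends outside the hunk.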
59 changes: 42 additions & 17 deletions libraries/common.inc.php
Expand Up @@ -361,31 +361,56 @@
* could access this variables before we reach this point
* f.e. PMA\libraries\Config: fontsize
*
* Check for token mismatch only if the Request method is POST
* GET Requests would never have token and therefore checking
* mis-match does not make sense
*
* @todo variables should be handled by their respective owners (objects)
* f.e. lang, server, collation_connection in PMA\libraries\Config
*/

$token_mismatch = true;
$token_provided = false;
if (PMA_isValid($_REQUEST['token'])) {
$token_provided = true;
$token_mismatch = ! hash_equals($_SESSION[' PMA_token '], $_REQUEST['token']);
}

if ($_SERVER['REQUEST_METHOD'] == 'POST') {
if (PMA_isValid($_POST['token'])) {
$token_provided = true;
$token_mismatch = ! @hash_equals($_SESSION[' PMA_token '], $_POST['token']);
}

if ($token_mismatch) {
/**
* We don't allow any POST operation parameters if the token is mismatched
* or is not provided
if ($token_mismatch) {
/**
* List of parameters which are allowed from unsafe source
*/
$allow_list = array(
/* needed for direct access, see FAQ 1.34
* also, server needed for cookie login screen (multi-server)
*/
$whitelist = array('ajax_request');
PMA\libraries\Sanitize::removeRequestVars($whitelist);
'server', 'db', 'table', 'target', 'lang',
/* Session ID */
'phpMyAdmin',
/* Cookie preferences */
'pma_lang', 'pma_collation_connection',
/* Possible login form */
'pma_servername', 'pma_username', 'pma_password',
'g-recaptcha-response',
/* Needed to send the correct reply */
'ajax_request',
/* Permit to log out even if there is a token mismatch */
'old_usr',
/* Permit redirection with token-mismatch in url.php */
'url',
/* Permit session expiry flag */
'session_expired',
/* JS loading */
'scripts', 'call_done',
/* Navigation panel */
'aPath', 'vPath', 'pos', 'pos2_name', 'pos2_value', 'searchClause', 'searchClause2'
);
/**
* Allow changing themes in test/theme.php
*/
if (defined('PMA_TEST_THEME')) {
$allow_list[] = 'set_theme';
}
/**
* Do actual cleanup
*/
PMA\libraries\Sanitize::removeRequestVars($allow_list);

}


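Review bot: The new comparison at the top of the hunk reads `$_SESSION[' PMA_token ']` without the `isset` guard URL.php now uses for the same key, and the `@` of the replaced POST-only branch is gone, so a request that carries a `token` before the session has one makes `hash_equals()` warn on PHP 7 and, on newer PHP, throw instead of merely failing closed; `$token_mismatch = ! isset($_SESSION[' PMA_token ']) || ! hash_equals($_SESSION[' PMA_token '], $_REQUEST['token']);` keeps the fail-closed result without the error path. Reading the token from `$_REQUEST` also means that, with a `request_order` that includes cookies, a `token` cookie would satisfy the check while being sent automatically by the browser — the one property a CSRF token must not have — so reading `$_GET`/`$_POST` explicitly is the safer source, and this relies on `PMA_isValid` rejecting array values, which the hunk does not show. The allow list is the set of parameters a token-less request can still influence, so every entry is CSRF surface; `url` and `target` in particular are only safe if their consumers accept relative, same-origin locations, which is worth stating next to them, e.g. `/* Permit redirection with token-mismatch in url.php; url.php must only accept relative/same-origin targets */`. The surrounding bootstrap code continues above and below the hunk.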
1 change: 1 addition & 0 deletions libraries/navigation/NavigationTree.php
Expand Up @@ -1264,6 +1264,7 @@ public function renderDbSelect()
);
$children = $this->_tree->children;
$url_params = array(
'token' => $_SESSION[' PMA_token '],
'server' => $GLOBALS['server'],
);
$retval .= '<div id="pma_navigation_db_select">';
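Review bot: The added `'token' => $_SESSION[' PMA_token ']` reads the session key unguarded, unlike the `isset` check URL.php uses for the same value, so rendering the db select before the session token exists raises an undefined-index notice. If `$url_params` is later passed through `URL::getCommon()` the entry is now redundant, since `getCommonRaw()` appends the token itself; if it is rendered by hand instead, the value needs attribute escaping like any other parameter. Either drop the entry in favour of the central helper or guard it, `'token' => isset($_SESSION[' PMA_token ']) ? $_SESSION[' PMA_token '] : '',`. renderDbSelect continues past the hunk.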
6 changes: 4 additions & 2 deletions libraries/navigation/nodes/NodeColumn.php
Expand Up @@ -31,10 +31,12 @@ public function __construct($name, $type = Node::OBJECT, $is_group = false)
$this->links = array(
'text' => 'tbl_structure.php?server=' . $GLOBALS['server']
. '&amp;db=%3$s&amp;table=%2$s&amp;field=%1$s'
. '&amp;change_column=1',
. '&amp;change_column=1'
. '&amp;token=' . $_SESSION[' PMA_token '],
'icon' => 'tbl_structure.php?server=' . $GLOBALS['server']
. '&amp;db=%3$s&amp;table=%2$s&amp;field=%1$s'
. '&amp;change_column=1',
. '&amp;change_column=1'
. '&amp;token=' . $_SESSION[' PMA_token '],
'title' => __('Structure'),
);
}
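Review bot: The token is concatenated straight into an `href` template that is expanded later with sprintf, with no `htmlspecialchars()`/`urlencode()`; that is only safe while the session token is generated as plain hex or alphanumerics, which nothing in the hunk establishes, so either escape it here or pin the assumption with a comment, e.g. `// token is server-generated hex; safe to inline unescaped in an attribute`. Repeating `'&amp;token=' . $_SESSION[' PMA_token ']` in each node class also duplicates what `URL::getCommonRaw()` now does centrally; a single helper returning the escaped `&amp;token=…` suffix would keep the many call sites in step if the token's name or encoding ever changes. The constructor continues outside the hunk.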
12 changes: 8 additions & 4 deletions libraries/navigation/nodes/NodeColumnContainer.php
Expand Up @@ -27,9 +27,11 @@ public function __construct()
$this->icon = Util::getImage('pause.png', __('Columns'));
$this->links = array(
'text' => 'tbl_structure.php?server=' . $GLOBALS['server']
. '&amp;db=%2$s&amp;table=%1$s',
. '&amp;db=%2$s&amp;table=%1$s'
. '&amp;token=' . $_SESSION[' PMA_token '],
'icon' => 'tbl_structure.php?server=' . $GLOBALS['server']
. '&amp;db=%2$s&amp;table=%1$s',
. '&amp;db=%2$s&amp;table=%1$s'
. '&amp;token=' . $_SESSION[' PMA_token '],
);
$this->real_name = 'columns';

Expand All @@ -43,10 +45,12 @@ public function __construct()
$new->links = array(
'text' => 'tbl_addfield.php?server=' . $GLOBALS['server']
. '&amp;db=%3$s&amp;table=%2$s'
. '&amp;field_where=last&after_field=',
. '&amp;field_where=last&after_field='
. '&amp;token=' . $_SESSION[' PMA_token '],
'icon' => 'tbl_addfield.php?server=' . $GLOBALS['server']
. '&amp;db=%3$s&amp;table=%2$s'
. '&amp;field_where=last&after_field=',
. '&amp;field_where=last&after_field='
. '&amp;token=' . $_SESSION[' PMA_token '],
);
$new->classes = 'new_column italics';
$this->addChild($new);
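Review bot: The "new column" links now mix escaping inside one attribute string: the added `&amp;token=` is entity-encoded while the `&after_field=` it follows keeps a bare `&`. Browsers tolerate a bare `&` when the following text is not a named character reference, but the correct form in an HTML attribute is the encoded one, and mixed styles invite a future edit that introduces a real entity clash; `'&amp;field_where=last&amp;after_field='` makes both links consistent. The constructor continues outside the hunk.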
4 changes: 2 additions & 2 deletions libraries/navigation/nodes/NodeDatabase.php
Expand Up @@ -47,9 +47,9 @@ public function __construct($name, $type = Node::OBJECT, $is_group = false)
$this->links = array(
'text' => $script_name
. '?server=' . $GLOBALS['server']
. '&amp;db=%1$s',
. '&amp;db=%1$s&amp;token=' . $_SESSION[' PMA_token '],
'icon' => 'db_operations.php?server=' . $GLOBALS['server']
. '&amp;db=%1$s&amp;',
. '&amp;db=%1$s&amp;token=' . $_SESSION[' PMA_token '],
'title' => __('Structure'),
);
$this->classes = 'database';
6 changes: 4 additions & 2 deletions libraries/navigation/nodes/NodeDatabaseContainer.php
Expand Up @@ -38,8 +38,10 @@ public function __construct($name)
$new->isNew = true;
$new->icon = PMA\libraries\Util::getImage('b_newdb.png', '');
$new->links = array(
'text' => 'server_databases.php?server=' . $GLOBALS['server'],
'icon' => 'server_databases.php?server=' . $GLOBALS['server'],
'text' => 'server_databases.php?server=' . $GLOBALS['server']
. '&amp;token=' . $_SESSION[' PMA_token '],
'icon' => 'server_databases.php?server=' . $GLOBALS['server']
. '&amp;token=' . $_SESSION[' PMA_token '],
);
$new->classes = 'new_database italics';
$this->addChild($new);
6 changes: 4 additions & 2 deletions libraries/navigation/nodes/NodeEvent.php
Expand Up @@ -30,9 +30,11 @@ public function __construct($name, $type = Node::OBJECT, $is_group = false)
$this->icon = PMA\libraries\Util::getImage('b_events.png');
$this->links = array(
'text' => 'db_events.php?server=' . $GLOBALS['server']
. '&amp;db=%2$s&amp;item_name=%1$s&amp;edit_item=1',
. '&amp;db=%2$s&amp;item_name=%1$s&amp;edit_item=1'
. '&amp;token=' . $_SESSION[' PMA_token '],
'icon' => 'db_events.php?server=' . $GLOBALS['server']
. '&amp;db=%2$s&amp;item_name=%1$s&amp;export_item=1',
. '&amp;db=%2$s&amp;item_name=%1$s&amp;export_item=1'
. '&amp;token=' . $_SESSION[' PMA_token '],
);
$this->classes = 'event';
}
10 changes: 6 additions & 4 deletions libraries/navigation/nodes/NodeEventContainer.php
Expand Up @@ -26,9 +26,9 @@ public function __construct()
$this->icon = PMA\libraries\Util::getImage('b_events.png', '');
$this->links = array(
'text' => 'db_events.php?server=' . $GLOBALS['server']
. '&amp;db=%1$s',
. '&amp;db=%1$s&amp;token=' . $_SESSION[' PMA_token '],
'icon' => 'db_events.php?server=' . $GLOBALS['server']
. '&amp;db=%1$s',
. '&amp;db=%1$s&amp;token=' . $_SESSION[' PMA_token '],
);
$this->real_name = 'events';

Expand All @@ -40,9 +40,11 @@ public function __construct()
$new->icon = PMA\libraries\Util::getImage('b_event_add.png', '');
$new->links = array(
'text' => 'db_events.php?server=' . $GLOBALS['server']
. '&amp;db=%2$s&add_item=1',
. '&amp;db=%2$s&amp;token=' . $_SESSION[' PMA_token ']
. '&add_item=1',
'icon' => 'db_events.php?server=' . $GLOBALS['server']
. '&amp;db=%2$s&add_item=1',
. '&amp;db=%2$s&amp;token=' . $_SESSION[' PMA_token ']
. '&add_item=1',
);
$new->classes = 'new_event italics';
$this->addChild($new);
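Review bot: In the "new event" links the token was spliced in before `&add_item=1`, leaving that parameter with a bare `&` right after the entity-encoded `&amp;token=`; the same string now carries both styles. Appending the token last, as the other nodes in this commit do, and encoding the existing separator — `. '&amp;add_item=1&amp;token=' . $_SESSION[' PMA_token '],` — keeps the query consistent and the diff easier to audit. The constructor continues outside the hunk.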
4 changes: 2 additions & 2 deletions libraries/navigation/nodes/NodeFunction.php
Expand Up @@ -31,10 +31,10 @@ public function __construct($name, $type = Node::OBJECT, $is_group = false)
$this->links = array(
'text' => 'db_routines.php?server=' . $GLOBALS['server']
. '&amp;db=%2$s&amp;item_name=%1$s&amp;item_type=FUNCTION'
. '&amp;edit_item=1',
. '&amp;edit_item=1&amp;token=' . $_SESSION[' PMA_token '],
'icon' => 'db_routines.php?server=' . $GLOBALS['server']
. '&amp;db=%2$s&amp;item_name=%1$s&amp;item_type=FUNCTION'
. '&amp;execute_dialog=1',
. '&amp;execute_dialog=1&amp;token=' . $_SESSION[' PMA_token '],
);
$this->classes = 'function';
}
12 changes: 8 additions & 4 deletions libraries/navigation/nodes/NodeFunctionContainer.php
Expand Up @@ -29,9 +29,11 @@ public function __construct()
);
$this->links = array(
'text' => 'db_routines.php?server=' . $GLOBALS['server']
. '&amp;db=%1$s&amp;type=FUNCTION',
. '&amp;db=%1$s&amp;token=' . $_SESSION[' PMA_token ']
. '&amp;type=FUNCTION',
'icon' => 'db_routines.php?server=' . $GLOBALS['server']
. '&amp;db=%1$s&amp;type=FUNCTION',
. '&amp;db=%1$s&amp;token=' . $_SESSION[' PMA_token ']
. '&amp;type=FUNCTION',
);
$this->real_name = 'functions';

Expand All @@ -44,9 +46,11 @@ public function __construct()
$new->icon = PMA\libraries\Util::getImage('b_routine_add.png', $new_label);
$new->links = array(
'text' => 'db_routines.php?server=' . $GLOBALS['server']
. '&amp;db=%2$s&add_item=1&amp;item_type=FUNCTION',
. '&amp;db=%2$s&amp;token=' . $_SESSION[' PMA_token ']
. '&add_item=1&amp;item_type=FUNCTION',
'icon' => 'db_routines.php?server=' . $GLOBALS['server']
. '&amp;db=%2$s&add_item=1&amp;item_type=FUNCTION',
. '&amp;db=%2$s&amp;token=' . $_SESSION[' PMA_token ']
. '&add_item=1&amp;item_type=FUNCTION',
);
$new->classes = 'new_function italics';
$this->addChild($new);
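Review bot: The "new function" links have the same bare-`&` issue as the event container: `'&add_item=1&amp;item_type=FUNCTION'` now sits directly after the encoded `&amp;token=` segment, so one attribute string uses two escaping conventions. `'&amp;add_item=1&amp;item_type=FUNCTION'` fixes it, and placing the token at the end of the query rather than between `db` and `add_item` would match the other node classes touched by this commit. The constructor continues outside the hunk.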
6 changes: 4 additions & 2 deletions libraries/navigation/nodes/NodeIndex.php
Expand Up @@ -30,9 +30,11 @@ public function __construct($name, $type = Node::OBJECT, $is_group = false)
$this->icon = PMA\libraries\Util::getImage('b_index.png', __('Index'));
$this->links = array(
'text' => 'tbl_indexes.php?server=' . $GLOBALS['server']
. '&amp;db=%3$s&amp;table=%2$s&amp;index=%1$s',
. '&amp;db=%3$s&amp;table=%2$s&amp;index=%1$s'
. '&amp;token=' . $_SESSION[' PMA_token '],
'icon' => 'tbl_indexes.php?server=' . $GLOBALS['server']
. '&amp;db=%3$s&amp;table=%2$s&amp;index=%1$s',
. '&amp;db=%3$s&amp;table=%2$s&amp;index=%1$s'
. '&amp;token=' . $_SESSION[' PMA_token '],
);
$this->classes = 'index';
}
12 changes: 8 additions & 4 deletions libraries/navigation/nodes/NodeIndexContainer.php
Expand Up @@ -26,9 +26,11 @@ public function __construct()
$this->icon = PMA\libraries\Util::getImage('b_index.png', __('Indexes'));
$this->links = array(
'text' => 'tbl_structure.php?server=' . $GLOBALS['server']
. '&amp;db=%2$s&amp;table=%1$s',
. '&amp;db=%2$s&amp;table=%1$s'
. '&amp;token=' . $_SESSION[' PMA_token '],
'icon' => 'tbl_structure.php?server=' . $GLOBALS['server']
. '&amp;db=%2$s&amp;table=%1$s',
. '&amp;db=%2$s&amp;table=%1$s'
. '&amp;token=' . $_SESSION[' PMA_token '],
);
$this->real_name = 'indexes';

Expand All @@ -42,10 +44,12 @@ public function __construct()
$new->links = array(
'text' => 'tbl_indexes.php?server=' . $GLOBALS['server']
. '&amp;create_index=1&amp;added_fields=2'
. '&amp;db=%3$s&amp;table=%2$s',
. '&amp;db=%3$s&amp;table=%2$s&amp;token='
. $_SESSION[' PMA_token '],
'icon' => 'tbl_indexes.php?server=' . $GLOBALS['server']
. '&amp;create_index=1&amp;added_fields=2'
. '&amp;db=%3$s&amp;table=%2$s',
. '&amp;db=%3$s&amp;table=%2$s&amp;token='
. $_SESSION[' PMA_token '],
);
$new->classes = 'new_index italics';
$this->addChild($new);
4 changes: 2 additions & 2 deletions libraries/navigation/nodes/NodeProcedure.php
Expand Up @@ -34,10 +34,10 @@ public function __construct($name, $type = Node::OBJECT, $is_group = false)
$this->links = array(
'text' => 'db_routines.php?server=' . $GLOBALS['server']
. '&amp;db=%2$s&amp;item_name=%1$s&amp;item_type=PROCEDURE'
. '&amp;edit_item=1',
. '&amp;edit_item=1&amp;token=' . $_SESSION[' PMA_token '],
'icon' => 'db_routines.php?server=' . $GLOBALS['server']
. '&amp;db=%2$s&amp;item_name=%1$s&amp;item_type=PROCEDURE'
. '&amp;execute_dialog=1',
. '&amp;execute_dialog=1&amp;token=' . $_SESSION[' PMA_token '],
);
$this->classes = 'procedure';
}
12 changes: 8 additions & 4 deletions libraries/navigation/nodes/NodeProcedureContainer.php
Expand Up @@ -29,9 +29,11 @@ public function __construct()
);
$this->links = array(
'text' => 'db_routines.php?server=' . $GLOBALS['server']
. '&amp;db=%1$s&amp;type=PROCEDURE',
. '&amp;db=%1$s&amp;token=' . $_SESSION[' PMA_token ']
. '&amp;type=PROCEDURE',
'icon' => 'db_routines.php?server=' . $GLOBALS['server']
. '&amp;db=%1$s&amp;type=PROCEDURE',
. '&amp;db=%1$s&amp;token=' . $_SESSION[' PMA_token ']
. '&amp;type=PROCEDURE',
);
$this->real_name = 'procedures';

Expand All @@ -44,9 +46,11 @@ public function __construct()
$new->icon = PMA\libraries\Util::getImage('b_routine_add.png', $new_label);
$new->links = array(
'text' => 'db_routines.php?server=' . $GLOBALS['server']
. '&amp;db=%2$s&add_item=1',
. '&amp;db=%2$s&amp;token=' . $_SESSION[' PMA_token ']
. '&add_item=1',
'icon' => 'db_routines.php?server=' . $GLOBALS['server']
. '&amp;db=%2$s&add_item=1',
. '&amp;db=%2$s&amp;token=' . $_SESSION[' PMA_token ']
. '&add_item=1',
);
$new->classes = 'new_procedure italics';
$this->addChild($new);
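Review bot: The "new procedure" links carry a bare `&add_item=1` immediately after the encoded `&amp;token=` segment, so the attribute string mixes escaping styles; `'&amp;add_item=1'` is the consistent form. Unlike the function container, which sends `item_type=FUNCTION` on its add link, this one sends no `item_type` at all — fine if db_routines.php defaults to PROCEDURE, which the hunk cannot show, otherwise the two containers disagree and this is the place to add `&amp;item_type=PROCEDURE`. The constructor continues outside the hunk.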
8 changes: 5 additions & 3 deletions libraries/navigation/nodes/NodeTable.php
Expand Up @@ -53,20 +53,22 @@ public function __construct($name, $type = Node::OBJECT, $is_group = false)
'text' => $script_name
. '?server=' . $GLOBALS['server']
. '&amp;db=%2$s&amp;table=%1$s'
. '&amp;pos=0',
. '&amp;pos=0&amp;token=' . $_SESSION[' PMA_token '],
'icon' => array(
Util::getScriptNameForOption(
$GLOBALS['cfg']['NavigationTreeDefaultTabTable'],
'table'
)
. '?server=' . $GLOBALS['server']
. '&amp;db=%2$s&amp;table=%1$s',
. '&amp;db=%2$s&amp;table=%1$s&amp;token='
. $_SESSION[' PMA_token '],
Util::getScriptNameForOption(
$GLOBALS['cfg']['NavigationTreeDefaultTabTable2'],
'table'
)
. '?server=' . $GLOBALS['server']
. '&amp;db=%2$s&amp;table=%1$s',
. '&amp;db=%2$s&amp;table=%1$s&amp;token='
. $_SESSION[' PMA_token '],
),
'title' => $this->title,
);
10 changes: 6 additions & 4 deletions libraries/navigation/nodes/NodeTableContainer.php
Expand Up @@ -26,9 +26,11 @@ public function __construct()
$this->icon = PMA\libraries\Util::getImage('b_browse.png', __('Tables'));
$this->links = array(
'text' => 'db_structure.php?server=' . $GLOBALS['server']
. '&amp;db=%1$s&amp;tbl_type=table',
. '&amp;db=%1$s&amp;tbl_type=table'
. '&amp;token=' . $_SESSION[' PMA_token '],
'icon' => 'db_structure.php?server=' . $GLOBALS['server']
. '&amp;db=%1$s&amp;tbl_type=table',
. '&amp;db=%1$s&amp;tbl_type=table'
. '&amp;token=' . $_SESSION[' PMA_token '],
);
$this->real_name = 'tables';
$this->classes = 'tableContainer subContainer';
Expand All @@ -42,9 +44,9 @@ public function __construct()
$new->icon = PMA\libraries\Util::getImage('b_table_add.png', $new_label);
$new->links = array(
'text' => 'tbl_create.php?server=' . $GLOBALS['server']
. '&amp;db=%2$s',
. '&amp;db=%2$s&amp;token=' . $_SESSION[' PMA_token '],
'icon' => 'tbl_create.php?server=' . $GLOBALS['server']
. '&amp;db=%2$s',
. '&amp;db=%2$s&amp;token=' . $_SESSION[' PMA_token '],
);
$new->classes = 'new_table italics';
$this->addChild($new);
6 changes: 4 additions & 2 deletions libraries/navigation/nodes/NodeTrigger.php
Expand Up @@ -30,9 +30,11 @@ public function __construct($name, $type = Node::OBJECT, $is_group = false)
$this->icon = PMA\libraries\Util::getImage('b_triggers.png');
$this->links = array(
'text' => 'db_triggers.php?server=' . $GLOBALS['server']
. '&amp;db=%3$s&amp;item_name=%1$s&amp;edit_item=1',
. '&amp;db=%3$s&amp;item_name=%1$s&amp;edit_item=1'
. '&amp;token=' . $_SESSION[' PMA_token '],
'icon' => 'db_triggers.php?server=' . $GLOBALS['server']
. '&amp;db=%3$s&amp;item_name=%1$s&amp;export_item=1',
. '&amp;db=%3$s&amp;item_name=%1$s&amp;export_item=1'
. '&amp;token=' . $_SESSION[' PMA_token '],
);
$this->classes = 'trigger';
}
