

Merge pull request #17429 from mauriciofauth/check-parameters-method
Move `Util::checkParameters` method to the `AbstractController`
MauricioFauth committed Mar 8, 2022
2 parents 2161c63 + f940693 commit 5954af9
Showing 49 changed files with 188 additions and 154 deletions.
42 changes: 42 additions & 0 deletions libraries/classes/Controllers/AbstractController.php
Expand Up @@ -5,12 +5,14 @@
namespace PhpMyAdmin\Controllers;

use PhpMyAdmin\Core;
use PhpMyAdmin\Html\MySQLDocumentation;
use PhpMyAdmin\Message;
use PhpMyAdmin\ResponseRenderer;
use PhpMyAdmin\Template;
use PhpMyAdmin\Url;

use function __;
use function basename;
use function defined;
use function strlen;

Expand Down Expand Up @@ -101,4 +103,44 @@ protected function redirect(string $route, array $params = []): void
$uri = './index.php?route=' . $route . Url::getCommonRaw($params, '&');
Core::sendHeaderLocation($uri);
}

/**
* Function added to avoid path disclosures.
* Called by each script that needs parameters, it displays
* an error message and, by default, stops the execution.
*
* @param bool $request Check parameters in request
* @psalm-param non-empty-list<non-empty-string> $params The names of the parameters needed by the calling script
*/
protected function checkParameters(array $params, bool $request = false): void
{
$reportedScriptName = basename($GLOBALS['PMA_PHP_SELF']);
$foundError = false;
$errorMessage = '';
if ($request) {
$array = $_REQUEST;
} else {
$array = $GLOBALS;
}

foreach ($params as $param) {
if (isset($array[$param]) && $array[$param] !== '') {
continue;
}

$errorMessage .= $reportedScriptName
. ': ' . __('Missing parameter:') . ' '
. $param
. MySQLDocumentation::showDocumentation('faq', 'faqmissingparameters', true)
. '[br]';
$foundError = true;
}

if (! $foundError) {
return;
}

$this->response->setHttpResponseCode(400);
Core::fatalError($errorMessage);
}
}
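Review bot: When `$request` is true the presence check behind `$array = $_REQUEST;` accepts whatever PHP merged into `$_REQUEST`, which under the default `variables_order`/`request_order` settings can include cookie values, so a "required request parameter" can be satisfied by a cookie rather than by the query string or body; the docblock should say so, e.g. `@param bool $request Check $_REQUEST (GET/POST and, depending on request_order, cookies) instead of $GLOBALS`. The `non-empty-list` constraint on `$params` lives only in the psalm annotation: an empty array silently passes, which is acceptable as long as callers never build the list dynamically. `basename($GLOBALS['PMA_PHP_SELF'])` assumes the bootstrap has set that global; if it ever is not set, `basename(null)` emits a deprecation on PHP 8.1, so a hedged comment such as `// PMA_PHP_SELF is expected to be set by the bootstrap` would help the next reader. The `use` block of the first hunk and the start of the AbstractController class lie outside this section.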
Expand Up @@ -42,7 +42,7 @@ public function __construct(

public function __invoke(): void
{
Util::checkParameters(['db'], true);
$this->checkParameters(['db'], true);

$relationParameters = $this->relation->getRelationParameters();

Expand Up @@ -140,7 +140,7 @@ public function __invoke(): void
return;
}

Util::checkParameters(['db']);
$this->checkParameters(['db']);

$GLOBALS['errorUrl'] = Util::getScriptNameForOption($GLOBALS['cfg']['DefaultTabDatabase'], 'database');
$GLOBALS['errorUrl'] .= Url::getCommon(['db' => $GLOBALS['db']], '&');
Expand Up @@ -38,7 +38,7 @@ public function __invoke(): void
$this->addScriptFiles(['database/events.js']);

if (! $this->response->isAjax()) {
Util::checkParameters(['db']);
$this->checkParameters(['db']);

$GLOBALS['errorUrl'] = Util::getScriptNameForOption($GLOBALS['cfg']['DefaultTabDatabase'], 'database');
$GLOBALS['errorUrl'] .= Url::getCommon(['db' => $GLOBALS['db']], '&');
Expand Up @@ -50,7 +50,7 @@ public function __invoke(): void
// /database/export, in which case we don't obey $cfg['MaxTableList']
$GLOBALS['sub_part'] = '_export';

Util::checkParameters(['db']);
$this->checkParameters(['db']);

$GLOBALS['errorUrl'] = Util::getScriptNameForOption($GLOBALS['cfg']['DefaultTabDatabase'], 'database');
$GLOBALS['errorUrl'] .= Url::getCommon(['db' => $GLOBALS['db']], '&');
Expand Up @@ -42,7 +42,7 @@ public function __invoke(): void

$this->addScriptFiles(['import.js']);

Util::checkParameters(['db']);
$this->checkParameters(['db']);

$GLOBALS['errorUrl'] = Util::getScriptNameForOption($GLOBALS['cfg']['DefaultTabDatabase'], 'database');
$GLOBALS['errorUrl'] .= Url::getCommon(['db' => $GLOBALS['db']], '&');
Expand Up @@ -47,7 +47,7 @@ public function __invoke(): void
return;
}

Util::checkParameters(['db']);
$this->checkParameters(['db']);

$GLOBALS['errorUrl'] = Util::getScriptNameForOption($GLOBALS['cfg']['DefaultTabDatabase'], 'database');
$GLOBALS['errorUrl'] .= Url::getCommon(['db' => $GLOBALS['db']], '&');
Expand Up @@ -237,7 +237,7 @@ public function __invoke(): void
$this->relation->setDbComment($GLOBALS['db'], $_POST['comment']);
}

Util::checkParameters(['db']);
$this->checkParameters(['db']);

$GLOBALS['errorUrl'] = Util::getScriptNameForOption($GLOBALS['cfg']['DefaultTabDatabase'], 'database');
$GLOBALS['errorUrl'] .= Url::getCommon(['db' => $GLOBALS['db']], '&');
Expand Up @@ -132,7 +132,7 @@ public function __invoke(): void

$GLOBALS['sub_part'] = '_qbe';

Util::checkParameters(['db']);
$this->checkParameters(['db']);

$GLOBALS['errorUrl'] = Util::getScriptNameForOption($GLOBALS['cfg']['DefaultTabDatabase'], 'database');
$GLOBALS['errorUrl'] .= Url::getCommon(['db' => $GLOBALS['db']], '&');
4 changes: 2 additions & 2 deletions libraries/classes/Controllers/Database/RoutinesController.php
Expand Up @@ -52,7 +52,7 @@ public function __invoke(): void
* Displays the header and tabs
*/
if (! empty($GLOBALS['table']) && in_array($GLOBALS['table'], $this->dbi->getTables($GLOBALS['db']))) {
Util::checkParameters(['db', 'table']);
$this->checkParameters(['db', 'table']);

$GLOBALS['urlParams'] = ['db' => $GLOBALS['db'], 'table' => $GLOBALS['table']];
$GLOBALS['errorUrl'] = Util::getScriptNameForOption($GLOBALS['cfg']['DefaultTabTable'], 'table');
Expand All @@ -62,7 +62,7 @@ public function __invoke(): void
} else {
$GLOBALS['table'] = '';

Util::checkParameters(['db']);
$this->checkParameters(['db']);

$GLOBALS['errorUrl'] = Util::getScriptNameForOption($GLOBALS['cfg']['DefaultTabDatabase'], 'database');
$GLOBALS['errorUrl'] .= Url::getCommon(['db' => $GLOBALS['db']], '&');
Expand Up @@ -35,7 +35,7 @@ public function __invoke(): void
'makegrid.js',
]);

Util::checkParameters(['db']);
$this->checkParameters(['db']);

$GLOBALS['errorUrl'] = Util::getScriptNameForOption($GLOBALS['cfg']['DefaultTabDatabase'], 'database');
$GLOBALS['errorUrl'] .= Url::getCommon(['db' => $GLOBALS['db']], '&');
2 changes: 1 addition & 1 deletion libraries/classes/Controllers/Database/SqlController.php
Expand Up @@ -41,7 +41,7 @@ public function __invoke(): void
$this->response->addHTML($pageSettings->getErrorHTML());
$this->response->addHTML($pageSettings->getHTML());

Util::checkParameters(['db']);
$this->checkParameters(['db']);

$GLOBALS['errorUrl'] = Util::getScriptNameForOption($GLOBALS['cfg']['DefaultTabDatabase'], 'database');
$GLOBALS['errorUrl'] .= Url::getCommon(['db' => $GLOBALS['db']], '&');
Expand Up @@ -38,7 +38,7 @@ public function __invoke(): void
'sync_favorite_tables' => $_REQUEST['sync_favorite_tables'] ?? null,
];

Util::checkParameters(['db']);
$this->checkParameters(['db']);

$GLOBALS['errorUrl'] = Util::getScriptNameForOption($GLOBALS['cfg']['DefaultTabDatabase'], 'database');
$GLOBALS['errorUrl'] .= Url::getCommon(['db' => $GLOBALS['db']], '&');
Expand Up @@ -34,7 +34,7 @@ public function __invoke(): void
'table' => $_REQUEST['table'] ?? null,
];

Util::checkParameters(['db']);
$this->checkParameters(['db']);

$GLOBALS['errorUrl'] = Util::getScriptNameForOption($GLOBALS['cfg']['DefaultTabDatabase'], 'database');
$GLOBALS['errorUrl'] .= Url::getCommon(['db' => $GLOBALS['db']], '&');
Expand Up @@ -140,7 +140,7 @@ public function __invoke(): void
'sort_order' => $_REQUEST['sort_order'] ?? null,
];

Util::checkParameters(['db']);
$this->checkParameters(['db']);

$GLOBALS['errorUrl'] = Util::getScriptNameForOption($GLOBALS['cfg']['DefaultTabDatabase'], 'database');
$GLOBALS['errorUrl'] .= Url::getCommon(['db' => $GLOBALS['db']], '&');
Expand Up @@ -47,7 +47,7 @@ public function __invoke(): void
{
$this->addScriptFiles(['vendor/jquery/jquery.tablesorter.js', 'database/tracking.js']);

Util::checkParameters(['db']);
$this->checkParameters(['db']);

$GLOBALS['errorUrl'] = Util::getScriptNameForOption($GLOBALS['cfg']['DefaultTabDatabase'], 'database');
$GLOBALS['errorUrl'] .= Url::getCommon(['db' => $GLOBALS['db']], '&');
4 changes: 2 additions & 2 deletions libraries/classes/Controllers/Database/TriggersController.php
Expand Up @@ -39,7 +39,7 @@ public function __invoke(): void
* Displays the header and tabs
*/
if (! empty($GLOBALS['table']) && in_array($GLOBALS['table'], $this->dbi->getTables($GLOBALS['db']))) {
Util::checkParameters(['db', 'table']);
$this->checkParameters(['db', 'table']);

$GLOBALS['urlParams'] = ['db' => $GLOBALS['db'], 'table' => $GLOBALS['table']];
$GLOBALS['errorUrl'] = Util::getScriptNameForOption($GLOBALS['cfg']['DefaultTabTable'], 'table');
Expand All @@ -49,7 +49,7 @@ public function __invoke(): void
} else {
$GLOBALS['table'] = '';

Util::checkParameters(['db']);
$this->checkParameters(['db']);

$GLOBALS['errorUrl'] = Util::getScriptNameForOption($GLOBALS['cfg']['DefaultTabDatabase'], 'database');
$GLOBALS['errorUrl'] .= Url::getCommon(['db' => $GLOBALS['db']], '&');
2 changes: 1 addition & 1 deletion libraries/classes/Controllers/Export/ExportController.php
Expand Up @@ -212,7 +212,7 @@ public function __invoke(ServerRequest $request): void
$GLOBALS[$param] = $postParams[$param];
}

Util::checkParameters(['what', 'export_type']);
$this->checkParameters(['what', 'export_type']);

// sanitize this parameter which will be used below in a file inclusion
$GLOBALS['what'] = Core::securePath($whatParam);
3 changes: 1 addition & 2 deletions libraries/classes/Controllers/Import/ImportController.php
Expand Up @@ -255,8 +255,7 @@ public function __invoke(): void

Core::setPostAsGlobal($post_patterns);

// Check needed parameters
Util::checkParameters(['import_type', 'format']);
$this->checkParameters(['import_type', 'format']);

// We don't want anything special in format
$GLOBALS['format'] = Core::securePath($GLOBALS['format']);
12 changes: 10 additions & 2 deletions libraries/classes/Controllers/SchemaExportController.php
Expand Up @@ -4,8 +4,11 @@

namespace PhpMyAdmin\Controllers;

use PhpMyAdmin\Core;
use PhpMyAdmin\Export;
use PhpMyAdmin\Util;
use PhpMyAdmin\Html\MySQLDocumentation;

use function __;

/**
* Schema export handler
Expand All @@ -23,7 +26,12 @@ public function __construct(Export $export)
public function __invoke(): void
{
if (! isset($_POST['export_type'])) {
Util::checkParameters(['export_type']);
$errorMessage = __('Missing parameter:') . ' export_type'
. MySQLDocumentation::showDocumentation('faq', 'faqmissingparameters', true)
. '[br]';
Core::fatalError($errorMessage);

return;
}

/**
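Review bot: The inlined check ending in `Core::fatalError($errorMessage);` diverges from the method it replaces: AbstractController::checkParameters in this same commit sets a 400 status via `$this->response->setHttpResponseCode(400)` and prefixes the message with the script name, while this copy does neither, so a missing `export_type` on this route responds with whatever status `fatalError` itself chooses. The duplicated message construction (`__('Missing parameter:')` plus the FAQ link and `[br]`) will drift the next time the wording changes. Presumably this controller does not extend AbstractController — its constructor takes only `Export` — which is why the call could not be rewritten like the others; if so, a comment such as `// Mirrors AbstractController::checkParameters(); keep message format and status in sync` would record that. The `return;` after `Core::fatalError()` is only reachable if fatalError does not terminate the request, which the new method's docblock ("by default, stops the execution") suggests it does. The enclosing __invoke continues past the hunk.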
3 changes: 1 addition & 2 deletions libraries/classes/Controllers/Sql/SqlController.php
Expand Up @@ -124,8 +124,7 @@ public function __invoke(): void
// set $goto to what will be displayed if query returns 0 rows
$GLOBALS['goto'] = '';
} else {
// Now we can check the parameters
Util::checkParameters(['sql_query']);
$this->checkParameters(['sql_query']);
}

/**
5 changes: 3 additions & 2 deletions libraries/classes/Controllers/Table/AddFieldController.php
Expand Up @@ -61,8 +61,7 @@ public function __invoke(): void
{
$this->addScriptFiles(['table/structure.js']);

// Check parameters
Util::checkParameters(['db', 'table']);
$this->checkParameters(['db', 'table']);

$cfg = $this->config->settings;

Expand Down Expand Up @@ -178,6 +177,8 @@ public function __invoke(): void

$this->addScriptFiles(['vendor/jquery/jquery.uitablefilter.js', 'indexes.js']);

$this->checkParameters(['server', 'db', 'table', 'num_fields']);

$templateData = $this->columnsDefinition->displayForm(
'/table/add-field',
$GLOBALS['num_fields'],
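Review bot: The second hunk's `$this->checkParameters(['server', 'db', 'table', 'num_fields']);` is new behaviour rather than a move — nothing in the removed code checked `server` or `num_fields` at this point — and the commit message ("Move Util::checkParameters method") does not mention it; the same addition appears in CreateController in the hunk ending at `displayForm('/table/create', $GLOBALS['num_fields'])`. There the entry check on the first hunk only required `db`, so `table` becomes mandatory only where the columns form is rendered; that looks intended for a submitted form but is worth confirming against the create path. Because `$request` defaults to false these calls read `$GLOBALS`, so they guard the globals populated earlier rather than the raw request; a one-line comment such as `// num_fields is read from $GLOBALS below; fail with 400 rather than an undefined-index notice` would make the placement clear. __invoke in both controllers starts outside the hunk.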
6 changes: 3 additions & 3 deletions libraries/classes/Controllers/Table/ChartController.php
Expand Up @@ -81,7 +81,7 @@ public function __invoke(): void
* Runs common work
*/
if (strlen($GLOBALS['table']) > 0) {
Util::checkParameters(['db', 'table']);
$this->checkParameters(['db', 'table']);

$url_params = ['db' => $GLOBALS['db'], 'table' => $GLOBALS['table']];
$GLOBALS['errorUrl'] = Util::getScriptNameForOption($GLOBALS['cfg']['DefaultTabTable'], 'table');
Expand All @@ -96,7 +96,7 @@ public function __invoke(): void
$url_params['goto'] = Util::getScriptNameForOption($GLOBALS['cfg']['DefaultTabDatabase'], 'database');
$url_params['back'] = Url::getFromRoute('/sql');

Util::checkParameters(['db']);
$this->checkParameters(['db']);

$GLOBALS['errorUrl'] = Util::getScriptNameForOption($GLOBALS['cfg']['DefaultTabDatabase'], 'database');
$GLOBALS['errorUrl'] .= Url::getCommon(['db' => $GLOBALS['db']], '&');
Expand Down Expand Up @@ -168,7 +168,7 @@ public function __invoke(): void
public function ajax(): void
{
if (strlen($GLOBALS['table']) > 0 && strlen($GLOBALS['db']) > 0) {
Util::checkParameters(['db', 'table']);
$this->checkParameters(['db', 'table']);

$GLOBALS['urlParams'] = ['db' => $GLOBALS['db'], 'table' => $GLOBALS['table']];
$GLOBALS['errorUrl'] = Util::getScriptNameForOption($GLOBALS['cfg']['DefaultTabTable'], 'table');
5 changes: 3 additions & 2 deletions libraries/classes/Controllers/Table/CreateController.php
Expand Up @@ -15,7 +15,6 @@
use PhpMyAdmin\Template;
use PhpMyAdmin\Transformations;
use PhpMyAdmin\Url;
use PhpMyAdmin\Util;

use function __;
use function htmlspecialchars;
Expand Down Expand Up @@ -58,7 +57,7 @@ public function __construct(

public function __invoke(): void
{
Util::checkParameters(['db']);
$this->checkParameters(['db']);

$cfg = $this->config->settings;

Expand Down Expand Up @@ -156,6 +155,8 @@ public function __invoke(): void

$this->addScriptFiles(['vendor/jquery/jquery.uitablefilter.js', 'indexes.js']);

$this->checkParameters(['server', 'db', 'table', 'num_fields']);

$templateData = $this->columnsDefinition->displayForm('/table/create', $GLOBALS['num_fields']);

$this->render('columns_definitions/column_definitions_form', $templateData);
Expand Up @@ -26,7 +26,7 @@ public function __invoke(): void
return;
}

Util::checkParameters(['db', 'table']);
$this->checkParameters(['db', 'table']);

$GLOBALS['urlParams'] = ['db' => $GLOBALS['db'], 'table' => $GLOBALS['table']];
$GLOBALS['errorUrl'] = Util::getScriptNameForOption($GLOBALS['cfg']['DefaultTabTable'], 'table');
Expand Up @@ -24,7 +24,7 @@ public function __invoke(): void
return;
}

Util::checkParameters(['db', 'table']);
$this->checkParameters(['db', 'table']);

$GLOBALS['urlParams'] = ['db' => $GLOBALS['db'], 'table' => $GLOBALS['table']];
$GLOBALS['errorUrl'] = Util::getScriptNameForOption($GLOBALS['cfg']['DefaultTabTable'], 'table');
2 changes: 1 addition & 1 deletion libraries/classes/Controllers/Table/ExportController.php
Expand Up @@ -44,7 +44,7 @@ public function __invoke(): void

$this->addScriptFiles(['export.js']);

Util::checkParameters(['db', 'table']);
$this->checkParameters(['db', 'table']);

$GLOBALS['urlParams'] = ['db' => $GLOBALS['db'], 'table' => $GLOBALS['table']];
$GLOBALS['errorUrl'] = Util::getScriptNameForOption($GLOBALS['cfg']['DefaultTabTable'], 'table');
Expand Up @@ -60,7 +60,7 @@ public function __construct(

public function __invoke(): void
{
Util::checkParameters(['db', 'table']);
$this->checkParameters(['db', 'table']);

$GLOBALS['urlParams'] = ['db' => $GLOBALS['db'], 'table' => $GLOBALS['table']];
$GLOBALS['errorUrl'] = Util::getScriptNameForOption($GLOBALS['cfg']['DefaultTabTable'], 'table');
6 changes: 1 addition & 5 deletions libraries/classes/Controllers/Table/GetFieldController.php
Expand Up @@ -40,11 +40,7 @@ public function __invoke(): void
{
$this->response->disable();

/* Check parameters */
Util::checkParameters([
'db',
'table',
]);
$this->checkParameters(['db', 'table']);

/* Select database */
if (! $this->dbi->selectDb($GLOBALS['db'])) {
