Merge pull request #317 from phpmyadmin/fix/314-transformation-wrapper

Fix #314 - make sure where_clause is not modified
phpmyadmin · Oct 9, 2020 · b47a5d9 · b47a5d9
2 parents deb2dce + 19df63b
commit b47a5d9
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 0 deletions.
diff --git a/libraries/classes/Display/Results.php b/libraries/classes/Display/Results.php
@@ -3001,6 +3001,7 @@ private function _getRowValues(
             $_url_params = array(
                 'db'            => $this->__get('db'),
                 'table'         => $meta->orgtable,
+                'where_clause_sign' => Core::signSqlQuery($whereClauseMap[$row_no][$meta->orgtable]),
                 'where_clause'  => $whereClauseMap[$row_no][$meta->orgtable],
                 'transform_key' => $meta->orgname
             );

diff --git a/libraries/classes/InsertEdit.php b/libraries/classes/InsertEdit.php
@@ -18,6 +18,7 @@
 use PhpMyAdmin\Transformations;
 use PhpMyAdmin\Url;
 use PhpMyAdmin\Util;
+use PhpMyAdmin\Core;
 
 /**
  * PhpMyAdmin\InsertEdit class
@@ -2480,6 +2481,7 @@ public function transformEditedValues(
             $_url_params = array(
                 'db'            => $db,
                 'table'         => $table,
+                'where_clause_sign' => Core::signSqlQuery($_POST['where_clause']),
                 'where_clause'  => $_POST['where_clause'],
                 'transform_key' => $column_name
             );
@@ -3275,6 +3277,7 @@ private function getHtmlForInsertEditFormColumn(
                         'db'            => $db,
                         'table'         => $table,
                         'transform_key' => $column['Field'],
+                        'where_clause_sign' => Core::signSqlQuery($where_clause),
                         'where_clause'  => $where_clause
                     );
                     $transformation_options['wrapper_link']

diff --git a/transformation_wrapper.php b/transformation_wrapper.php
@@ -63,6 +63,12 @@
  */
 $GLOBALS['dbi']->selectDb($db);
 if (isset($where_clause)) {
+
+    if (! Core::checkSqlQuerySignature($where_clause, isset($_GET['where_clause_sign']) ? $_GET['where_clause_sign'] : '')) {
+        /* l10n: In case a SQL query did not pass a security check  */
+        Core::fatalError(__('There is an issue with your request.'));
+        exit;
+    }
     $result = $GLOBALS['dbi']->query(
         'SELECT * FROM ' . PhpMyAdmin\Util::backquote($table)
         . ' WHERE ' . $where_clause . ';',