
Validate input of validator

We cannot trust the input here, so we must expect anything and deal with
missing parameters or invalid values.

Signed-off-by: Michal Čihař <michal@cihar.com>
nijel committed Jun 17, 2016
1 parent 96e0aa3 commit cd229d718e8cb4bc8ba32446beaa82d27727b6f0
Showing with 38 additions and 23 deletions.
  1. +38 −23 libraries/config/Validator.php
@@ -8,6 +8,7 @@
namespace PMA\libraries\config;
use PMA\libraries\DatabaseInterface;
use PMA\libraries\Util;
/**
* Validation class for various validation functions
@@ -280,6 +281,11 @@ public static function validateServer($path, $values)
'Servers/1/SignonURL' => ''
);
$error = false;
if (empty($values['Servers/1/auth_type'])) {
$values['Servers/1/auth_type'] = '';
$result['Servers/1/auth_type'] = __('Invalid authentication type!');
$error = true;
}
if ($values['Servers/1/auth_type'] == 'config'
&& empty($values['Servers/1/user'])
) {
@@ -308,14 +314,14 @@ public static function validateServer($path, $values)
}
if (! $error && $values['Servers/1/auth_type'] == 'config') {
$password = $values['Servers/1/nopassword'] ? null
: $values['Servers/1/password'];
$password = !empty($values['Servers/1/nopassword']) && $values['Servers/1/nopassword'] ? null
: (empty($values['Servers/1/password']) ? '' : $values['Servers/1/password']);
$test = static::testDBConnection(
$values['Servers/1/connect_type'],
$values['Servers/1/host'],
$values['Servers/1/port'],
$values['Servers/1/socket'],
$values['Servers/1/user'],
empty($values['Servers/1/connect_type']) ? '' : $values['Servers/1/connect_type'],
empty($values['Servers/1/host']) ? '' : $values['Servers/1/host'],
empty($values['Servers/1/port']) ? '' : $values['Servers/1/port'],
empty($values['Servers/1/socket']) ? '' : $values['Servers/1/socket'],
empty($values['Servers/1/user']) ? '' : $values['Servers/1/user'],
$password,
'Server'
);
@@ -345,19 +351,19 @@ public static function validatePMAStorage($path, $values)
);
$error = false;
if ($values['Servers/1/pmadb'] == '') {
if (empty($values['Servers/1/pmadb'])) {
return $result;
}
$result = array();
if ($values['Servers/1/controluser'] == '') {
if (empty($values['Servers/1/controluser'])) {
$result['Servers/1/controluser'] = __(
'Empty phpMyAdmin control user while using phpMyAdmin configuration '
. 'storage!'
);
$error = true;
}
if ($values['Servers/1/controlpass'] == '') {
if (empty($values['Servers/1/controlpass'])) {
$result['Servers/1/controlpass'] = __(
'Empty phpMyAdmin control user password while using phpMyAdmin '
. 'configuration storage!'
@@ -366,10 +372,13 @@ public static function validatePMAStorage($path, $values)
}
if (! $error) {
$test = static::testDBConnection(
$values['Servers/1/connect_type'],
$values['Servers/1/host'], $values['Servers/1/port'],
$values['Servers/1/socket'], $values['Servers/1/controluser'],
$values['Servers/1/controlpass'], 'Server_pmadb'
empty($values['Servers/1/connect_type']) ? '' : $values['Servers/1/connect_type'],
empty($values['Servers/1/host']) ? '' : $values['Servers/1/host'],
empty($values['Servers/1/port']) ? '' : $values['Servers/1/port'],
empty($values['Servers/1/socket']) ? '' : $values['Servers/1/socket'],
empty($values['Servers/1/controluser']) ? '' : $values['Servers/1/controluser'],
empty($values['Servers/1/controlpass']) ? '' : $values['Servers/1/controlpass'],
'Server_pmadb'
);
if ($test !== true) {
$result = array_merge($result, $test);
@@ -391,7 +400,7 @@ public static function validateRegex($path, $values)
{
$result = array($path => '');
if ($values[$path] == '') {
if (empty($values[$path])) {
return $result;
}
@@ -400,7 +409,7 @@ public static function validateRegex($path, $values)
$matches = array();
// in libraries/ListDatabase.php _checkHideDatabase(),
// a '/' is used as the delimiter for hide_db
preg_match('/' . $values[$path] . '/', '', $matches);
preg_match('/' . Util::requestString($values[$path]) . '/', '', $matches);
static::testPHPErrorMsg(false);
@@ -428,10 +437,11 @@ public static function validateTrustedProxies($path, $values)
return $result;
}
if (is_array($values[$path])) {
if (is_array($values[$path]) || is_object($values[$path])) {
// value already processed by FormDisplay::save
$lines = array();
foreach ($values[$path] as $ip => $v) {
$v = Util::requestString($v);
$lines[] = preg_match('/^-\d+$/', $ip)
? $v
: $ip . ': ' . $v;
@@ -483,14 +493,16 @@ public static function validateNumber(
$max_value,
$error_string
) {
if ($values[$path] === '') {
if (empty($values[$path])) {
return '';
}
if (intval($values[$path]) != $values[$path]
|| (! $allow_neg && $values[$path] < 0)
|| (! $allow_zero && $values[$path] == 0)
|| $values[$path] > $max_value
$value = Util::requestString($values[$path]);
if (intval($value) != $value
|| (! $allow_neg && $value < 0)
|| (! $allow_zero && $value == 0)
|| $value > $max_value
) {
return $error_string;
}
@@ -576,7 +588,10 @@ public static function validateNonNegativeNumber($path, $values)
*/
public static function validateByRegex($path, $values, $regex)
{
$result = preg_match($regex, $values[$path]);
if (!isset($values[$path])) {
return '';
}
$result = preg_match($regex, Util::requestString($values[$path]));
return array($path => ($result ? '' : __('Incorrect value!')));
}
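Review bot: In validateNumber the new guard `if (empty($values[$path]))` returns '' (i.e. valid) for the string '0', because PHP's empty() treats '0' as empty, so a submitted zero now skips the `! $allow_zero && $value == 0` test a few lines below instead of returning $error_string as the old `=== ''` check did. A guard limited to absent or blank input keeps the previous semantics: `if (! isset($values[$path]) || $values[$path] === '') {` followed by `return '';`. The same empty() idiom collapses a literal password of '0' to '' in validateServer (the `$password = ...` line) and reports it as an empty control password in validatePMAStorage (`if (empty($values['Servers/1/controlpass']))`); an isset()-then-`=== ''` test, or `isset($values[...]) ? $values[...] : ''`, would be safer at those three places, while the `!empty($x) && $x` form on the nopassword line is redundant since !empty() already implies truthiness. validateNumber's signature begins before its hunk and each of these functions continues past the hunk shown.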
