
Fix #249 CSRF to CREATE TABLE query

Signed-off-by: Madhura Jayaratne <madhura.cj@gmail.com>
madhuracj authored and mauriciofauth committed Jul 15, 2018
1 parent 5d78142 commit d6e04ca09b205cbc1e00f26da9d1f3690287a4af
Showing with 80 additions and 80 deletions.
  1. +65 −65 libraries/classes/CreateAddField.php
  2. +12 −12 tbl_create.php
  3. +3 −3 test/classes/CreateAddFieldTest.php
@@ -42,12 +42,12 @@ public function __construct(DatabaseInterface $dbi)
*/
private function getIndexedColumns()
{
$fieldCount = count($_REQUEST['field_name']);
$fieldPrimary = json_decode($_REQUEST['primary_indexes'], true);
$fieldIndex = json_decode($_REQUEST['indexes'], true);
$fieldUnique = json_decode($_REQUEST['unique_indexes'], true);
$fieldFullText = json_decode($_REQUEST['fulltext_indexes'], true);
$fieldSpatial = json_decode($_REQUEST['spatial_indexes'], true);
$fieldCount = count($_POST['field_name']);
$fieldPrimary = json_decode($_POST['primary_indexes'], true);
$fieldIndex = json_decode($_POST['indexes'], true);
$fieldUnique = json_decode($_POST['unique_indexes'], true);
$fieldFullText = json_decode($_POST['fulltext_indexes'], true);
$fieldSpatial = json_decode($_POST['spatial_indexes'], true);
return [
$fieldCount,
@@ -78,35 +78,35 @@ private function buildColumnCreationStatement(
$previousField = -1;
for ($i = 0; $i < $fieldCount; ++$i) {
// '0' is also empty for php :-(
if (strlen($_REQUEST['field_name'][$i]) === 0) {
if (strlen($_POST['field_name'][$i]) === 0) {
continue;
}
$definition = $this->getStatementPrefix($isCreateTable) .
Table::generateFieldSpec(
trim($_REQUEST['field_name'][$i]),
$_REQUEST['field_type'][$i],
$_REQUEST['field_length'][$i],
$_REQUEST['field_attribute'][$i],
isset($_REQUEST['field_collation'][$i])
? $_REQUEST['field_collation'][$i]
trim($_POST['field_name'][$i]),
$_POST['field_type'][$i],
$_POST['field_length'][$i],
$_POST['field_attribute'][$i],
isset($_POST['field_collation'][$i])
? $_POST['field_collation'][$i]
: '',
isset($_REQUEST['field_null'][$i])
? $_REQUEST['field_null'][$i]
isset($_POST['field_null'][$i])
? $_POST['field_null'][$i]
: 'NOT NULL',
$_REQUEST['field_default_type'][$i],
$_REQUEST['field_default_value'][$i],
isset($_REQUEST['field_extra'][$i])
? $_REQUEST['field_extra'][$i]
$_POST['field_default_type'][$i],
$_POST['field_default_value'][$i],
isset($_POST['field_extra'][$i])
? $_POST['field_extra'][$i]
: false,
isset($_REQUEST['field_comments'][$i])
? $_REQUEST['field_comments'][$i]
isset($_POST['field_comments'][$i])
? $_POST['field_comments'][$i]
: '',
isset($_REQUEST['field_virtuality'][$i])
? $_REQUEST['field_virtuality'][$i]
isset($_POST['field_virtuality'][$i])
? $_POST['field_virtuality'][$i]
: '',
isset($_REQUEST['field_expression'][$i])
? $_REQUEST['field_expression'][$i]
isset($_POST['field_expression'][$i])
? $_POST['field_expression'][$i]
: ''
);
@@ -139,22 +139,22 @@ private function setColumnCreationStatementSuffix(
return $sqlSuffix;
}
if ((string) $_REQUEST['field_where'] === 'last') {
if ((string) $_POST['field_where'] === 'last') {
return $sqlSuffix;
}
// Only the first field can be added somewhere other than at the end
if ($previousField == -1) {
if ((string) $_REQUEST['field_where'] === 'first') {
if ((string) $_POST['field_where'] === 'first') {
$sqlSuffix .= ' FIRST';
} else {
$sqlSuffix .= ' AFTER '
. Util::backquote($_REQUEST['after_field']);
. Util::backquote($_POST['after_field']);
}
} else {
$sqlSuffix .= ' AFTER '
. Util::backquote(
$_REQUEST['field_name'][$previousField]
$_POST['field_name'][$previousField]
);
}
@@ -192,7 +192,7 @@ private function buildIndexStatements(
$indexFields = [];
foreach ($index['columns'] as $key => $column) {
$indexFields[$key] = Util::backquote(
$_REQUEST['field_name'][$column['col_index']]
$_POST['field_name'][$column['col_index']]
);
if ($column['size']) {
$indexFields[$key] .= '(' . $column['size'] . ')';
@@ -358,30 +358,30 @@ private function getColumnCreationStatements($isCreateTable = true)
public function getPartitionsDefinition()
{
$sqlQuery = "";
if (! empty($_REQUEST['partition_by'])
&& ! empty($_REQUEST['partition_expr'])
&& ! empty($_REQUEST['partition_count'])
&& $_REQUEST['partition_count'] > 1
if (! empty($_POST['partition_by'])
&& ! empty($_POST['partition_expr'])
&& ! empty($_POST['partition_count'])
&& $_POST['partition_count'] > 1
) {
$sqlQuery .= " PARTITION BY " . $_REQUEST['partition_by']
. " (" . $_REQUEST['partition_expr'] . ")"
. " PARTITIONS " . $_REQUEST['partition_count'];
$sqlQuery .= " PARTITION BY " . $_POST['partition_by']
. " (" . $_POST['partition_expr'] . ")"
. " PARTITIONS " . $_POST['partition_count'];
}
if (! empty($_REQUEST['subpartition_by'])
&& ! empty($_REQUEST['subpartition_expr'])
&& ! empty($_REQUEST['subpartition_count'])
&& $_REQUEST['subpartition_count'] > 1
if (! empty($_POST['subpartition_by'])
&& ! empty($_POST['subpartition_expr'])
&& ! empty($_POST['subpartition_count'])
&& $_POST['subpartition_count'] > 1
) {
$sqlQuery .= " SUBPARTITION BY " . $_REQUEST['subpartition_by']
. " (" . $_REQUEST['subpartition_expr'] . ")"
. " SUBPARTITIONS " . $_REQUEST['subpartition_count'];
$sqlQuery .= " SUBPARTITION BY " . $_POST['subpartition_by']
. " (" . $_POST['subpartition_expr'] . ")"
. " SUBPARTITIONS " . $_POST['subpartition_count'];
}
if (! empty($_REQUEST['partitions'])) {
if (! empty($_POST['partitions'])) {
$i = 0;
$partitions = [];
foreach ($_REQUEST['partitions'] as $partition) {
foreach ($_POST['partitions'] as $partition) {
$partitions[] = $this->getPartitionDefinition($partition);
$i++;
}
@@ -471,24 +471,24 @@ public function getTableCreationQuery($db, $table)
. Util::backquote(trim($table)) . ' (' . $sqlStatement . ')';
// Adds table type, character set, comments and partition definition
if (!empty($_REQUEST['tbl_storage_engine'])
&& ($_REQUEST['tbl_storage_engine'] != 'Default')
if (!empty($_POST['tbl_storage_engine'])
&& ($_POST['tbl_storage_engine'] != 'Default')
) {
$sqlQuery .= ' ENGINE = ' . $_REQUEST['tbl_storage_engine'];
$sqlQuery .= ' ENGINE = ' . $_POST['tbl_storage_engine'];
}
if (!empty($_REQUEST['tbl_collation'])) {
$sqlQuery .= Util::getCharsetQueryPart($_REQUEST['tbl_collation']);
if (!empty($_POST['tbl_collation'])) {
$sqlQuery .= Util::getCharsetQueryPart($_POST['tbl_collation']);
}
if (! empty($_REQUEST['connection'])
&& ! empty($_REQUEST['tbl_storage_engine'])
&& $_REQUEST['tbl_storage_engine'] == 'FEDERATED'
if (! empty($_POST['connection'])
&& ! empty($_POST['tbl_storage_engine'])
&& $_POST['tbl_storage_engine'] == 'FEDERATED'
) {
$sqlQuery .= " CONNECTION = '"
. $this->dbi->escapeString($_REQUEST['connection']) . "'";
. $this->dbi->escapeString($_POST['connection']) . "'";
}
if (!empty($_REQUEST['comment'])) {
if (!empty($_POST['comment'])) {
$sqlQuery .= ' COMMENT = \''
. $this->dbi->escapeString($_REQUEST['comment']) . '\'';
. $this->dbi->escapeString($_POST['comment']) . '\'';
}
$sqlQuery .= $this->getPartitionsDefinition();
$sqlQuery .= ';';
@@ -506,14 +506,14 @@ public function getNumberOfFieldsFromRequest()
// Limit to 4096 fields (MySQL maximal value)
$mysqlLimit = 4096;
if (isset($_REQUEST['submit_num_fields'])) { // adding new fields
$numberOfFields = intval($_REQUEST['orig_num_fields']) + intval($_REQUEST['added_fields']);
} elseif (isset($_REQUEST['orig_num_fields'])) { // retaining existing fields
$numberOfFields = intval($_REQUEST['orig_num_fields']);
} elseif (isset($_REQUEST['num_fields'])
&& intval($_REQUEST['num_fields']) > 0
if (isset($_POST['submit_num_fields'])) { // adding new fields
$numberOfFields = intval($_POST['orig_num_fields']) + intval($_POST['added_fields']);
} elseif (isset($_POST['orig_num_fields'])) { // retaining existing fields
$numberOfFields = intval($_POST['orig_num_fields']);
} elseif (isset($_POST['num_fields'])
&& intval($_POST['num_fields']) > 0
) { // new table with specified number of fields
$numberOfFields = intval($_REQUEST['num_fields']);
$numberOfFields = intval($_POST['num_fields']);
} else { // new table with unspecified number of fields
$numberOfFields = 4;
}
@@ -548,7 +548,7 @@ public function tryColumnCreationQuery($db, $table, $errorUrl)
$sqlQuery = 'ALTER TABLE ' .
Util::backquote($table) . ' ' . $sqlStatement . ';';
// If there is a request for SQL previewing.
if (isset($_REQUEST['preview_sql'])) {
if (isset($_POST['preview_sql'])) {
Core::previewSQL($sqlQuery);
}
return [$this->dbi->tryQuery($sqlQuery), $sqlQuery];
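Review bot: In getPartitionsDefinition the new side still concatenates `$_POST['partition_count']` and `$_POST['subpartition_count']` into the statement as raw strings after only a loose `> 1` comparison, so a value such as `2 foo` passes the guard and lands verbatim in the `PARTITIONS` clause; the emitted count should be coerced, e.g. `. " PARTITIONS " . (int) $_POST['partition_count'];` and likewise `. " SUBPARTITIONS " . (int) $_POST['subpartition_count'];`. `partition_by` and `partition_expr` are spliced in the same way without validation; since a phpMyAdmin user can already run arbitrary SQL this is a robustness rather than an injection boundary, but the numeric cast is cheap and removes the odd-input case. Note that replacing `$_REQUEST` with `$_POST` only removes the GET-link vector: it protects against a forged POST only if the request-token check in the shared bootstrap is enforced for this code path, which is outside this diff and should be confirmed.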
@@ -61,33 +61,33 @@
/**
* The form used to define the structure of the table has been submitted
*/
if (isset($_REQUEST['do_save_data'])) {
if (isset($_POST['do_save_data'])) {
$sql_query = $createAddField->getTableCreationQuery($db, $table);
// If there is a request for SQL previewing.
if (isset($_REQUEST['preview_sql'])) {
if (isset($_POST['preview_sql'])) {
Core::previewSQL($sql_query);
}
// Executes the query
$result = $GLOBALS['dbi']->tryQuery($sql_query);
if ($result) {
// Update comment table for mime types [MIME]
if (isset($_REQUEST['field_mimetype'])
&& is_array($_REQUEST['field_mimetype'])
if (isset($_POST['field_mimetype'])
&& is_array($_POST['field_mimetype'])
&& $cfg['BrowseMIME']
) {
foreach ($_REQUEST['field_mimetype'] as $fieldindex => $mimetype) {
if (isset($_REQUEST['field_name'][$fieldindex])
&& strlen($_REQUEST['field_name'][$fieldindex]) > 0
foreach ($_POST['field_mimetype'] as $fieldindex => $mimetype) {
if (isset($_POST['field_name'][$fieldindex])
&& strlen($_POST['field_name'][$fieldindex]) > 0
) {
Transformations::setMIME(
$db, $table,
$_REQUEST['field_name'][$fieldindex], $mimetype,
$_REQUEST['field_transformation'][$fieldindex],
$_REQUEST['field_transformation_options'][$fieldindex],
$_REQUEST['field_input_transformation'][$fieldindex],
$_REQUEST['field_input_transformation_options'][$fieldindex]
$_POST['field_name'][$fieldindex], $mimetype,
$_POST['field_transformation'][$fieldindex],
$_POST['field_transformation_options'][$fieldindex],
$_POST['field_input_transformation'][$fieldindex],
$_POST['field_input_transformation_options'][$fieldindex]
);
}
}
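Review bot: Inside the `field_mimetype` loop the new code indexes `$_POST['field_transformation']`, `$_POST['field_transformation_options']`, `$_POST['field_input_transformation']` and `$_POST['field_input_transformation_options']` by `$fieldindex` without checking the keys exist, while `field_name` on the line above is guarded with `isset`; a submission that omits one of them raises undefined-index notices and passes null into Transformations::setMIME. Guard them the same way, e.g. `$_POST['field_transformation'][$fieldindex] ?? null` (or the `isset(...) ? ... : null` form this codebase uses elsewhere if PHP 5 support is still required), which keeps the current null semantics without the notice. The enclosing `if (isset($_POST['do_save_data']))` body continues past the hunk. Separately, reading the flag from `$_POST` only closes the GET-link CSRF vector; defence against a forged POST still depends on the request-token check in the common bootstrap applying to tbl_create.php, which is not visible here and should be confirmed.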
@@ -44,7 +44,7 @@ protected function setUp()
*/
public function testGetPartitionsDefinition($expected, $request)
{
$_REQUEST = $request;
$_POST = $request;
$actual = $this->createAddField->getPartitionsDefinition();
$this->assertEquals($expected, $actual);
}
@@ -80,7 +80,7 @@ public function providerGetPartitionsDefinition()
*/
public function testGetTableCreationQuery($expected, $db, $table, $request)
{
$_REQUEST = $request;
$_POST = $request;
$actual = $this->createAddField->getTableCreationQuery($db, $table);
$this->assertEquals($expected, $actual);
}
@@ -116,7 +116,7 @@ public function providerGetTableCreationQuery()
*/
public function testGetNumberOfFieldsFromRequest($expected, $request)
{
$_REQUEST = $request;
$_POST = $request;
$actual = $this->createAddField->getNumberOfFieldsFromRequest();
$this->assertEquals($expected, $actual);
}
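Review bot: Each test now does `$_POST = $request;`, which overwrites the superglobal for the remainder of the PHPUnit process, so whatever the last data-provider case left there stays visible to any later test class that reads `$_POST` without setting it first, and can mask a missing-key bug in code under test. Reset it in the fixture, e.g. `protected function tearDown() { $_POST = []; }`, unless `setUp()`/`tearDown()` already do so outside these hunks. The same leak existed with `$_REQUEST` before this change, so this is not introduced here, but the switch is a good moment to fix it.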
