bug #4595 [security] Path traversal can lead to leakage of line count

Signed-off-by: Madhura Jayaratne <madhura.cj@gmail.com>
phpmyadmin · Nov 17, 2014 · da44dd4 · da44dd4
1 parent c641ad4
commit da44dd4
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 0 deletions.
diff --git a/ChangeLog b/ChangeLog
@@ -3,6 +3,7 @@ phpMyAdmin - ChangeLog
 
 4.1.14.7 (not yet released)
 - bug #4596 [security] XSS through exception stack
+- bug #4595 [security] Path traversal can lead to leakage of line count
 
 4.1.14.6 (2014-10-21)
 - bug #4562 [security] XSS in debug SQL output

diff --git a/libraries/error_report.lib.php b/libraries/error_report.lib.php
@@ -181,6 +181,20 @@ function PMA_countLines($filename)
 {
     global $LINE_COUNT;
     if (!defined('LINE_COUNTS')) {
+
+        // ensure that the file is inside the phpMyAdmin folder
+        $depath = 1;
+        foreach (explode('/', $filename) as $part) {
+            if ($part == '..') {
+                $depath--;
+            } elseif ($part != '.') {
+                $depath++;
+            }
+            if ($depath < 0) {
+                return 0;
+            }
+        }
+
         $linecount = 0;
         $handle = fopen('./js/' . $filename, 'r');
         while (!feof($handle)) {