
Bring back token validation to GET requests

This is necessary to avoid CSRF on SQL queries. This is really more of a
short-term fix; the proper fix (to be implemented in master) is to stop
accepting SQL queries from GET requests altogether.

This reverts commits:

* dae3390
* ea73fde
* 9043378
* f797a8d
* 9c1cfc8

Signed-off-by: Michal Čihař <michal@cihar.com>
nijel committed Dec 14, 2017
1 parent 7f535fd commit edd929216ade9f7c150a262ba3db44db0fed0e1b
Showing with 177 additions and 103 deletions.
  1. +4 −0 libraries/URL.php
  2. +42 −17 libraries/common.inc.php
  3. +1 −0 libraries/navigation/NavigationTree.php
  4. +4 −2 libraries/navigation/nodes/NodeColumn.php
  5. +8 −4 libraries/navigation/nodes/NodeColumnContainer.php
  6. +2 −2 libraries/navigation/nodes/NodeDatabase.php
  7. +4 −2 libraries/navigation/nodes/NodeDatabaseContainer.php
  8. +4 −2 libraries/navigation/nodes/NodeEvent.php
  9. +6 −4 libraries/navigation/nodes/NodeEventContainer.php
  10. +2 −2 libraries/navigation/nodes/NodeFunction.php
  11. +8 −4 libraries/navigation/nodes/NodeFunctionContainer.php
  12. +4 −2 libraries/navigation/nodes/NodeIndex.php
  13. +8 −4 libraries/navigation/nodes/NodeIndexContainer.php
  14. +2 −2 libraries/navigation/nodes/NodeProcedure.php
  15. +8 −4 libraries/navigation/nodes/NodeProcedureContainer.php
  16. +5 −3 libraries/navigation/nodes/NodeTable.php
  17. +6 −4 libraries/navigation/nodes/NodeTableContainer.php
  18. +4 −2 libraries/navigation/nodes/NodeTrigger.php
  19. +8 −4 libraries/navigation/nodes/NodeTriggerContainer.php
  20. +4 −2 libraries/navigation/nodes/NodeView.php
  21. +6 −4 libraries/navigation/nodes/NodeViewContainer.php
  22. +1 −1 test/classes/AdvisorTest.php
  23. +2 −2 test/classes/DbSearchTest.php
  24. +7 −7 test/classes/DisplayResultsTest.php
  25. +2 −2 test/classes/FooterTest.php
  26. +1 −1 test/classes/ThemeTest.php
  27. +4 −0 test/classes/URLTest.php
  28. +1 −1 test/classes/config/PageSettingsTest.php
  29. +1 −1 test/classes/navigation/NavigationTest.php
  30. +1 −1 test/classes/navigation/NodeDatabaseChildTest.php
  31. +1 −1 test/classes/plugin/auth/AuthenticationConfigTest.php
  32. +1 −1 test/classes/plugin/auth/AuthenticationCookieTest.php
  33. +1 −1 test/libraries/PMA_Form_Processing_test.php
  34. +8 −8 test/libraries/PMA_insert_edit_test.php
  35. +2 −2 test/libraries/PMA_server_privileges_test.php
  36. +1 −1 test/libraries/PMA_user_preferences_test.php
  37. +3 −3 test/libraries/common/PMA_getDbLink_test.php
@@ -223,6 +223,10 @@ public static function getCommonRaw($params = array(), $divider = '?')
$params['collation_connection'] = $GLOBALS['collation_connection'];
}
if (isset($_SESSION[' PMA_token '])) {
$params['token'] = $_SESSION[' PMA_token '];
}
$query = http_build_query($params, null, $separator);
if ($divider != '?' || strlen($query) > 0) {
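Review bot: Appending `$_SESSION[' PMA_token ']` to every URL produced here puts the CSRF token into GET query strings, where it is exposed through browser history, proxy and server access logs, and the Referer header of any outbound link rendered on the page; the commit message calls this a short-term fix, but that exposure should be recorded where it is introduced. I would add a comment above the `isset` check, `// NOTE: token in GET URLs leaks via Referer/logs; interim CSRF fix until SQL via GET is dropped`, so the next maintainer does not read this as the intended design. Sending a `Referrer-Policy: same-origin` (or `no-referrer`) header on phpMyAdmin responses would limit the Referer leak if that is not already done — I cannot see that from this hunk. getCommonRaw() begins and ends outside the hunk.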
@@ -361,31 +361,56 @@
* could access this variables before we reach this point
* f.e. PMA\libraries\Config: fontsize
*
* Check for token mismatch only if the Request method is POST
* GET Requests would never have token and therefore checking
* mis-match does not make sense
*
* @todo variables should be handled by their respective owners (objects)
* f.e. lang, server, collation_connection in PMA\libraries\Config
*/
$token_mismatch = true;
$token_provided = false;
if (PMA_isValid($_REQUEST['token'])) {
$token_provided = true;
$token_mismatch = ! hash_equals($_SESSION[' PMA_token '], $_REQUEST['token']);
}
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
if (PMA_isValid($_POST['token'])) {
$token_provided = true;
$token_mismatch = ! @hash_equals($_SESSION[' PMA_token '], $_POST['token']);
}
if ($token_mismatch) {
/**
* We don't allow any POST operation parameters if the token is mismatched
* or is not provided
if ($token_mismatch) {
/**
* List of parameters which are allowed from unsafe source
*/
$allow_list = array(
/* needed for direct access, see FAQ 1.34
* also, server needed for cookie login screen (multi-server)
*/
$whitelist = array('ajax_request');
PMA\libraries\Sanitize::removeRequestVars($whitelist);
'server', 'db', 'table', 'target', 'lang',
/* Session ID */
'phpMyAdmin',
/* Cookie preferences */
'pma_lang', 'pma_collation_connection',
/* Possible login form */
'pma_servername', 'pma_username', 'pma_password',
'g-recaptcha-response',
/* Needed to send the correct reply */
'ajax_request',
/* Permit to log out even if there is a token mismatch */
'old_usr',
/* Permit redirection with token-mismatch in url.php */
'url',
/* Permit session expiry flag */
'session_expired',
/* JS loading */
'scripts', 'call_done',
/* Navigation panel */
'aPath', 'vPath', 'pos', 'pos2_name', 'pos2_value', 'searchClause', 'searchClause2'
);
/**
* Allow changing themes in test/theme.php
*/
if (defined('PMA_TEST_THEME')) {
$allow_list[] = 'set_theme';
}
/**
* Do actual cleanup
*/
PMA\libraries\Sanitize::removeRequestVars($allow_list);
}
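Review bot: The new `PMA_isValid($_REQUEST['token'])` check takes the token from `$_REQUEST`, whose contents depend on php.ini `request_order`/`variables_order` and may include cookies; sourcing it explicitly from the query string or body, e.g. `$request_token = isset($_POST['token']) ? $_POST['token'] : (isset($_GET['token']) ? $_GET['token'] : null);`, keeps the CSRF check independent of server configuration. The comparison also runs without confirming that `$_SESSION[' PMA_token ']` exists; when it is unset, `hash_equals()` warns and returns false, which the removed POST-only branch masked with `@` and the new line, as rendered here, apparently does not — an explicit `isset($_SESSION[' PMA_token ']) &&` in the condition is cleaner than suppression and still fails closed. `$token_provided` is assigned in this hunk but not read within it; if nothing below uses it, it can go. The doc comment this hunk cuts into begins above the first visible line.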
@@ -1264,6 +1264,7 @@ public function renderDbSelect()
);
$children = $this->_tree->children;
$url_params = array(
'token' => $_SESSION[' PMA_token '],
'server' => $GLOBALS['server'],
);
$retval .= '<div id="pma_navigation_db_select">';
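Review bot: The explicit `'token' => $_SESSION[' PMA_token ']` entry in `$url_params` is either redundant or load-bearing depending on how the array is consumed, and the hunk does not show which: if it goes through `URL::getCommon`/`getCommonRaw`, that helper now injects the session token itself (see the libraries/URL.php change in this commit), so the entry is duplicated; if it is fed to a raw `http_build_query` or hidden-field builder, it is required. Either way a one-line comment on the new line, `// token must be present here: this array is not routed through URL::getCommon` (or the opposite), would stop the next person from removing or re-adding it. Like the node constructors, the read is unguarded by `isset()`, unlike the URL.php helper. renderDbSelect() continues past the hunk.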
@@ -31,10 +31,12 @@ public function __construct($name, $type = Node::OBJECT, $is_group = false)
$this->links = array(
'text' => 'tbl_structure.php?server=' . $GLOBALS['server']
. '&amp;db=%3$s&amp;table=%2$s&amp;field=%1$s'
. '&amp;change_column=1',
. '&amp;change_column=1'
. '&amp;token=' . $_SESSION[' PMA_token '],
'icon' => 'tbl_structure.php?server=' . $GLOBALS['server']
. '&amp;db=%3$s&amp;table=%2$s&amp;field=%1$s'
. '&amp;change_column=1',
. '&amp;change_column=1'
. '&amp;token=' . $_SESSION[' PMA_token '],
'title' => __('Structure'),
);
}
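Review bot: The token is spliced raw into link templates that carry sprintf-style `%1$s`/`%2$s` placeholders, with neither `urlencode()` nor `htmlspecialchars()` applied, so the code silently depends on the session token never containing `%`, `&` or a quote; it is presumably a hex string today and therefore safe, but nothing here enforces that, and a `%` would be consumed as a format directive wherever these templates are expanded. I would at least document the assumption on the first `'&amp;token=' . $_SESSION[' PMA_token ']` line, `// token is assumed hex: it is concatenated unescaped into a sprintf/href template`, or better build it once as `$token_suffix = '&amp;token=' . htmlspecialchars(str_replace('%', '%%', $_SESSION[' PMA_token ']));` and append that to both links. The same hand-duplicated concatenation appears in every other navigation node touched by this commit, which argues for a single helper on the Node base class rather than twenty copies. The constructor continues outside the hunk.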
@@ -27,9 +27,11 @@ public function __construct()
$this->icon = Util::getImage('pause.png', __('Columns'));
$this->links = array(
'text' => 'tbl_structure.php?server=' . $GLOBALS['server']
. '&amp;db=%2$s&amp;table=%1$s',
. '&amp;db=%2$s&amp;table=%1$s'
. '&amp;token=' . $_SESSION[' PMA_token '],
'icon' => 'tbl_structure.php?server=' . $GLOBALS['server']
. '&amp;db=%2$s&amp;table=%1$s',
. '&amp;db=%2$s&amp;table=%1$s'
. '&amp;token=' . $_SESSION[' PMA_token '],
);
$this->real_name = 'columns';
@@ -43,10 +45,12 @@ public function __construct()
$new->links = array(
'text' => 'tbl_addfield.php?server=' . $GLOBALS['server']
. '&amp;db=%3$s&amp;table=%2$s'
. '&amp;field_where=last&after_field=',
. '&amp;field_where=last&after_field='
. '&amp;token=' . $_SESSION[' PMA_token '],
'icon' => 'tbl_addfield.php?server=' . $GLOBALS['server']
. '&amp;db=%3$s&amp;table=%2$s'
. '&amp;field_where=last&after_field=',
. '&amp;field_where=last&after_field='
. '&amp;token=' . $_SESSION[' PMA_token '],
);
$new->classes = 'new_column italics';
$this->addChild($new);
@@ -47,9 +47,9 @@ public function __construct($name, $type = Node::OBJECT, $is_group = false)
$this->links = array(
'text' => $script_name
. '?server=' . $GLOBALS['server']
. '&amp;db=%1$s',
. '&amp;db=%1$s&amp;token=' . $_SESSION[' PMA_token '],
'icon' => 'db_operations.php?server=' . $GLOBALS['server']
. '&amp;db=%1$s&amp;',
. '&amp;db=%1$s&amp;token=' . $_SESSION[' PMA_token '],
'title' => __('Structure'),
);
$this->classes = 'database';
@@ -38,8 +38,10 @@ public function __construct($name)
$new->isNew = true;
$new->icon = PMA\libraries\Util::getImage('b_newdb.png', '');
$new->links = array(
'text' => 'server_databases.php?server=' . $GLOBALS['server'],
'icon' => 'server_databases.php?server=' . $GLOBALS['server'],
'text' => 'server_databases.php?server=' . $GLOBALS['server']
. '&amp;token=' . $_SESSION[' PMA_token '],
'icon' => 'server_databases.php?server=' . $GLOBALS['server']
. '&amp;token=' . $_SESSION[' PMA_token '],
);
$new->classes = 'new_database italics';
$this->addChild($new);
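Review bot: `$_SESSION[' PMA_token ']` is read here without an `isset()` guard, unlike the matching change in libraries/URL.php which checks for the key first; if a navigation node is ever constructed before the token exists (or with sessions unavailable) this emits a PHP notice and yields an empty `token=`, which the common.inc.php check then treats as a mismatch — a safe but noisy failure. I cannot tell from this hunk whether such an ordering is reachable. Reading it once into a local, `$token = isset($_SESSION[' PMA_token ']) ? $_SESSION[' PMA_token '] : '';`, and using `$token` in both links removes the duplicate lookup and the notice in one step.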
@@ -30,9 +30,11 @@ public function __construct($name, $type = Node::OBJECT, $is_group = false)
$this->icon = PMA\libraries\Util::getImage('b_events.png');
$this->links = array(
'text' => 'db_events.php?server=' . $GLOBALS['server']
. '&amp;db=%2$s&amp;item_name=%1$s&amp;edit_item=1',
. '&amp;db=%2$s&amp;item_name=%1$s&amp;edit_item=1'
. '&amp;token=' . $_SESSION[' PMA_token '],
'icon' => 'db_events.php?server=' . $GLOBALS['server']
. '&amp;db=%2$s&amp;item_name=%1$s&amp;export_item=1',
. '&amp;db=%2$s&amp;item_name=%1$s&amp;export_item=1'
. '&amp;token=' . $_SESSION[' PMA_token '],
);
$this->classes = 'event';
}
@@ -26,9 +26,9 @@ public function __construct()
$this->icon = PMA\libraries\Util::getImage('b_events.png', '');
$this->links = array(
'text' => 'db_events.php?server=' . $GLOBALS['server']
. '&amp;db=%1$s',
. '&amp;db=%1$s&amp;token=' . $_SESSION[' PMA_token '],
'icon' => 'db_events.php?server=' . $GLOBALS['server']
. '&amp;db=%1$s',
. '&amp;db=%1$s&amp;token=' . $_SESSION[' PMA_token '],
);
$this->real_name = 'events';
@@ -40,9 +40,11 @@ public function __construct()
$new->icon = PMA\libraries\Util::getImage('b_event_add.png', '');
$new->links = array(
'text' => 'db_events.php?server=' . $GLOBALS['server']
. '&amp;db=%2$s&add_item=1',
. '&amp;db=%2$s&amp;token=' . $_SESSION[' PMA_token ']
. '&add_item=1',
'icon' => 'db_events.php?server=' . $GLOBALS['server']
. '&amp;db=%2$s&add_item=1',
. '&amp;db=%2$s&amp;token=' . $_SESSION[' PMA_token ']
. '&add_item=1',
);
$new->classes = 'new_event italics';
$this->addChild($new);
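Review bot: The rebuilt `new` links place the token in the middle of the query string and keep `'&add_item=1'` with a raw `&` on the new side, whereas every other node in this commit appends `&amp;token=` as the last, entity-escaped parameter; inside an HTML attribute the bare `&` is technically malformed and the differing order makes the many near-identical edits harder to audit. Suggest `. '&amp;db=%2$s&amp;add_item=1'` followed by `. '&amp;token=' . $_SESSION[' PMA_token '],` for both `text` and `icon`. NodeFunctionContainer and NodeProcedureContainer use the same `&add_item=1` form, and NodeColumnContainer has `&after_field=`; all four would benefit from the same normalization.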
@@ -31,10 +31,10 @@ public function __construct($name, $type = Node::OBJECT, $is_group = false)
$this->links = array(
'text' => 'db_routines.php?server=' . $GLOBALS['server']
. '&amp;db=%2$s&amp;item_name=%1$s&amp;item_type=FUNCTION'
. '&amp;edit_item=1',
. '&amp;edit_item=1&amp;token=' . $_SESSION[' PMA_token '],
'icon' => 'db_routines.php?server=' . $GLOBALS['server']
. '&amp;db=%2$s&amp;item_name=%1$s&amp;item_type=FUNCTION'
. '&amp;execute_dialog=1',
. '&amp;execute_dialog=1&amp;token=' . $_SESSION[' PMA_token '],
);
$this->classes = 'function';
}
@@ -29,9 +29,11 @@ public function __construct()
);
$this->links = array(
'text' => 'db_routines.php?server=' . $GLOBALS['server']
. '&amp;db=%1$s&amp;type=FUNCTION',
. '&amp;db=%1$s&amp;token=' . $_SESSION[' PMA_token ']
. '&amp;type=FUNCTION',
'icon' => 'db_routines.php?server=' . $GLOBALS['server']
. '&amp;db=%1$s&amp;type=FUNCTION',
. '&amp;db=%1$s&amp;token=' . $_SESSION[' PMA_token ']
. '&amp;type=FUNCTION',
);
$this->real_name = 'functions';
@@ -44,9 +46,11 @@ public function __construct()
$new->icon = PMA\libraries\Util::getImage('b_routine_add.png', $new_label);
$new->links = array(
'text' => 'db_routines.php?server=' . $GLOBALS['server']
. '&amp;db=%2$s&add_item=1&amp;item_type=FUNCTION',
. '&amp;db=%2$s&amp;token=' . $_SESSION[' PMA_token ']
. '&add_item=1&amp;item_type=FUNCTION',
'icon' => 'db_routines.php?server=' . $GLOBALS['server']
. '&amp;db=%2$s&add_item=1&amp;item_type=FUNCTION',
. '&amp;db=%2$s&amp;token=' . $_SESSION[' PMA_token ']
. '&add_item=1&amp;item_type=FUNCTION',
);
$new->classes = 'new_function italics';
$this->addChild($new);
@@ -30,9 +30,11 @@ public function __construct($name, $type = Node::OBJECT, $is_group = false)
$this->icon = PMA\libraries\Util::getImage('b_index.png', __('Index'));
$this->links = array(
'text' => 'tbl_indexes.php?server=' . $GLOBALS['server']
. '&amp;db=%3$s&amp;table=%2$s&amp;index=%1$s',
. '&amp;db=%3$s&amp;table=%2$s&amp;index=%1$s'
. '&amp;token=' . $_SESSION[' PMA_token '],
'icon' => 'tbl_indexes.php?server=' . $GLOBALS['server']
. '&amp;db=%3$s&amp;table=%2$s&amp;index=%1$s',
. '&amp;db=%3$s&amp;table=%2$s&amp;index=%1$s'
. '&amp;token=' . $_SESSION[' PMA_token '],
);
$this->classes = 'index';
}
@@ -26,9 +26,11 @@ public function __construct()
$this->icon = PMA\libraries\Util::getImage('b_index.png', __('Indexes'));
$this->links = array(
'text' => 'tbl_structure.php?server=' . $GLOBALS['server']
. '&amp;db=%2$s&amp;table=%1$s',
. '&amp;db=%2$s&amp;table=%1$s'
. '&amp;token=' . $_SESSION[' PMA_token '],
'icon' => 'tbl_structure.php?server=' . $GLOBALS['server']
. '&amp;db=%2$s&amp;table=%1$s',
. '&amp;db=%2$s&amp;table=%1$s'
. '&amp;token=' . $_SESSION[' PMA_token '],
);
$this->real_name = 'indexes';
@@ -42,10 +44,12 @@ public function __construct()
$new->links = array(
'text' => 'tbl_indexes.php?server=' . $GLOBALS['server']
. '&amp;create_index=1&amp;added_fields=2'
. '&amp;db=%3$s&amp;table=%2$s',
. '&amp;db=%3$s&amp;table=%2$s&amp;token='
. $_SESSION[' PMA_token '],
'icon' => 'tbl_indexes.php?server=' . $GLOBALS['server']
. '&amp;create_index=1&amp;added_fields=2'
. '&amp;db=%3$s&amp;table=%2$s',
. '&amp;db=%3$s&amp;table=%2$s&amp;token='
. $_SESSION[' PMA_token '],
);
$new->classes = 'new_index italics';
$this->addChild($new);
@@ -34,10 +34,10 @@ public function __construct($name, $type = Node::OBJECT, $is_group = false)
$this->links = array(
'text' => 'db_routines.php?server=' . $GLOBALS['server']
. '&amp;db=%2$s&amp;item_name=%1$s&amp;item_type=PROCEDURE'
. '&amp;edit_item=1',
. '&amp;edit_item=1&amp;token=' . $_SESSION[' PMA_token '],
'icon' => 'db_routines.php?server=' . $GLOBALS['server']
. '&amp;db=%2$s&amp;item_name=%1$s&amp;item_type=PROCEDURE'
. '&amp;execute_dialog=1',
. '&amp;execute_dialog=1&amp;token=' . $_SESSION[' PMA_token '],
);
$this->classes = 'procedure';
}
@@ -29,9 +29,11 @@ public function __construct()
);
$this->links = array(
'text' => 'db_routines.php?server=' . $GLOBALS['server']
. '&amp;db=%1$s&amp;type=PROCEDURE',
. '&amp;db=%1$s&amp;token=' . $_SESSION[' PMA_token ']
. '&amp;type=PROCEDURE',
'icon' => 'db_routines.php?server=' . $GLOBALS['server']
. '&amp;db=%1$s&amp;type=PROCEDURE',
. '&amp;db=%1$s&amp;token=' . $_SESSION[' PMA_token ']
. '&amp;type=PROCEDURE',
);
$this->real_name = 'procedures';
@@ -44,9 +46,11 @@ public function __construct()
$new->icon = PMA\libraries\Util::getImage('b_routine_add.png', $new_label);
$new->links = array(
'text' => 'db_routines.php?server=' . $GLOBALS['server']
. '&amp;db=%2$s&add_item=1',
. '&amp;db=%2$s&amp;token=' . $_SESSION[' PMA_token ']
. '&add_item=1',
'icon' => 'db_routines.php?server=' . $GLOBALS['server']
. '&amp;db=%2$s&add_item=1',
. '&amp;db=%2$s&amp;token=' . $_SESSION[' PMA_token ']
. '&add_item=1',
);
$new->classes = 'new_procedure italics';
$this->addChild($new);
@@ -53,20 +53,22 @@ public function __construct($name, $type = Node::OBJECT, $is_group = false)
'text' => $script_name
. '?server=' . $GLOBALS['server']
. '&amp;db=%2$s&amp;table=%1$s'
. '&amp;pos=0',
. '&amp;pos=0&amp;token=' . $_SESSION[' PMA_token '],
'icon' => array(
Util::getScriptNameForOption(
$GLOBALS['cfg']['NavigationTreeDefaultTabTable'],
'table'
)
. '?server=' . $GLOBALS['server']
. '&amp;db=%2$s&amp;table=%1$s',
. '&amp;db=%2$s&amp;table=%1$s&amp;token='
. $_SESSION[' PMA_token '],
Util::getScriptNameForOption(
$GLOBALS['cfg']['NavigationTreeDefaultTabTable2'],
'table'
)
. '?server=' . $GLOBALS['server']
. '&amp;db=%2$s&amp;table=%1$s',
. '&amp;db=%2$s&amp;table=%1$s&amp;token='
. $_SESSION[' PMA_token '],
),
'title' => $this->title,
);
@@ -26,9 +26,11 @@ public function __construct()
$this->icon = PMA\libraries\Util::getImage('b_browse.png', __('Tables'));
$this->links = array(
'text' => 'db_structure.php?server=' . $GLOBALS['server']
. '&amp;db=%1$s&amp;tbl_type=table',
. '&amp;db=%1$s&amp;tbl_type=table'
. '&amp;token=' . $_SESSION[' PMA_token '],
'icon' => 'db_structure.php?server=' . $GLOBALS['server']
. '&amp;db=%1$s&amp;tbl_type=table',
. '&amp;db=%1$s&amp;tbl_type=table'
. '&amp;token=' . $_SESSION[' PMA_token '],
);
$this->real_name = 'tables';
$this->classes = 'tableContainer subContainer';
@@ -42,9 +44,9 @@ public function __construct()
$new->icon = PMA\libraries\Util::getImage('b_table_add.png', $new_label);
$new->links = array(
'text' => 'tbl_create.php?server=' . $GLOBALS['server']
. '&amp;db=%2$s',
. '&amp;db=%2$s&amp;token=' . $_SESSION[' PMA_token '],
'icon' => 'tbl_create.php?server=' . $GLOBALS['server']
. '&amp;db=%2$s',
. '&amp;db=%2$s&amp;token=' . $_SESSION[' PMA_token '],
);
$new->classes = 'new_table italics';
$this->addChild($new);
@@ -30,9 +30,11 @@ public function __construct($name, $type = Node::OBJECT, $is_group = false)
$this->icon = PMA\libraries\Util::getImage('b_triggers.png');
$this->links = array(
'text' => 'db_triggers.php?server=' . $GLOBALS['server']
. '&amp;db=%3$s&amp;item_name=%1$s&amp;edit_item=1',
. '&amp;db=%3$s&amp;item_name=%1$s&amp;edit_item=1'
. '&amp;token=' . $_SESSION[' PMA_token '],
'icon' => 'db_triggers.php?server=' . $GLOBALS['server']
. '&amp;db=%3$s&amp;item_name=%1$s&amp;export_item=1',
. '&amp;db=%3$s&amp;item_name=%1$s&amp;export_item=1'
. '&amp;token=' . $_SESSION[' PMA_token '],
);
$this->classes = 'trigger';
}