Bring back token validation to GET requests
This is necessary to avoid CSRF on SQL queries. This is really more of a
short-term fix; the proper fix (to be implemented in master) is to stop
accepting SQL queries from GET requests.

This reverts commits:

* dae3390
* ea73fde
* 9043378
* f797a8d
* 9c1cfc8

Signed-off-by: Michal Čihař <michal@cihar.com>
nijel committed Dec 14, 2017
1 parent 7f535fd commit edd9292
Showing 37 changed files with 177 additions and 103 deletions.
4 changes: 4 additions & 0 deletions libraries/URL.php
Expand Up @@ -223,6 +223,10 @@ public static function getCommonRaw($params = array(), $divider = '?')
$params['collation_connection'] = $GLOBALS['collation_connection'];
}

if (isset($_SESSION[' PMA_token '])) {
$params['token'] = $_SESSION[' PMA_token '];
}

$query = http_build_query($params, null, $separator);

if ($divider != '?' || strlen($query) > 0) {
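Review bot: The token is now appended to every URL that getCommonRaw builds, including plain navigation GETs, so it will show up in browser history, Referer headers and web-server access logs; the commit message calls this a short-term fix, but nothing in the code records that intent. A comment on the new block would stop a later cleanup from dropping it again without first restoring a POST-only check, e.g. `// CSRF token is also required on GET requests (commit edd9292); keep until SQL is no longer accepted via GET`. getCommonRaw starts before this hunk, so how `$separator` is chosen is not visible here.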
59 changes: 42 additions & 17 deletions libraries/common.inc.php
Expand Up @@ -361,31 +361,56 @@
* could access this variables before we reach this point
* f.e. PMA\libraries\Config: fontsize
*
* Check for token mismatch only if the Request method is POST
* GET Requests would never have token and therefore checking
* mis-match does not make sense
*
* @todo variables should be handled by their respective owners (objects)
* f.e. lang, server, collation_connection in PMA\libraries\Config
*/

$token_mismatch = true;
$token_provided = false;
if (PMA_isValid($_REQUEST['token'])) {
$token_provided = true;
$token_mismatch = ! hash_equals($_SESSION[' PMA_token '], $_REQUEST['token']);
}

if ($_SERVER['REQUEST_METHOD'] == 'POST') {
if (PMA_isValid($_POST['token'])) {
$token_provided = true;
$token_mismatch = ! @hash_equals($_SESSION[' PMA_token '], $_POST['token']);
}

if ($token_mismatch) {
/**
* We don't allow any POST operation parameters if the token is mismatched
* or is not provided
if ($token_mismatch) {
/**
* List of parameters which are allowed from unsafe source
*/
$allow_list = array(
/* needed for direct access, see FAQ 1.34
* also, server needed for cookie login screen (multi-server)
*/
$whitelist = array('ajax_request');
PMA\libraries\Sanitize::removeRequestVars($whitelist);
'server', 'db', 'table', 'target', 'lang',
/* Session ID */
'phpMyAdmin',
/* Cookie preferences */
'pma_lang', 'pma_collation_connection',
/* Possible login form */
'pma_servername', 'pma_username', 'pma_password',
'g-recaptcha-response',
/* Needed to send the correct reply */
'ajax_request',
/* Permit to log out even if there is a token mismatch */
'old_usr',
/* Permit redirection with token-mismatch in url.php */
'url',
/* Permit session expiry flag */
'session_expired',
/* JS loading */
'scripts', 'call_done',
/* Navigation panel */
'aPath', 'vPath', 'pos', 'pos2_name', 'pos2_value', 'searchClause', 'searchClause2'
);
/**
* Allow changing themes in test/theme.php
*/
if (defined('PMA_TEST_THEME')) {
$allow_list[] = 'set_theme';
}
/**
* Do actual cleanup
*/
PMA\libraries\Sanitize::removeRequestVars($allow_list);

}


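Review bot: The new comparison `$token_mismatch = ! hash_equals($_SESSION[' PMA_token '], $_REQUEST['token']);` reads the session token unguarded, whereas the removed POST-only variant used `@hash_equals(...)`; if the session has no token yet (where it is set is outside this hunk), hash_equals emits a warning on PHP 7 and would throw a TypeError on PHP 8, so an explicit guard is cleaner: `$token_mismatch = ! isset($_SESSION[' PMA_token ']) || ! hash_equals($_SESSION[' PMA_token '], $_REQUEST['token']);`. Separately, what `$_REQUEST` contains depends on the `request_order`/`variables_order` ini settings; if cookies are included, a `token` cookie would satisfy this check, so reading `$_GET['token']`/`$_POST['token']` explicitly would make the accepted sources independent of server configuration. If the doc-comment lines stating that the check is done "only if the Request method is POST" survive on the new side, they no longer describe the code and should be reworded. `$token_provided` is set here but its consumer, and the rest of this file, lie outside the hunk.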
1 change: 1 addition & 0 deletions libraries/navigation/NavigationTree.php
Expand Up @@ -1264,6 +1264,7 @@ public function renderDbSelect()
);
$children = $this->_tree->children;
$url_params = array(
'token' => $_SESSION[' PMA_token '],
'server' => $GLOBALS['server'],
);
$retval .= '<div id="pma_navigation_db_select">';
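Review bot: If `$url_params` is later passed to URL::getCommon, the explicit `'token'` entry duplicates what libraries/URL.php in this same commit now adds inside getCommonRaw; the key is the same, so the output does not change, but it is one more place to revisit when the GET-side check is removed again. A short comment would make that relationship visible, e.g. `// token is also appended by URL::getCommonRaw; kept explicit for callers that build the query themselves`. The remainder of renderDbSelect, including where `$url_params` is consumed, is outside the hunk, so this is an inference from the two hunks.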
6 changes: 4 additions & 2 deletions libraries/navigation/nodes/NodeColumn.php
Expand Up @@ -31,10 +31,12 @@ public function __construct($name, $type = Node::OBJECT, $is_group = false)
$this->links = array(
'text' => 'tbl_structure.php?server=' . $GLOBALS['server']
. '&amp;db=%3$s&amp;table=%2$s&amp;field=%1$s'
. '&amp;change_column=1',
. '&amp;change_column=1'
. '&amp;token=' . $_SESSION[' PMA_token '],
'icon' => 'tbl_structure.php?server=' . $GLOBALS['server']
. '&amp;db=%3$s&amp;table=%2$s&amp;field=%1$s'
. '&amp;change_column=1',
. '&amp;change_column=1'
. '&amp;token=' . $_SESSION[' PMA_token '],
'title' => __('Structure'),
);
}
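Review bot: `$_SESSION[' PMA_token ']` is concatenated raw into a string that serves both as an HTML attribute value and, judging by the `%1$s`/`%2$s` placeholders, as a format template expanded later, so the link is only well-formed as long as the token never contains `%`, `&` or `<`; that holds if the token is generated as a hex digest, but nothing in these files enforces it. The same hand-built `'&amp;token=' . $_SESSION[' PMA_token ']` appears in NodeColumnContainer, NodeDatabase, NodeDatabaseContainer, NodeEvent, NodeEventContainer, NodeFunction, NodeFunctionContainer, NodeIndex, NodeIndexContainer, NodeProcedure, NodeProcedureContainer, NodeTable, NodeTableContainer and NodeTrigger. A single helper that returns the escaped fragment (or routing these through URL::getCommon, which this commit makes token-aware) would keep the escaping decision in one place and make the eventual removal a one-file change. The constructors these arrays belong to continue outside the hunks.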
12 changes: 8 additions & 4 deletions libraries/navigation/nodes/NodeColumnContainer.php
Expand Up @@ -27,9 +27,11 @@ public function __construct()
$this->icon = Util::getImage('pause.png', __('Columns'));
$this->links = array(
'text' => 'tbl_structure.php?server=' . $GLOBALS['server']
. '&amp;db=%2$s&amp;table=%1$s',
. '&amp;db=%2$s&amp;table=%1$s'
. '&amp;token=' . $_SESSION[' PMA_token '],
'icon' => 'tbl_structure.php?server=' . $GLOBALS['server']
. '&amp;db=%2$s&amp;table=%1$s',
. '&amp;db=%2$s&amp;table=%1$s'
. '&amp;token=' . $_SESSION[' PMA_token '],
);
$this->real_name = 'columns';

Expand All @@ -43,10 +45,12 @@ public function __construct()
$new->links = array(
'text' => 'tbl_addfield.php?server=' . $GLOBALS['server']
. '&amp;db=%3$s&amp;table=%2$s'
. '&amp;field_where=last&after_field=',
. '&amp;field_where=last&after_field='
. '&amp;token=' . $_SESSION[' PMA_token '],
'icon' => 'tbl_addfield.php?server=' . $GLOBALS['server']
. '&amp;db=%3$s&amp;table=%2$s'
. '&amp;field_where=last&after_field=',
. '&amp;field_where=last&after_field='
. '&amp;token=' . $_SESSION[' PMA_token '],
);
$new->classes = 'new_column italics';
$this->addChild($new);
4 changes: 2 additions & 2 deletions libraries/navigation/nodes/NodeDatabase.php
Expand Up @@ -47,9 +47,9 @@ public function __construct($name, $type = Node::OBJECT, $is_group = false)
$this->links = array(
'text' => $script_name
. '?server=' . $GLOBALS['server']
. '&amp;db=%1$s',
. '&amp;db=%1$s&amp;token=' . $_SESSION[' PMA_token '],
'icon' => 'db_operations.php?server=' . $GLOBALS['server']
. '&amp;db=%1$s&amp;',
. '&amp;db=%1$s&amp;token=' . $_SESSION[' PMA_token '],
'title' => __('Structure'),
);
$this->classes = 'database';
6 changes: 4 additions & 2 deletions libraries/navigation/nodes/NodeDatabaseContainer.php
Expand Up @@ -38,8 +38,10 @@ public function __construct($name)
$new->isNew = true;
$new->icon = PMA\libraries\Util::getImage('b_newdb.png', '');
$new->links = array(
'text' => 'server_databases.php?server=' . $GLOBALS['server'],
'icon' => 'server_databases.php?server=' . $GLOBALS['server'],
'text' => 'server_databases.php?server=' . $GLOBALS['server']
. '&amp;token=' . $_SESSION[' PMA_token '],
'icon' => 'server_databases.php?server=' . $GLOBALS['server']
. '&amp;token=' . $_SESSION[' PMA_token '],
);
$new->classes = 'new_database italics';
$this->addChild($new);
6 changes: 4 additions & 2 deletions libraries/navigation/nodes/NodeEvent.php
Expand Up @@ -30,9 +30,11 @@ public function __construct($name, $type = Node::OBJECT, $is_group = false)
$this->icon = PMA\libraries\Util::getImage('b_events.png');
$this->links = array(
'text' => 'db_events.php?server=' . $GLOBALS['server']
. '&amp;db=%2$s&amp;item_name=%1$s&amp;edit_item=1',
. '&amp;db=%2$s&amp;item_name=%1$s&amp;edit_item=1'
. '&amp;token=' . $_SESSION[' PMA_token '],
'icon' => 'db_events.php?server=' . $GLOBALS['server']
. '&amp;db=%2$s&amp;item_name=%1$s&amp;export_item=1',
. '&amp;db=%2$s&amp;item_name=%1$s&amp;export_item=1'
. '&amp;token=' . $_SESSION[' PMA_token '],
);
$this->classes = 'event';
}
10 changes: 6 additions & 4 deletions libraries/navigation/nodes/NodeEventContainer.php
Expand Up @@ -26,9 +26,9 @@ public function __construct()
$this->icon = PMA\libraries\Util::getImage('b_events.png', '');
$this->links = array(
'text' => 'db_events.php?server=' . $GLOBALS['server']
. '&amp;db=%1$s',
. '&amp;db=%1$s&amp;token=' . $_SESSION[' PMA_token '],
'icon' => 'db_events.php?server=' . $GLOBALS['server']
. '&amp;db=%1$s',
. '&amp;db=%1$s&amp;token=' . $_SESSION[' PMA_token '],
);
$this->real_name = 'events';

Expand All @@ -40,9 +40,11 @@ public function __construct()
$new->icon = PMA\libraries\Util::getImage('b_event_add.png', '');
$new->links = array(
'text' => 'db_events.php?server=' . $GLOBALS['server']
. '&amp;db=%2$s&add_item=1',
. '&amp;db=%2$s&amp;token=' . $_SESSION[' PMA_token ']
. '&add_item=1',
'icon' => 'db_events.php?server=' . $GLOBALS['server']
. '&amp;db=%2$s&add_item=1',
. '&amp;db=%2$s&amp;token=' . $_SESSION[' PMA_token ']
. '&add_item=1',
);
$new->classes = 'new_event italics';
$this->addChild($new);
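Review bot: The new `. '&add_item=1',` line keeps a bare `&` while every other separator in the same string is `&amp;`, so the attribute now mixes escaped and unescaped ampersands; the bare form predates this commit, but since the line is being rewritten anyway it would be the moment to change it to `. '&amp;add_item=1',`. NodeFunctionContainer and NodeProcedureContainer carry the same bare `&` in their new `add_item` lines.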
4 changes: 2 additions & 2 deletions libraries/navigation/nodes/NodeFunction.php
Expand Up @@ -31,10 +31,10 @@ public function __construct($name, $type = Node::OBJECT, $is_group = false)
$this->links = array(
'text' => 'db_routines.php?server=' . $GLOBALS['server']
. '&amp;db=%2$s&amp;item_name=%1$s&amp;item_type=FUNCTION'
. '&amp;edit_item=1',
. '&amp;edit_item=1&amp;token=' . $_SESSION[' PMA_token '],
'icon' => 'db_routines.php?server=' . $GLOBALS['server']
. '&amp;db=%2$s&amp;item_name=%1$s&amp;item_type=FUNCTION'
. '&amp;execute_dialog=1',
. '&amp;execute_dialog=1&amp;token=' . $_SESSION[' PMA_token '],
);
$this->classes = 'function';
}
12 changes: 8 additions & 4 deletions libraries/navigation/nodes/NodeFunctionContainer.php
Expand Up @@ -29,9 +29,11 @@ public function __construct()
);
$this->links = array(
'text' => 'db_routines.php?server=' . $GLOBALS['server']
. '&amp;db=%1$s&amp;type=FUNCTION',
. '&amp;db=%1$s&amp;token=' . $_SESSION[' PMA_token ']
. '&amp;type=FUNCTION',
'icon' => 'db_routines.php?server=' . $GLOBALS['server']
. '&amp;db=%1$s&amp;type=FUNCTION',
. '&amp;db=%1$s&amp;token=' . $_SESSION[' PMA_token ']
. '&amp;type=FUNCTION',
);
$this->real_name = 'functions';

Expand All @@ -44,9 +46,11 @@ public function __construct()
$new->icon = PMA\libraries\Util::getImage('b_routine_add.png', $new_label);
$new->links = array(
'text' => 'db_routines.php?server=' . $GLOBALS['server']
. '&amp;db=%2$s&add_item=1&amp;item_type=FUNCTION',
. '&amp;db=%2$s&amp;token=' . $_SESSION[' PMA_token ']
. '&add_item=1&amp;item_type=FUNCTION',
'icon' => 'db_routines.php?server=' . $GLOBALS['server']
. '&amp;db=%2$s&add_item=1&amp;item_type=FUNCTION',
. '&amp;db=%2$s&amp;token=' . $_SESSION[' PMA_token ']
. '&add_item=1&amp;item_type=FUNCTION',
);
$new->classes = 'new_function italics';
$this->addChild($new);
6 changes: 4 additions & 2 deletions libraries/navigation/nodes/NodeIndex.php
Expand Up @@ -30,9 +30,11 @@ public function __construct($name, $type = Node::OBJECT, $is_group = false)
$this->icon = PMA\libraries\Util::getImage('b_index.png', __('Index'));
$this->links = array(
'text' => 'tbl_indexes.php?server=' . $GLOBALS['server']
. '&amp;db=%3$s&amp;table=%2$s&amp;index=%1$s',
. '&amp;db=%3$s&amp;table=%2$s&amp;index=%1$s'
. '&amp;token=' . $_SESSION[' PMA_token '],
'icon' => 'tbl_indexes.php?server=' . $GLOBALS['server']
. '&amp;db=%3$s&amp;table=%2$s&amp;index=%1$s',
. '&amp;db=%3$s&amp;table=%2$s&amp;index=%1$s'
. '&amp;token=' . $_SESSION[' PMA_token '],
);
$this->classes = 'index';
}
12 changes: 8 additions & 4 deletions libraries/navigation/nodes/NodeIndexContainer.php
Expand Up @@ -26,9 +26,11 @@ public function __construct()
$this->icon = PMA\libraries\Util::getImage('b_index.png', __('Indexes'));
$this->links = array(
'text' => 'tbl_structure.php?server=' . $GLOBALS['server']
. '&amp;db=%2$s&amp;table=%1$s',
. '&amp;db=%2$s&amp;table=%1$s'
. '&amp;token=' . $_SESSION[' PMA_token '],
'icon' => 'tbl_structure.php?server=' . $GLOBALS['server']
. '&amp;db=%2$s&amp;table=%1$s',
. '&amp;db=%2$s&amp;table=%1$s'
. '&amp;token=' . $_SESSION[' PMA_token '],
);
$this->real_name = 'indexes';

Expand All @@ -42,10 +44,12 @@ public function __construct()
$new->links = array(
'text' => 'tbl_indexes.php?server=' . $GLOBALS['server']
. '&amp;create_index=1&amp;added_fields=2'
. '&amp;db=%3$s&amp;table=%2$s',
. '&amp;db=%3$s&amp;table=%2$s&amp;token='
. $_SESSION[' PMA_token '],
'icon' => 'tbl_indexes.php?server=' . $GLOBALS['server']
. '&amp;create_index=1&amp;added_fields=2'
. '&amp;db=%3$s&amp;table=%2$s',
. '&amp;db=%3$s&amp;table=%2$s&amp;token='
. $_SESSION[' PMA_token '],
);
$new->classes = 'new_index italics';
$this->addChild($new);
4 changes: 2 additions & 2 deletions libraries/navigation/nodes/NodeProcedure.php
Expand Up @@ -34,10 +34,10 @@ public function __construct($name, $type = Node::OBJECT, $is_group = false)
$this->links = array(
'text' => 'db_routines.php?server=' . $GLOBALS['server']
. '&amp;db=%2$s&amp;item_name=%1$s&amp;item_type=PROCEDURE'
. '&amp;edit_item=1',
. '&amp;edit_item=1&amp;token=' . $_SESSION[' PMA_token '],
'icon' => 'db_routines.php?server=' . $GLOBALS['server']
. '&amp;db=%2$s&amp;item_name=%1$s&amp;item_type=PROCEDURE'
. '&amp;execute_dialog=1',
. '&amp;execute_dialog=1&amp;token=' . $_SESSION[' PMA_token '],
);
$this->classes = 'procedure';
}
12 changes: 8 additions & 4 deletions libraries/navigation/nodes/NodeProcedureContainer.php
Expand Up @@ -29,9 +29,11 @@ public function __construct()
);
$this->links = array(
'text' => 'db_routines.php?server=' . $GLOBALS['server']
. '&amp;db=%1$s&amp;type=PROCEDURE',
. '&amp;db=%1$s&amp;token=' . $_SESSION[' PMA_token ']
. '&amp;type=PROCEDURE',
'icon' => 'db_routines.php?server=' . $GLOBALS['server']
. '&amp;db=%1$s&amp;type=PROCEDURE',
. '&amp;db=%1$s&amp;token=' . $_SESSION[' PMA_token ']
. '&amp;type=PROCEDURE',
);
$this->real_name = 'procedures';

Expand All @@ -44,9 +46,11 @@ public function __construct()
$new->icon = PMA\libraries\Util::getImage('b_routine_add.png', $new_label);
$new->links = array(
'text' => 'db_routines.php?server=' . $GLOBALS['server']
. '&amp;db=%2$s&add_item=1',
. '&amp;db=%2$s&amp;token=' . $_SESSION[' PMA_token ']
. '&add_item=1',
'icon' => 'db_routines.php?server=' . $GLOBALS['server']
. '&amp;db=%2$s&add_item=1',
. '&amp;db=%2$s&amp;token=' . $_SESSION[' PMA_token ']
. '&add_item=1',
);
$new->classes = 'new_procedure italics';
$this->addChild($new);
8 changes: 5 additions & 3 deletions libraries/navigation/nodes/NodeTable.php
Expand Up @@ -53,20 +53,22 @@ public function __construct($name, $type = Node::OBJECT, $is_group = false)
'text' => $script_name
. '?server=' . $GLOBALS['server']
. '&amp;db=%2$s&amp;table=%1$s'
. '&amp;pos=0',
. '&amp;pos=0&amp;token=' . $_SESSION[' PMA_token '],
'icon' => array(
Util::getScriptNameForOption(
$GLOBALS['cfg']['NavigationTreeDefaultTabTable'],
'table'
)
. '?server=' . $GLOBALS['server']
. '&amp;db=%2$s&amp;table=%1$s',
. '&amp;db=%2$s&amp;table=%1$s&amp;token='
. $_SESSION[' PMA_token '],
Util::getScriptNameForOption(
$GLOBALS['cfg']['NavigationTreeDefaultTabTable2'],
'table'
)
. '?server=' . $GLOBALS['server']
. '&amp;db=%2$s&amp;table=%1$s',
. '&amp;db=%2$s&amp;table=%1$s&amp;token='
. $_SESSION[' PMA_token '],
),
'title' => $this->title,
);
10 changes: 6 additions & 4 deletions libraries/navigation/nodes/NodeTableContainer.php
Expand Up @@ -26,9 +26,11 @@ public function __construct()
$this->icon = PMA\libraries\Util::getImage('b_browse.png', __('Tables'));
$this->links = array(
'text' => 'db_structure.php?server=' . $GLOBALS['server']
. '&amp;db=%1$s&amp;tbl_type=table',
. '&amp;db=%1$s&amp;tbl_type=table'
. '&amp;token=' . $_SESSION[' PMA_token '],
'icon' => 'db_structure.php?server=' . $GLOBALS['server']
. '&amp;db=%1$s&amp;tbl_type=table',
. '&amp;db=%1$s&amp;tbl_type=table'
. '&amp;token=' . $_SESSION[' PMA_token '],
);
$this->real_name = 'tables';
$this->classes = 'tableContainer subContainer';
Expand All @@ -42,9 +44,9 @@ public function __construct()
$new->icon = PMA\libraries\Util::getImage('b_table_add.png', $new_label);
$new->links = array(
'text' => 'tbl_create.php?server=' . $GLOBALS['server']
. '&amp;db=%2$s',
. '&amp;db=%2$s&amp;token=' . $_SESSION[' PMA_token '],
'icon' => 'tbl_create.php?server=' . $GLOBALS['server']
. '&amp;db=%2$s',
. '&amp;db=%2$s&amp;token=' . $_SESSION[' PMA_token '],
);
$new->classes = 'new_table italics';
$this->addChild($new);
6 changes: 4 additions & 2 deletions libraries/navigation/nodes/NodeTrigger.php
Expand Up @@ -30,9 +30,11 @@ public function __construct($name, $type = Node::OBJECT, $is_group = false)
$this->icon = PMA\libraries\Util::getImage('b_triggers.png');
$this->links = array(
'text' => 'db_triggers.php?server=' . $GLOBALS['server']
. '&amp;db=%3$s&amp;item_name=%1$s&amp;edit_item=1',
. '&amp;db=%3$s&amp;item_name=%1$s&amp;edit_item=1'
. '&amp;token=' . $_SESSION[' PMA_token '],
'icon' => 'db_triggers.php?server=' . $GLOBALS['server']
. '&amp;db=%3$s&amp;item_name=%1$s&amp;export_item=1',
. '&amp;db=%3$s&amp;item_name=%1$s&amp;export_item=1'
. '&amp;token=' . $_SESSION[' PMA_token '],
);
$this->classes = 'trigger';
}
