[security] Code execution vulnerability

Author: Marc Delisle

ChangeLog

@@ -8,9 +8,12 @@ $HeadURL: https://phpmyadmin.svn.sourceforge.net/svnroot/phpmyadmin/trunk/phpMyA
 2.11.10.0 (not yet released)
 - [core] safer handling of temporary files with open_basedir (thanks to Thijs
   Kinkhorst)
-- [core] do not automatically set and create TempDir, it might lead to secrity
+- [core] do not automatically set and create TempDir, it might lead to security
   issue (thanks to Thijs Kinkhorst)
 
+2.11.9.1 (2008-09-15)
+- [security] Code execution vulnerability, thanks to Norman Hippert
+
 2.11.9.0 (2008-08-28)
 - bug #2031221 [auth] Links to version number on login screen 
 - bug #2032707 [core] PMA does not start if ini_set() is disabled 

libraries/database_interface.lib.php

@@ -187,6 +187,32 @@ function PMA_DBI_get_tables($database, $link = null)
         null, 0, $link, PMA_DBI_QUERY_STORE);
 }
 
+/**
+ * usort comparison callback
+ *
+ * @param   string  $a first argument to sort 
+ * @param   string  $b second argument to sort 
+ *
+ * @return  integer  a value representing whether $a should be before $b in the
+ *                   sorted array or not
+ *
+ * @global  string   the column the array shall be sorted by
+ * @global  string   the sorting order ('ASC' or 'DESC')
+ *
+ * @access  private
+ */
+function PMA_usort_comparison_callback($a, $b)
+{
+    if ($GLOBALS['cfg']['NaturalOrder']) {
+        $sorter = 'strnatcasecmp';
+    } else {
+        $sorter = 'strcasecmp';
+    }
+    // produces f.e.:
+    // return -1 * strnatcasecmp($a["SCHEMA_TABLES"], $b["SCHEMA_TABLES"])
+    return ($GLOBALS['callback_sort_order'] == 'ASC' ? 1 : -1) * $sorter($a[$GLOBALS['callback_sort_by']], $b[$GLOBALS['callback_sort_by']]);
+} // end of the 'PMA_usort_comparison_callback()' function
+
 /**
  * returns array of all tables in given db or dbs
  * this function expects unquoted names:
@@ -399,7 +425,7 @@ function PMA_DBI_get_tables_full($database, $table = false,
  * @param   string      $databases      database
  * @param   boolean     $force_stats    retrieve stats also for MySQL < 5
  * @param   resource    $link           mysql link
- * @param   string      $sort_by        collumn to order by
+ * @param   string      $sort_by        column to order by
  * @param   string      $sort_order     ASC or DESC
  * @param   integer     $limit_offset   starting offset for LIMIT
  * @param   bool|int    $limit_count    row count for LIMIT or true for $GLOBALS['cfg']['MaxDbList']
@@ -543,23 +569,10 @@ function PMA_DBI_get_databases_full($database = null, $force_stats = false,
      * (caused by older MySQL < 5 or $GLOBALS['cfg']['NaturalOrder'])
      */
     if ($apply_limit_and_order_manual) {
-
-        /**
-         * first apply ordering
-         */
-        if ($GLOBALS['cfg']['NaturalOrder']) {
-            $sorter = 'strnatcasecmp';
-        } else {
-            $sorter = 'strcasecmp';
-        }
-
-        // produces f.e.:
-        // return -1 * strnatcasecmp($a["SCHEMA_TABLES"], $b["SCHEMA_TABLES"])
-        $sort_function = '
-            return ' . ($sort_order == 'ASC' ? 1 : -1) . ' * ' . $sorter . '($a["' . $sort_by . '"], $b["' . $sort_by . '"]);
-        ';
-
-        usort($databases, create_function('$a, $b', $sort_function));
+        $GLOBALS['callback_sort_order'] = $sort_order;
+        $GLOBALS['callback_sort_by'] = $sort_by;
+        usort($databases, 'PMA_usort_comparison_callback');
+        unset($GLOBALS['callback_sort_order'], $GLOBALS['callback_sort_by']);
 
         /**
          * now apply limit