From f2bfa7d745a49ecc6625924a376c66ace194d8d1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C4=8Ciha=C5=99?= <michal@cihar.com>
Date: Thu, 8 Dec 2016 11:39:32 +0100
Subject: [PATCH] Avoid running shell scripts as CGI
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

There is really no reason for that besides misconfigured servers.

This is followup for PMASA-2016-54

Signed-off-by: Michal Čihař <michal@cihar.com>
---
 scripts/create-release.sh                       | 6 ++++++
 scripts/generate-mo                             | 6 ++++++
 scripts/generate-sprites                        | 6 ++++++
 scripts/lang-cleanup.sh                         | 6 ++++++
 scripts/line-counts.sh                          | 7 +++++++
 scripts/locales-contributors                    | 6 ++++++
 scripts/remove-incomplete-mo                    | 6 ++++++
 scripts/transformations_generator_main_class.sh | 8 +++++++-
 scripts/transformations_generator_plugin.sh     | 8 +++++++-
 scripts/update-po                               | 6 ++++++
 scripts/upload-release                          | 6 ++++++
 test/install-browserstack                       | 6 ++++++
 test/install-runkit                             | 6 ++++++
 test/start-local-server                         | 6 ++++++
 14 files changed, 87 insertions(+), 2 deletions(-)

diff --git a/scripts/create-release.sh b/scripts/create-release.sh
index 00caf870a8a9..8d3c4b79928a 100755
--- a/scripts/create-release.sh
+++ b/scripts/create-release.sh
@@ -3,6 +3,12 @@
 # vim: expandtab sw=4 ts=4 sts=4:
 #
 
+# Do not run as CGI
+if [ -n "$GATEWAY_INTERFACE" ] ; then
+    echo 'Can not invoke as CGI!'
+    exit 1
+fi
+
 # More documentation about making a release is available at:
 # https://wiki.phpmyadmin.net/pma/Releasing
 
diff --git a/scripts/generate-mo b/scripts/generate-mo
index 9e16927d97d8..3dc88f619912 100755
--- a/scripts/generate-mo
+++ b/scripts/generate-mo
@@ -1,4 +1,10 @@
 #!/bin/sh
+# Do not run as CGI
+if [ -n "$GATEWAY_INTERFACE" ] ; then
+    echo 'Can not invoke as CGI!'
+    exit 1
+fi
+
 if [ x$1 = x--quiet ] ; then
     stats=""
     shift
diff --git a/scripts/generate-sprites b/scripts/generate-sprites
index 1b8ffb947764..2b80431cc7bc 100755
--- a/scripts/generate-sprites
+++ b/scripts/generate-sprites
@@ -1,6 +1,12 @@
 #!/bin/sh
 # vim: expandtab sw=4 ts=4 sts=4:
 
+# Do not run as CGI
+if [ -n "$GATEWAY_INTERFACE" ] ; then
+    echo 'Can not invoke as CGI!'
+    exit 1
+fi
+
 # Check for proper number of command line args.
 if [ $# -ne 1 ]; then
   echo "Usage: `basename $0` {path_to_pma_root_folder}"
diff --git a/scripts/lang-cleanup.sh b/scripts/lang-cleanup.sh
index 54dfd16f7bf2..846dffc87e51 100755
--- a/scripts/lang-cleanup.sh
+++ b/scripts/lang-cleanup.sh
@@ -4,6 +4,12 @@
 #
 # Script for removing language selection from phpMyAdmin
 
+# Do not run as CGI
+if [ -n "$GATEWAY_INTERFACE" ] ; then
+    echo 'Can not invoke as CGI!'
+    exit 1
+fi
+
 if [ $# -lt 1 ] ; then
     echo "Usage: lang-cleanup.sh type"
     echo "Type can be one of:"
diff --git a/scripts/line-counts.sh b/scripts/line-counts.sh
index bcf07620eaa4..c4657ca09789 100755
--- a/scripts/line-counts.sh
+++ b/scripts/line-counts.sh
@@ -1,4 +1,11 @@
 #!/bin/bash
+
+# Do not run as CGI
+if [ -n "$GATEWAY_INTERFACE" ] ; then
+    echo 'Can not invoke as CGI!'
+    exit 1
+fi
+
 cat > js/line_counts.php <<EOF
 <?php
 /* vim: set expandtab sw=4 ts=4 sts=4: */
diff --git a/scripts/locales-contributors b/scripts/locales-contributors
index 021eca3659aa..4ddf5cdd217f 100755
--- a/scripts/locales-contributors
+++ b/scripts/locales-contributors
@@ -1,4 +1,10 @@
 #!/bin/sh
+# Do not run as CGI
+if [ -n "$GATEWAY_INTERFACE" ] ; then
+    echo 'Can not invoke as CGI!'
+    exit 1
+fi
+
 for x in po/*.po  ; do
     grep 'Team' $x | sed 's/.*: \(.*\)<.*/\1/'
     git shortlog -sne --no-merges -- $x | grep '^  [ 0-9][0-9]\{3\}'
diff --git a/scripts/remove-incomplete-mo b/scripts/remove-incomplete-mo
index 8d703452fcfc..66008368dab0 100755
--- a/scripts/remove-incomplete-mo
+++ b/scripts/remove-incomplete-mo
@@ -3,6 +3,12 @@
 # Removes mo files for incomplete translations
 #
 
+# Do not run as CGI
+if [ -n "$GATEWAY_INTERFACE" ] ; then
+    echo 'Can not invoke as CGI!'
+    exit 1
+fi
+
 set -e
 
 #
diff --git a/scripts/transformations_generator_main_class.sh b/scripts/transformations_generator_main_class.sh
index 05876671ac58..c609d1793c18 100755
--- a/scripts/transformations_generator_main_class.sh
+++ b/scripts/transformations_generator_main_class.sh
@@ -7,10 +7,16 @@
 # $2: MIMESubtype
 # $3: Transformation Name
 
+# Do not run as CGI
+if [ -n "$GATEWAY_INTERFACE" ] ; then
+    echo 'Can not invoke as CGI!'
+    exit 1
+fi
+
 if [ $# != 3 ]
 then
   echo -e "Usage: ./generator_main_class.sh MIMEType MIMESubtype TransformationName\n"
   exit 65
 fi
 
-./generator_plugin.sh "$1" "$2" "$3" "--generate_only_main_class"
\ No newline at end of file
+./generator_plugin.sh "$1" "$2" "$3" "--generate_only_main_class"
diff --git a/scripts/transformations_generator_plugin.sh b/scripts/transformations_generator_plugin.sh
index 912072532bbe..9d6ba28d542b 100755
--- a/scripts/transformations_generator_plugin.sh
+++ b/scripts/transformations_generator_plugin.sh
@@ -11,6 +11,12 @@
 # $3: Transformation Name
 # $4: (optional) Description
 
+# Do not run as CGI
+if [ -n "$GATEWAY_INTERFACE" ] ; then
+    echo 'Can not invoke as CGI!'
+    exit 1
+fi
+
 echo $#
 if [ $# -ne 3 -a $# -ne 4 ]; then
   echo -e "Usage: ./generator_plugin.sh MIMEType MIMESubtype TransformationName [Description]\n"
@@ -61,4 +67,4 @@ if [ $GenerateAbstractClass -eq 1 ]; then
     echo "Created $AbstractClassFile"
 fi
 
-echo ""
\ No newline at end of file
+echo ""
diff --git a/scripts/update-po b/scripts/update-po
index 3e7d9dcbeee9..53387ab575a1 100755
--- a/scripts/update-po
+++ b/scripts/update-po
@@ -2,6 +2,12 @@
 # vim: expandtab sw=4 ts=4 sts=4:
 export LC_ALL=C
 
+# Do not run as CGI
+if [ -n "$GATEWAY_INTERFACE" ] ; then
+    echo 'Can not invoke as CGI!'
+    exit 1
+fi
+
 # Exit on failure
 set -e
 
diff --git a/scripts/upload-release b/scripts/upload-release
index 7e0b9d35c917..dedc91e3f3fd 100755
--- a/scripts/upload-release
+++ b/scripts/upload-release
@@ -1,5 +1,11 @@
 #!/bin/sh
 
+# Do not run as CGI
+if [ -n "$GATEWAY_INTERFACE" ] ; then
+    echo 'Can not invoke as CGI!'
+    exit 1
+fi
+
 set -e
 set -u
 
diff --git a/test/install-browserstack b/test/install-browserstack
index 7320dadb4672..240fd4870b05 100755
--- a/test/install-browserstack
+++ b/test/install-browserstack
@@ -1,5 +1,11 @@
 #!/bin/sh
 
+# Do not run as CGI
+if [ -n "$GATEWAY_INTERFACE" ] ; then
+    echo 'Can not invoke as CGI!'
+    exit 1
+fi
+
 set -e
 set -x
 
diff --git a/test/install-runkit b/test/install-runkit
index 469440e8a015..0b3b55cdf0a8 100755
--- a/test/install-runkit
+++ b/test/install-runkit
@@ -1,5 +1,11 @@
 #!/bin/bash
 
+# Do not run as CGI
+if [ -n "$GATEWAY_INTERFACE" ] ; then
+    echo 'Can not invoke as CGI!'
+    exit 1
+fi
+
 if [ "$TRAVIS_PHP_VERSION" = "nightly" -o "$TRAVIS_PHP_VERSION" = "hhvm" -o "$TRAVIS_PHP_VERSION" = "7.0" ] ; then
     exit 0
 fi
diff --git a/test/start-local-server b/test/start-local-server
index c76d3740511e..8fb8037db7e2 100755
--- a/test/start-local-server
+++ b/test/start-local-server
@@ -1,5 +1,11 @@
 #!/bin/sh
 
+# Do not run as CGI
+if [ -n "$GATEWAY_INTERFACE" ] ; then
+    echo 'Can not invoke as CGI!'
+    exit 1
+fi
+
 set -e
 set -x