if ($accepted_languages && false === mb_strpos($accepted_languages, '<')) {
It was added as XSS prevention (see 63508c4 and 2d6e0f0). However, it indeed seems a bit weird, though this was at a time when everything was put into globals.
It's better to use htmlspecialchars/urlencode (correct output escaping) in the relevant places that output content to prevent XSS, instead of disallowing < in input.
Where in the code are the values that come from the AUTHORIZATION header / $accepted_languages variable printed (the sink)? As I didn't find any such insecure flow, it's OK to remove this check.
The above commit points to a file that doesn't exist anymore in master (grab_globals.lib.php).
I've removed these, as indeed the check is not needed anymore. It comes from the ages when all of the environment was in globals and, to avoid problems with XSS, anything containing < was simply rejected. The code was simply copied over and over without much thought about what its purpose is.
https://github.com/phpmyadmin/phpmyadmin/blob/master/libraries/LanguageManager.php#L846
The matchesAcceptLanguage function uses the value of $accepted_languages in a preg_match call that will determine whether $language will be returned (if it matches $accepted_languages).
Thus, the below:
needs to be removed.
phpmyadmin/libraries/plugins/auth/AuthenticationHttp.php
Line 129 in 9517695
also looks useless (it exists only in the parsing of one of the AUTHORIZATION headers; a username can contain <)
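The trade-off discussed in this thread (rejecting `<` on input versus escaping at the output sink), as an added example that is not phpMyAdmin code. All function names and sample values below are hypothetical and constructed for illustration.

```php
<?php
// Added example, not phpMyAdmin code. Function names are hypothetical.

// Input filter in the style of the removed check: drop any value containing '<'.
function rejectAngleBracket(string $value): ?string
{
    return (false === mb_strpos($value, '<')) ? $value : null;
}

// Parse "Basic base64(user:password)" without filtering any characters.
function parseBasicAuth(string $header): ?array
{
    if (! preg_match('/^Basic\s+(\S+)$/i', $header, $m)) {
        return null;
    }
    $decoded = base64_decode($m[1], true);
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    [$user, $password] = explode(':', $decoded, 2);
    return ['user' => $user, 'password' => $password];
}

// Escaping applied at the sink, chosen per output context.
function htmlText(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function urlParam(string $value): string
{
    return rawurlencode($value);
}

// Constructed sample: a legitimate username that contains '<'.
$creds = parseBasicAuth('Basic ' . base64_encode('ops<dba>:s3cret'));

// The input filter rejects the valid login outright.
var_dump(rejectAngleBracket($creds['user']));

// The same filter passes a value with a double quote, which still needs
// escaping if it is ever written into an HTML attribute.
$lang = 'en"gb'; // constructed value
var_dump(rejectAngleBracket($lang) === $lang);

// Output escaping handles both values in their respective contexts.
echo '<p>Logged in as ', htmlText($creds['user']), "</p>\n";
echo '<a title="', htmlText($lang), '" href="index.php?lang=', urlParam($lang), '">switch</a>', "\n";
```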