
Disable session.use_trans_sid to preserve export result

Do not depend on session.use_trans_sid without cookies

git-svn-id: https://adminer.svn.sourceforge.net/svnroot/adminer/trunk@1050 7c3ca157-0c34-0410-bff1-cbf682f78f5c
commit 25cef1ffe1f970a566168cb67a492b1bebe43320 1 parent e895368
jakubvrana authored
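--- a/adminer/include/adminer.inc.php
+++ b/adminer/include/adminer.inc.php
@@ -425,7 +425,9 @@ function navigation($missing) {
 </p>
 </form>
 <form action="">
-<p><?php if (strlen($_GET["server"])) { ?><input type="hidden" name="server" value="<?php echo h($_GET["server"]); ?>"><?php } ?>
+<p>
+<?php if (SID) { ?><input type="hidden" name="<?php echo session_name(); ?>" value="<?php echo h(session_id()); ?>"><?php } ?>
+<?php if (strlen($_GET["server"])) { ?><input type="hidden" name="server" value="<?php echo h($_GET["server"]); ?>"><?php } ?>
 <?php if ($databases) { ?>
 <select name="db" onchange="this.form.submit();"><option value="">(<?php echo lang('database'); ?>)<?php echo optionlist($databases, DB); ?></select>
 <?php } else { ?>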
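Review bot: The new hidden field echoes `session_name()` into the `name` attribute without the `h()` escaping that the neighbouring `value` attributes receive; the name is server configuration rather than user input, but for consistency with the rest of the template `name="<?php echo h(session_name()); ?>"` is the safer habit. The same field is added in privileges.inc.php and the remark applies there too. Because this form submits via GET, the session id now travels in the query string whenever the session cookie is absent, so the usual exposure of cookieless sessions (Referer headers, server and proxy logs, browser history) applies and deserves a short comment above the field, e.g. `<?php // cookieless fallback: session id is carried in the form/URL, prefer cookies where possible ?>`. navigation() starts and ends outside this hunk.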
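--- a/adminer/include/auth.inc.php
+++ b/adminer/include/auth.inc.php
@@ -1,26 +1,21 @@
 <?php
 $ignore = array("server", "username", "password");
 $session_name = session_name();
-if (ini_get("session.use_trans_sid") && isset($_POST[$session_name])) {
- $ignore[] = $session_name;
-}
 if (isset($_POST["server"])) {
- if (isset($_COOKIE[$session_name]) || isset($_POST[$session_name])) {
- session_regenerate_id(); // defense against session fixation
- $_SESSION["usernames"][$_POST["server"]] = $_POST["username"];
- $_SESSION["passwords"][$_POST["server"]] = $_POST["password"];
- $_SESSION["tokens"][$_POST["server"]] = rand(1, 1e6); // defense against cross-site request forgery
- if (count($_POST) == count($ignore)) {
- $location = ((string) $_GET["server"] === $_POST["server"] ? remove_from_uri() : preg_replace('~^[^?]*/([^?]*).*~', '\\1', $_SERVER["REQUEST_URI"]) . (strlen($_POST["server"]) ? '?server=' . urlencode($_POST["server"]) : ''));
- if (!isset($_COOKIE[$session_name])) {
- $location .= (strpos($location, "?") === false ? "?" : "&") . SID;
- }
- header("Location: " . (strlen($location) ? $location : "."));
- exit;
- }
- if ($_POST["token"]) {
- $_POST["token"] = $_SESSION["tokens"][$_POST["server"]];
+ session_regenerate_id(); // defense against session fixation
+ $_SESSION["usernames"][$_POST["server"]] = $_POST["username"];
+ $_SESSION["passwords"][$_POST["server"]] = $_POST["password"];
+ $_SESSION["tokens"][$_POST["server"]] = rand(1, 1e6); // defense against cross-site request forgery
+ if (count($_POST) == count($ignore)) {
+ $location = ((string) $_GET["server"] === $_POST["server"] ? remove_from_uri() : preg_replace('~^[^?]*/([^?]*).*~', '\\1', $_SERVER["REQUEST_URI"]) . (strlen($_POST["server"]) ? '?server=' . urlencode($_POST["server"]) : ''));
+ if (!isset($_COOKIE[$session_name])) {
+ $location .= (strpos($location, "?") === false ? "?" : "&") . SID;
 }
+ header("Location: " . (strlen($location) ? $location : "."));
+ exit;
+ }
+ if ($_POST["token"]) {
+ $_POST["token"] = $_SESSION["tokens"][$_POST["server"]];
 }
 $_GET["server"] = $_POST["server"];
 } elseif (isset($_POST["logout"])) {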
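Review bot: `session_regenerate_id()` at the top of the `isset($_POST["server"])` branch leaves the previous session's data in place until garbage collection; since the comment names session fixation as the threat, the old id should be discarded with `session_regenerate_id(true);` (available since PHP 5.1) so a pre-set id cannot be resumed after login. The CSRF token two lines below is drawn from `rand(1, 1e6)`, a small and predictable range; a wider value from a cryptographic source (`random_int()`/`random_bytes()` on PHP 7+, `openssl_random_pseudo_bytes()` on PHP 5.3+, if I recall the availability correctly) would make it materially harder to guess. Removing the former `isset($_COOKIE[$session_name]) || isset($_POST[$session_name])` guard means credentials are now stored on the first POST even when the client presented no session identifier; that looks intentional given the SID redirect below, but a one-line comment stating it would save the next reader the archaeology. The `elseif` branch continues past the end of this hunk.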
3  adminer/include/bootstrap.inc.php
@@ -45,6 +45,7 @@
if (!ini_get("session.auto_start")) {
// use specific session name to get own namespace
+ @ini_set("session.use_trans_sid", false); // @ - may be disabled
session_name("adminer_sid");
session_set_cookie_params(0, preg_replace('~\\?.*~', '', $_SERVER["REQUEST_URI"])); //! use HttpOnly in PHP 5
session_start();
@@ -70,7 +71,7 @@
@set_time_limit(0); // @ - can be disabled
define("DB", $_GET["db"]); // for the sake of speed and size
-define("ME", preg_replace('~^[^?]*/([^?]*).*~', '\\1', $_SERVER["REQUEST_URI"]) . '?' . (strlen($_GET["server"]) ? 'server=' . urlencode($_GET["server"]) . '&' : '') . (strlen(DB) ? 'db=' . urlencode(DB) . '&' : ''));
+define("ME", preg_replace('~^[^?]*/([^?]*).*~', '\\1', $_SERVER["REQUEST_URI"]) . '?' . (SID ? SID . '&' : '') . (strlen($_GET["server"]) ? 'server=' . urlencode($_GET["server"]) . '&' : '') . (strlen(DB) ? 'db=' . urlencode(DB) . '&' : ''));
$on_actions = array("RESTRICT", "CASCADE", "SET NULL", "NO ACTION"); // used in foreign_keys()
include "../adminer/include/version.inc.php";
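Review bot: Disabling `session.use_trans_sid` and passing `SID` by hand (the new `ME` definition in the second hunk, the hidden form fields elsewhere in this commit) only works while PHP still accepts a session id from the request, i.e. while `session.use_only_cookies` is off; I believe PHP 5.3 changed that default to 1, and on such hosts a cookieless client would receive a fresh session on every request. It would be worth either checking `ini_get("session.use_only_cookies")` next to the new `ini_set` call or recording the dependency with a comment such as `// cookieless fallback relies on session.use_only_cookies=0`. Also, on PHP 5 `ini_set()` takes a string value; passing `false` works because it casts to "", but `"0"` states the intent more plainly. The `if (!ini_get("session.auto_start"))` block closes outside the first hunk.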
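--- a/adminer/include/functions.inc.php
+++ b/adminer/include/functions.inc.php
@@ -104,10 +104,6 @@ function redirect($location, $message = null) {
 if (isset($message)) {
 $_SESSION["messages"][] = $message;
 }
- if (strlen(SID)) {
- // append SID if session cookies are disabled
- $location .= (strpos($location, "?") === false ? "?" : "&") . SID;
- }
 header("Location: " . (strlen($location) ? $location : "."));
 exit;
 }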
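--- a/adminer/privileges.inc.php
+++ b/adminer/privileges.inc.php
@@ -6,6 +6,7 @@
 if (!$result) {
 ?>
 <form action=""><p>
+ <?php if (SID) { ?><input type="hidden" name="<?php echo session_name(); ?>" value="<?php echo h(session_id()); ?>"><?php } ?>
 <?php if (strlen($_GET["server"])) { ?><input type="hidden" name="server" value="<?php echo h($_GET["server"]); ?>"><?php } ?>
 <?php echo lang('Username'); ?>: <input name="user">
 <?php echo lang('Server'); ?>: <input name="host" value="localhost">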