Hi
...resending to the list...
On Thu, 4 Aug 2011 21:13:16 +0300 Tyron Madlener tyronx@gmail.com wrote:
On Thu, Aug 4, 2011 at 8:51 PM, Michal Čihař michal@cihar.com wrote:
This is just limiting access to file_echo.php to users who are allowed to use phpMyAdmin (and thus have a login to MySQL). I see no reason to have a publicly available echo service in phpMyAdmin.
But don't you need valid mysql credentials to get a session (and token) anyway?
Yes, though the token might be valid longer than MySQL credentials, so it's better to check both.
Since the file uploading is handled by the browser, I cannot think of a case where you can upload a file unintentionally, or in any way get it uploaded through other means than manually uploading it yourself. I'd be really curious to know how a hacker can do anything malicious in this direction.
You can easily place a form on another page and redirect it to this file. This is data you receive from outside; you should never trust it.
If you don't need any HTML code inside, htmlspecialchars will help here. Also, if you set the content type to JSON, the browser will not process it as HTML.
Ah yes, great solution :) It just didn't come to my mind to actually change the HTTP header, even though it's so obvious. I'll change that today.
Okay, please base changes on current master, I've made numerous changes to that file.
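The access check and the content-type change discussed in this exchange, as an added example; this is not phpMyAdmin's file_echo.php and not code from either author. The session keys 'pma_user' and 'pma_token', the POST fields 'token' and 'data', and the helper function names are all assumptions made for the illustration.

```php
<?php
// Added example, not phpMyAdmin's file_echo.php and not code from either
// author. It models the two fixes from the thread for an echo endpoint:
//   1. serve only callers holding a valid phpMyAdmin session AND the
//      per-session token (the token may outlive the MySQL credentials,
//      so the session is checked as well);
//   2. never let the browser interpret the echoed bytes as HTML.
// Assumptions: session keys 'pma_user' and 'pma_token', POST fields 'token'
// and 'data', and the helper names below are hypothetical.
declare(strict_types=1);

session_start();

// Vulnerable shape (kept for contrast, do not deploy): any page on the web can
// auto-submit a form here, and whatever it posts is reflected as HTML inside
// the phpMyAdmin origin.
function file_echo_vulnerable(): void
{
    echo $_POST['data'] ?? '';
}

// First half of the access check: a live phpMyAdmin login.
function pma_session_is_valid(): bool
{
    // Assumption: the login layer sets 'pma_user' only after a MySQL login.
    return isset($_SESSION['pma_user'], $_SESSION['pma_token']);
}

// Second half: the per-session token. A cross-site form cannot know the
// victim's token, so a missing or wrong value rejects the request.
function token_matches(?string $sent): bool
{
    return $sent !== null
        && isset($_SESSION['pma_token'])
        && hash_equals((string) $_SESSION['pma_token'], $sent); // constant time
}

// Builds the JSON body. The HEX flags keep the payload harmless even if a
// later caller drops it into an HTML page without escaping.
function echo_payload(string $data): string
{
    $json = json_encode(
        ['data' => $data],
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
    // json_encode() returns false on invalid UTF-8; never echo raw input then.
    return $json === false ? '{"data":""}' : $json;
}

function file_echo_hardened(): void
{
    $method = $_SERVER['REQUEST_METHOD'] ?? 'GET';
    if ($method !== 'POST'
        || !pma_session_is_valid()
        || !token_matches($_POST['token'] ?? null)) {
        http_response_code(403);
        header('Content-Type: text/plain; charset=utf-8');
        echo 'Forbidden';
        return;
    }

    // A non-HTML media type is what the thread settled on; nosniff stops the
    // browser from second-guessing it. No Content-Disposition: attachment is
    // sent; that header is the usual reason a JSON reply becomes a download.
    header('Content-Type: application/json; charset=utf-8');
    header('X-Content-Type-Options: nosniff');
    echo echo_payload((string) ($_POST['data'] ?? ''));
}

file_echo_hardened();
```

One caveat on the browser side: a response produced by a plain form submission or an iframe navigation is a top-level document, and a browser with no inline viewer for application/json (Firefox of that era) will offer such a document for download even with no Content-Disposition header; a response read through XMLHttpRequest is not affected. If the endpoint must be reached by form submission, text/plain with the data run through htmlspecialchars is the fallback that avoids the download prompt while still keeping the bytes out of the HTML parser.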
On Fri, Aug 5, 2011 at 10:45 AM, Michal Čihař michal@cihar.com wrote:
If you don't need any HTML code inside, htmlspecialchars will help here. Also, if you set the content type to JSON, the browser will not process it as HTML.
Ah yes, great solution :) It just didn't come to my mind to actually change the HTTP header, even though it's so obvious. I'll change that today.
Okay, please base changes on current master, I've made numerous changes to that file.
Commits d368a81ccaf2c1013bd49cbf51ec23be346aeffb and 9f425de0e727b4219e50111b25c362164d420284 do this now.
I had to use text/plain though, because some browsers like FF don't understand application/json (and offer the file for download).
-- Michal Čihař | http://cihar.com | http://blog.cihar.com
Hi
On Fri, 5 Aug 2011 13:34:07 +0300 Tyron Madlener tyronx@gmail.com wrote:
Commits d368a81ccaf2c1013bd49cbf51ec23be346aeffb and 9f425de0e727b4219e50111b25c362164d420284 do this now.
I had to use text/plain though, because some browsers like FF don't understand application/json (and offer the file for download).
You need to change only Content-Type and not Content-Disposition as PMA_download_header does. Then application/json should work just fine in all browsers.
resending to list..
On Fri, Aug 5, 2011 at 2:08 PM, Michal Čihař michal@cihar.com wrote:
You need to change only Content-Type and not Content-Disposition as PMA_download_header does. Then application/json should work just fine in all browsers.
I didn't use Content-Disposition. I've only set Content-Type.
Hi
On Fri, 5 Aug 2011 15:57:56 +0300 Tyron Madlener tyronx@gmail.com wrote:
I didn't use Content-Disposition. I've only set Content-Type.
Right, probably the browser handles it differently depending on whether it is a GET or POST request...