The branch, master has been updated via aa6fec0532a9dd48d4e35831c1b1c9785c124dd7 (commit) from bef58c45190f73bb3572122aa3d092677bc6affd (commit)
- Log ----------------------------------------------------------------- commit aa6fec0532a9dd48d4e35831c1b1c9785c124dd7 Author: Michal Čihař mcihar@novell.com Date: Tue Dec 7 12:19:07 2010 +0100
Remove error.php
Redirecting to other script introduces possibility of inject custom messages to it. Though there is no clear security issue in this, it might confuse users and mistake them to go to external site as it allows to include links.
-----------------------------------------------------------------------
Summary of changes: error.php | 89 ---------------------------------------------- libraries/common.inc.php | 1 - libraries/core.lib.php | 15 +++----- libraries/error.inc.php | 57 +++++++++++++++++++++++++++++ 4 files changed, 63 insertions(+), 99 deletions(-) delete mode 100644 error.php create mode 100644 libraries/error.inc.php
diff --git a/error.php b/error.php deleted file mode 100644 index b1d47e2..0000000 --- a/error.php +++ /dev/null @@ -1,89 +0,0 @@ -<?php -/* vim: set expandtab sw=4 ts=4 sts=4: */ -/** - * phpMyAdmin fatal error display page - * - * @package phpMyAdmin - */ - -/** - * Input sanitizing. - */ -require './libraries/sanitizing.lib.php'; - -/* Get variables */ -if (! empty($_REQUEST['lang']) && is_string($_REQUEST['lang'])) { - $lang = htmlspecialchars($_REQUEST['lang']); -} else { - $lang = 'en'; -} - -if (! empty($_REQUEST['dir']) && is_string($_REQUEST['dir'])) { - $dir = htmlspecialchars($_REQUEST['dir']); -} else { - $dir = 'ltr'; -} - -if (! empty($_REQUEST['type']) && is_string($_REQUEST['type'])) { - $type = htmlspecialchars($_REQUEST['type']); -} else { - $type = 'error'; -} - -// force utf-8 to avoid XSS with crafted URL and utf-7 in charset parameter -$charset = 'utf-8'; - -header('Content-Type: text/html; charset=' . $charset); -?> -<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> -<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="<?php echo $lang; ?>" dir="<?php echo $dir; ?>"> -<head> - <link rel="icon" href="./favicon.ico" type="image/x-icon" /> - <link rel="shortcut icon" href="./favicon.ico" type="image/x-icon" /> - <title>phpMyAdmin</title> - <meta http-equiv="Content-Type" content="text/html; charset=<?php echo $charset; ?>" /> - <style type="text/css"> - <!-- - html { - padding: 0; - margin: 0; - } - body { - font-family: sans-serif; - font-size: small; - color: #000000; - background-color: #F5F5F5; - margin: 1em; - } - h1 { - margin: 0; - padding: 0.3em; - font-size: 1.4em; - font-weight: bold; - color: #ffffff; - background-color: #ff0000; - } - p { - margin: 0; - padding: 0.5em; - border: 0.1em solid red; - background-color: #ffeeee; - } - //--> - </style> -</head> -<body> -<h1>phpMyAdmin - <?php echo $type; ?></h1> -<p><?php -if (!empty($_REQUEST['error'])) { - if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) { - echo PMA_sanitize(stripslashes($_REQUEST['error'])); - } else { - echo PMA_sanitize($_REQUEST['error']); - } -} else { - echo 'No error message!'; -} -?></p> -</body> -</html> diff --git a/libraries/common.inc.php b/libraries/common.inc.php index 1a140bb..4a67cbc 100644 --- a/libraries/common.inc.php +++ b/libraries/common.inc.php @@ -372,7 +372,6 @@ $goto_whitelist = array( 'db_printview.php', 'db_search.php', //'Documentation.html', - //'error.php', 'export.php', 'import.php', //'index.php', diff --git a/libraries/core.lib.php b/libraries/core.lib.php index 97d443a..54da58c 100644 --- a/libraries/core.lib.php +++ b/libraries/core.lib.php @@ -235,21 +235,18 @@ function PMA_fatalError($error_message, $message_args = null) }
// Displays the error message - // (do not use & for parameters sent by header) - $query_params = array( - 'lang' => $GLOBALS['available_languages'][$GLOBALS['lang']][1], - 'dir' => $GLOBALS['text_dir'], - 'type' => $error_header, - 'error' => $error_message, - ); - header('Location: ' . (defined('PMA_SETUP') ? '../' : '') . 'error.php?' - . http_build_query($query_params, null, '&')); + $lang = $GLOBALS['available_languages'][$GLOBALS['lang']][1]; + $dir = $GLOBALS['text_dir']; + $type = $error_header; + $error = $error_message;
// on fatal errors it cannot hurt to always delete the current session if (isset($GLOBALS['session_name']) && isset($_COOKIE[$GLOBALS['session_name']])) { $GLOBALS['PMA_Config']->removeCookie($GLOBALS['session_name']); }
+ require('./libraries/error.inc.php'); + exit; }
diff --git a/libraries/error.inc.php b/libraries/error.inc.php new file mode 100644 index 0000000..95d8847 --- /dev/null +++ b/libraries/error.inc.php @@ -0,0 +1,57 @@ +<?php +/* vim: set expandtab sw=4 ts=4 sts=4: */ +/** + * phpMyAdmin fatal error display page + * + * @package phpMyAdmin + */ + +if (! defined('PHPMYADMIN')) { + exit; +} + +header('Content-Type: text/html; charset=utf-8'); +?> +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="<?php echo $lang; ?>" dir="<?php echo $dir; ?>"> +<head> + <link rel="icon" href="./favicon.ico" type="image/x-icon" /> + <link rel="shortcut icon" href="./favicon.ico" type="image/x-icon" /> + <title>phpMyAdmin</title> + <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> + <style type="text/css"> + <!-- + html { + padding: 0; + margin: 0; + } + body { + font-family: sans-serif; + font-size: small; + color: #000000; + background-color: #F5F5F5; + margin: 1em; + } + h1 { + margin: 0; + padding: 0.3em; + font-size: 1.4em; + font-weight: bold; + color: #ffffff; + background-color: #ff0000; + } + p { + margin: 0; + padding: 0.5em; + border: 0.1em solid red; + background-color: #ffeeee; + } + //--> + </style> +</head> +<body> +<h1>phpMyAdmin - <?php echo $error_header; ?></h1> +<p><?php echo PMA_sanitize($error_message); ?></p> +</body> +</html> +
hooks/post-receive