The branch, master has been updated
via aa6fec0532a9dd48d4e35831c1b1c9785c124dd7 (commit)
from bef58c45190f73bb3572122aa3d092677bc6affd (commit)
- Log -----------------------------------------------------------------
commit aa6fec0532a9dd48d4e35831c1b1c9785c124dd7
Author: Michal Čihař <mcihar(a)novell.com>
Date: Tue Dec 7 12:19:07 2010 +0100
Remove error.php
Redirecting to other script introduces possibility of inject custom
messages to it. Though there is no clear security issue in this, it
might confuse users and mistake them to go to external site as it allows
to include links.
-----------------------------------------------------------------------
Summary of changes:
error.php | 89 ----------------------------------------------
libraries/common.inc.php | 1 -
libraries/core.lib.php | 15 +++-----
libraries/error.inc.php | 57 +++++++++++++++++++++++++++++
4 files changed, 63 insertions(+), 99 deletions(-)
delete mode 100644 error.php
create mode 100644 libraries/error.inc.php
diff --git a/error.php b/error.php
deleted file mode 100644
index b1d47e2..0000000
--- a/error.php
+++ /dev/null
@@ -1,89 +0,0 @@
-<?php
-/* vim: set expandtab sw=4 ts=4 sts=4: */
-/**
- * phpMyAdmin fatal error display page
- *
- * @package phpMyAdmin
- */
-
-/**
- * Input sanitizing.
- */
-require './libraries/sanitizing.lib.php';
-
-/* Get variables */
-if (! empty($_REQUEST['lang']) && is_string($_REQUEST['lang']))
{
- $lang = htmlspecialchars($_REQUEST['lang']);
-} else {
- $lang = 'en';
-}
-
-if (! empty($_REQUEST['dir']) && is_string($_REQUEST['dir'])) {
- $dir = htmlspecialchars($_REQUEST['dir']);
-} else {
- $dir = 'ltr';
-}
-
-if (! empty($_REQUEST['type']) && is_string($_REQUEST['type']))
{
- $type = htmlspecialchars($_REQUEST['type']);
-} else {
- $type = 'error';
-}
-
-// force utf-8 to avoid XSS with crafted URL and utf-7 in charset parameter
-$charset = 'utf-8';
-
-header('Content-Type: text/html; charset=' . $charset);
-?>
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html
xmlns="http://www.w3.org/1999/xhtml" xml:lang="<?php echo
$lang; ?>" dir="<?php echo $dir; ?>">
-<head>
- <link rel="icon" href="./favicon.ico"
type="image/x-icon" />
- <link rel="shortcut icon" href="./favicon.ico"
type="image/x-icon" />
- <title>phpMyAdmin</title>
- <meta http-equiv="Content-Type" content="text/html;
charset=<?php echo $charset; ?>" />
- <style type="text/css">
- <!--
- html {
- padding: 0;
- margin: 0;
- }
- body {
- font-family: sans-serif;
- font-size: small;
- color: #000000;
- background-color: #F5F5F5;
- margin: 1em;
- }
- h1 {
- margin: 0;
- padding: 0.3em;
- font-size: 1.4em;
- font-weight: bold;
- color: #ffffff;
- background-color: #ff0000;
- }
- p {
- margin: 0;
- padding: 0.5em;
- border: 0.1em solid red;
- background-color: #ffeeee;
- }
- //-->
- </style>
-</head>
-<body>
-<h1>phpMyAdmin - <?php echo $type; ?></h1>
-<p><?php
-if (!empty($_REQUEST['error'])) {
- if (function_exists('get_magic_quotes_gpc') &&
get_magic_quotes_gpc()) {
- echo PMA_sanitize(stripslashes($_REQUEST['error']));
- } else {
- echo PMA_sanitize($_REQUEST['error']);
- }
-} else {
- echo 'No error message!';
-}
-?></p>
-</body>
-</html>
diff --git a/libraries/common.inc.php b/libraries/common.inc.php
index 1a140bb..4a67cbc 100644
--- a/libraries/common.inc.php
+++ b/libraries/common.inc.php
@@ -372,7 +372,6 @@ $goto_whitelist = array(
'db_printview.php',
'db_search.php',
//'Documentation.html',
- //'error.php',
'export.php',
'import.php',
//'index.php',
diff --git a/libraries/core.lib.php b/libraries/core.lib.php
index 97d443a..54da58c 100644
--- a/libraries/core.lib.php
+++ b/libraries/core.lib.php
@@ -235,21 +235,18 @@ function PMA_fatalError($error_message, $message_args = null)
}
// Displays the error message
- // (do not use & for parameters sent by header)
- $query_params = array(
- 'lang' =>
$GLOBALS['available_languages'][$GLOBALS['lang']][1],
- 'dir' => $GLOBALS['text_dir'],
- 'type' => $error_header,
- 'error' => $error_message,
- );
- header('Location: ' . (defined('PMA_SETUP') ? '../' :
'') . 'error.php?'
- . http_build_query($query_params, null, '&'));
+ $lang = $GLOBALS['available_languages'][$GLOBALS['lang']][1];
+ $dir = $GLOBALS['text_dir'];
+ $type = $error_header;
+ $error = $error_message;
// on fatal errors it cannot hurt to always delete the current session
if (isset($GLOBALS['session_name']) &&
isset($_COOKIE[$GLOBALS['session_name']])) {
$GLOBALS['PMA_Config']->removeCookie($GLOBALS['session_name']);
}
+ require('./libraries/error.inc.php');
+
exit;
}
diff --git a/libraries/error.inc.php b/libraries/error.inc.php
new file mode 100644
index 0000000..95d8847
--- /dev/null
+++ b/libraries/error.inc.php
@@ -0,0 +1,57 @@
+<?php
+/* vim: set expandtab sw=4 ts=4 sts=4: */
+/**
+ * phpMyAdmin fatal error display page
+ *
+ * @package phpMyAdmin
+ */
+
+if (! defined('PHPMYADMIN')) {
+ exit;
+}
+
+header('Content-Type: text/html; charset=utf-8');
+?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
xmlns="http://www.w3.org/1999/xhtml" xml:lang="<?php echo
$lang; ?>" dir="<?php echo $dir; ?>">
+<head>
+ <link rel="icon" href="./favicon.ico"
type="image/x-icon" />
+ <link rel="shortcut icon" href="./favicon.ico"
type="image/x-icon" />
+ <title>phpMyAdmin</title>
+ <meta http-equiv="Content-Type" content="text/html;
charset=utf-8" />
+ <style type="text/css">
+ <!--
+ html {
+ padding: 0;
+ margin: 0;
+ }
+ body {
+ font-family: sans-serif;
+ font-size: small;
+ color: #000000;
+ background-color: #F5F5F5;
+ margin: 1em;
+ }
+ h1 {
+ margin: 0;
+ padding: 0.3em;
+ font-size: 1.4em;
+ font-weight: bold;
+ color: #ffffff;
+ background-color: #ff0000;
+ }
+ p {
+ margin: 0;
+ padding: 0.5em;
+ border: 0.1em solid red;
+ background-color: #ffeeee;
+ }
+ //-->
+ </style>
+</head>
+<body>
+<h1>phpMyAdmin - <?php echo $error_header; ?></h1>
+<p><?php echo PMA_sanitize($error_message); ?></p>
+</body>
+</html>
+
hooks/post-receive
--
phpMyAdmin