The branch, master has been updated via 5ceb7bc817fdae92b7ba340bc217be3564ac5e3d (commit) via dc0c6938b284489acc4b13f6a023c44828b9457c (commit) from 87b0c3074722f4e64c03343145c65a8256227623 (commit)
- Log ----------------------------------------------------------------- commit 5ceb7bc817fdae92b7ba340bc217be3564ac5e3d Author: Michal Čihař mcihar@novell.com Date: Fri Jan 28 13:28:02 2011 +0100
Drop duplicate implementation of same thing.
commit dc0c6938b284489acc4b13f6a023c44828b9457c Author: Michal Čihař mcihar@novell.com Date: Fri Jan 28 13:13:22 2011 +0100
[security] Redirect external links to avoid Referer leakage.
-----------------------------------------------------------------------
Summary of changes: ChangeLog | 1 + libraries/Message.class.php | 55 +--------------------------- libraries/auth/cookie.auth.lib.php | 2 +- libraries/auth/swekey/swekey.auth.lib.php | 2 +- libraries/blobstreaming.lib.php | 12 +++--- libraries/common.inc.php | 4 ++- libraries/common.lib.php | 10 +++--- libraries/config/FormDisplay.class.php | 4 +- libraries/config/config_functions.lib.php | 8 +++- libraries/display_export.lib.php | 2 +- libraries/engines/pbms.lib.php | 6 ++-- libraries/engines/pbxt.lib.php | 6 ++-- libraries/sanitizing.lib.php | 6 +++- main.php | 8 ++-- themes.php | 2 +- url.php | 18 +++++++++ 16 files changed, 62 insertions(+), 84 deletions(-) create mode 100644 url.php
diff --git a/ChangeLog b/ChangeLog
index 45e274b..e3add30 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -131,6 +131,7 @@
 - [export] Better handling of export to PHP array.
 - rfe #3158867 [privileges] No DROP DATABASE warning if you delete a user
 - [interface] Add link to documentation for status variables.
+- [security] Redirect external links to avoid Referer leakage.
 3.3.10.0 (not yet released)
 - patch #3147400 [structure] Aria table size printed as unknown,
diff --git a/libraries/Message.class.php b/libraries/Message.class.php
index 8783cdb..6a4df5b 100644
--- a/libraries/Message.class.php
+++ b/libraries/Message.class.php
@@ -647,65 +647,14 @@ class PMA_Message
 * for formatting
 *
 * @static
- * @uses PREG_SET_ORDER
- * @uses in_array()
- * @uses preg_match_all()
- * @uses preg_match()
- * @uses preg_replace()
- * @uses substr()
- * @uses strtr()
+ * @uses PMA_sanitize
 * @param string $message the message
 * @return string the decoded message
 * @access public
 */
 static public function decodeBB($message)
 {
- $replace_pairs = array(
- '[i]' => '<em>', // deprecated by em
- '[/i]' => '</em>', // deprecated by em
- '[em]' => '<em>',
- '[/em]' => '</em>',
- '[b]' => '<strong>', // deprecated by strong
- '[/b]' => '</strong>', // deprecated by strong
- '[strong]' => '<strong>',
- '[/strong]' => '</strong>',
- '[tt]' => '<code>', // deprecated by CODE or KBD
- '[/tt]' => '</code>', // deprecated by CODE or KBD
- '[code]' => '<code>',
- '[/code]' => '</code>',
- '[kbd]' => '<kbd>',
- '[/kbd]' => '</kbd>',
- '[br]' => '<br />',
- '[/a]' => '</a>',
- '[sup]' => '<sup>',
- '[/sup]' => '</sup>',
- );
-
- $message = strtr($message, $replace_pairs);
-
- $pattern = '/[a@([^"@]*)@([^]"]*)]/';
-
- if (preg_match_all($pattern, $message, $founds, PREG_SET_ORDER)) {
- $valid_links = array(
- 'http', // default http:// links (and https://)
- './Do', // ./Documentation
- );
-
- foreach ($founds as $found) {
- // only http... and ./Do... allowed
- if (! in_array(substr($found[1], 0, 4), $valid_links)) {
- return $message;
- }
- // a-z and _ allowed in target
- if (! empty($found[2]) && preg_match('/[^a-z_]+/i', $found[2])) {
- return $message;
- }
- }
-
- $message = preg_replace($pattern, '<a href="\1" target="\2">', $message);
- }
-
- return $message;
+ return PMA_sanitize($message, false);
 }
 /**
diff --git a/libraries/auth/cookie.auth.lib.php b/libraries/auth/cookie.auth.lib.php
index 21ca47a..805f9b3 100644
--- a/libraries/auth/cookie.auth.lib.php
+++ b/libraries/auth/cookie.auth.lib.php
@@ -192,7 +192,7 @@ if (top != self) {
 ?>
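Review bot: decodeBB() now returns PMA_sanitize($message, false), so PMA_Message depends on libraries/sanitizing.lib.php being loaded wherever the class is used; the class file's require list is outside this hunk, and if it does not already pull that library in, a `require_once './libraries/sanitizing.lib.php';` at the top of Message.class.php keeps the class usable on its own. The docblock should also say that the new implementation's link validation is the one in PMA_sanitize(), since the old `http` / `./Do` prefix checks that lived here are gone.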
 <div class="container">
-<a href="http://www.phpmyadmin.net" target="_blank" class="logo"><?php
+<a href="./url.php?url=http://www.phpmyadmin.net" target="_blank" class="logo"><?php
 $logo_image = $GLOBALS['pmaThemeImage'] . 'logo_right.png';
 if (@file_exists($logo_image)) {
 echo '<img src="' . $logo_image . '" id="imLogo" name="imLogo" alt="phpMyAdmin" border="0" />';
diff --git a/libraries/auth/swekey/swekey.auth.lib.php b/libraries/auth/swekey/swekey.auth.lib.php
index bb4e2c5..19b9163 100644
--- a/libraries/auth/swekey/swekey.auth.lib.php
+++ b/libraries/auth/swekey/swekey.auth.lib.php
@@ -231,7 +231,7 @@ function Swekey_login($input_name, $input_go)
 ?>
 function open_swekey_site() {
- window.open("http://phpmyadmin.net/auth_key");
+ window.open("./url.php?url=http://phpmyadmin.net/auth_key");
 }
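Review bot: The login-page logo now points at url.php, which begins with `require_once './libraries/common.inc.php';`; if that include runs the authentication check before url.php reaches its header() call (not visible here), an unauthenticated visitor clicking the logo is shown the login form again instead of www.phpmyadmin.net. There is also no session token in the login page URL to protect, so keeping the plain `<a href="http://www.phpmyadmin.net" target="_blank" class="logo">` may be the better choice here. The same applies to `open_swekey_site()` in the next hunk, which is part of the same login flow.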
 var input_username = document.getElementById("<?php echo $input_name; ?>");
diff --git a/libraries/blobstreaming.lib.php b/libraries/blobstreaming.lib.php
index 594e5f1..070c8f3 100644
--- a/libraries/blobstreaming.lib.php
+++ b/libraries/blobstreaming.lib.php
@@ -31,7 +31,7 @@ function initPBMSDatabase()
 $query = "select * from $target.pbms_metadata_header"; // If it exists this table will not contain much
 }
 }
-
+
 $result = PMA_DBI_query($query );
 if (! $result) {
 return FALSE;
@@ -106,7 +106,7 @@ function checkBLOBStreamingPlugins()
 }
 unset($existing_plugins, $one_existing_plugin);
 }
-
+
 // set variable indicating BS plugin existence
 $PMA_Config->set('BLOBSTREAMING_PLUGINS_EXIST', $has_blobstreaming);
@@ -296,7 +296,7 @@ function PMA_BS_IsPBMSReference($bs_reference, $db_name)
 if (PMA_do_connect($db_name, FALSE) == FALSE) {
 return FALSE;
 }
-
+
 $ok = pbms_is_blob_reference($bs_reference);
 return $ok ;
 }
@@ -391,8 +391,8 @@ function PMA_BS_IsTablePBMSEnabled($db_name, $tbl_name, $tbl_type)
 }
 // This information should be cached rather than selecting it each time.
- //$query = "SELECT count(*) FROM information_schema.TABLES T, pbms.pbms_enabled E where T.table_schema = ". PMA_backquote($db_name) . " and T.table_name = ". PMA_backquote($tbl_name) . " and T.engine = E.name";
- $query = "SELECT count(*) FROM pbms.pbms_enabled E where E.name = '" . PMA_sqlAddslashes($tbl_type) . "'";
+ //$query = "SELECT count(*) FROM information_schema.TABLES T, pbms.pbms_enabled E where T.table_schema = ". PMA_backquote($db_name) . " and T.table_name = ". PMA_backquote($tbl_name) . " and T.engine = E.name";
+ $query = "SELECT count(*) FROM pbms.pbms_enabled E where E.name = '" . PMA_sqlAddslashes($tbl_type) . "'";
 $result = PMA_DBI_query($query);
 $data = PMA_DBI_fetch_row($result);
@@ -497,7 +497,7 @@ function PMA_BS_getURL($reference)
 return FALSE;
 }
- $bs_url = 'http://' . $bs_server . '/' . rtrim($reference);
+ $bs_url = './url.php?url=http://' . $bs_server . '/' . rtrim($reference);
 return $bs_url;
 }
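Review bot: The target URL is concatenated into the `url` query parameter without urlencode(), so an `&` in `$bs_server . '/' . rtrim($reference)` is parsed as a parameter separator and a `#` is kept by the browser as a fragment, and either way url.php never receives the full target. Building it as `$bs_url = './url.php?url=' . urlencode('http://' . $bs_server . '/' . rtrim($reference));` keeps the whole target intact. The same unencoded concatenation is used in PMA_showMySQLDocu() and PMA_externalBug() in common.lib.php, in FormDisplay.class.php, in PMA_lang_link_replace() in config_functions.lib.php, and in main.php and themes.php. PMA_BS_getURL() starts outside this hunk.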
diff --git a/libraries/common.inc.php b/libraries/common.inc.php
index d65c254..da66fda 100644
--- a/libraries/common.inc.php
+++ b/libraries/common.inc.php
@@ -476,7 +476,9 @@ if (! PMA_isValid($_REQUEST['token']) || $_SESSION[' PMA_token '] != $_REQUEST['
 /* for playing blobstreamable media */
 'media_type', 'custom_type', 'bs_reference',
 /* for changing BLOB repository file MIME type */
- 'bs_db', 'bs_table', 'bs_ref', 'bs_new_mime_type'
+ 'bs_db', 'bs_table', 'bs_ref', 'bs_new_mime_type',
+ /* URL redirector */
+ 'url'
 );
 /**
 * Require cleanup functions
diff --git a/libraries/common.lib.php b/libraries/common.lib.php
index 711627f..cf9b7a5 100644
--- a/libraries/common.lib.php
+++ b/libraries/common.lib.php
@@ -419,13 +419,13 @@ function PMA_showMySQLDocu($chapter, $link, $big_icon = false, $anchor = '', $ju
 }
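Review bot: `'url'` joins what appears to be the list of request parameters that common.inc.php still imports when the token check in the enclosing `if (! PMA_isValid($_REQUEST['token']) || ...)` fails, which is necessary because the links added in this commit carry no token, but the list does not say so. Replacing `/* URL redirector */` with `/* URL redirector (its links carry no token, so url.php must never do more than redirect) */` records the constraint for whoever extends url.php later.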
 if ($just_open) {
- return '<a href="' . $url . '" target="mysql_doc">';
+ return '<a href="./url.php?url=' . $url . '" target="mysql_doc">';
 } elseif ($big_icon) {
- return '<a href="' . $url . '" target="mysql_doc"><img class="icon" src="' . $GLOBALS['pmaThemeImage'] . 'b_sqlhelp.png" width="16" height="16" alt="' . __('Documentation') . '" title="' . __('Documentation') . '" /></a>';
+ return '<a href="./url.php?url=' . $url . '" target="mysql_doc"><img class="icon" src="' . $GLOBALS['pmaThemeImage'] . 'b_sqlhelp.png" width="16" height="16" alt="' . __('Documentation') . '" title="' . __('Documentation') . '" /></a>';
 } elseif ($GLOBALS['cfg']['ReplaceHelpImg']) {
- return '<a href="' . $url . '" target="mysql_doc"><img class="icon" src="' . $GLOBALS['pmaThemeImage'] . 'b_help.png" width="11" height="11" alt="' . __('Documentation') . '" title="' . __('Documentation') . '" /></a>';
+ return '<a href="./url.php?url=' . $url . '" target="mysql_doc"><img class="icon" src="' . $GLOBALS['pmaThemeImage'] . 'b_help.png" width="11" height="11" alt="' . __('Documentation') . '" title="' . __('Documentation') . '" /></a>';
 } else {
- return '[<a href="' . $url . '" target="mysql_doc">' . __('Documentation') . '</a>]';
+ return '[<a href="./url.php?url=' . $url . '" target="mysql_doc">' . __('Documentation') . '</a>]';
 }
 } // end of the 'PMA_showMySQLDocu()' function
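Review bot: `'./url.php?url=' . $url` is now spelled out in all four branches of PMA_showMySQLDocu(); assigning it once, `$url = './url.php?url=' . $url;` immediately before `if ($just_open) {`, leaves the branches with only the markup they actually differ in. More broadly, the same prefix is now repeated at roughly a dozen call sites in this commit; a small helper in common.lib.php (for example `PMA_linkURL($url)`) returning the redirector link would give one place to change the path, the encoding and any future target check. PMA_showMySQLDocu() starts outside this hunk.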
@@ -2425,7 +2425,7 @@ function PMA_getDbLink($database = null)
 function PMA_externalBug($functionality, $component, $minimum_version, $bugref)
 {
 if ($component == 'mysql' && PMA_MYSQL_INT_VERSION < $minimum_version) {
- echo PMA_showHint(sprintf(__('The %s functionality is affected by a known bug, see %s'), $functionality, 'http://bugs.mysql.com/' . $bugref));
+ echo PMA_showHint(sprintf(__('The %s functionality is affected by a known bug, see %s'), $functionality, './url.php?url=http://bugs.mysql.com/' . $bugref));
 }
 }
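Review bot: The value substituted for the second `%s` changes from `http://bugs.mysql.com/` followed by the reference to `./url.php?url=http://bugs.mysql.com/` followed by it; unless PMA_showHint() turns that string into a link (not visible here), the user now reads the relative redirector URL as plain text, which is not useful when copied. If it is rendered as text, keep the plain URL, or pass it as a `[a@...@...]` link so PMA_sanitize() applies the redirector itself.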
diff --git a/libraries/config/FormDisplay.class.php b/libraries/config/FormDisplay.class.php
index e3b10dc..b07ac3a 100644
--- a/libraries/config/FormDisplay.class.php
+++ b/libraries/config/FormDisplay.class.php
@@ -681,7 +681,7 @@ class FormDisplay
 if ($test == 'Export') {
 $opt_name = substr($opt_name, 7);
 }
- return 'http://wiki.phpmyadmin.net/pma/Config#' . $opt_name;
+ return './url.php?url=http://wiki.phpmyadmin.net/pma/Config#' . $opt_name;
 }
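Review bot: The wiki link ends in a fragment (`'...Config#' . $opt_name`), and fragments are not sent to the server, so url.php only ever sees `http://wiki.phpmyadmin.net/pma/Config` and its Location header has no anchor; whether the browser re-applies the original fragment after the 302 is browser-dependent, so the link may open at the top of the page. Encoding the whole target, `return './url.php?url=' . urlencode('http://wiki.phpmyadmin.net/pma/Config#' . $opt_name);`, carries the fragment as `%23...` inside the query and lets url.php echo it back. The `#pma_...` link in themes.php has the same problem. The enclosing method starts outside this hunk.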
 /**
@@ -774,4 +774,4 @@ class FormDisplay
 }
 }
 }
-?>
\ No newline at end of file
+?>
diff --git a/libraries/config/config_functions.lib.php b/libraries/config/config_functions.lib.php
index 6f9aabb..0d26cb5 100644
--- a/libraries/config/config_functions.lib.php
+++ b/libraries/config/config_functions.lib.php
@@ -91,10 +91,14 @@ function PMA_lang_link_replace($link, $text)
 $separator = PMA_get_arg_separator('html');
 }
- if (!preg_match('#^http://#', $link)) {
+ if (!preg_match('#^https?://#', $link)) {
 $link = str_replace('&', $separator, $link);
+ } elseif (defined('PMA_SETUP')) {
+ $link = '../url.php?url=' . $link;
+ } else {
+ $link = './url.php?url=' . $link;
 }
 return '<a href="' . $link . '">' . $text . '</a>';
 }
-?>
\ No newline at end of file
+?>
diff --git a/libraries/display_export.lib.php b/libraries/display_export.lib.php
index 202cd4d..fc2065f 100644
--- a/libraries/display_export.lib.php
+++ b/libraries/display_export.lib.php
@@ -235,7 +235,7 @@ if(isset($_GET['sql_query'])) {
 }
 $message = new PMA_Message(__('This value is interpreted using %1$sstrftime%2$s, so you can use time formatting strings. Additionally the following transformations will happen: %3$s. Other text will be kept as is. See the %4$sFAQ%5$s for details.'));
- $message->addParam('<a href="http://php.net/strftime" target="documentation" title="'
+ $message->addParam('<a href="./url.php?url=http://php.net/strftime" target="documentation" title="'
 . __('Documentation') . '">', false);
 $message->addParam('</a>', false);
 $message->addParam($trans);
diff --git a/libraries/engines/pbms.lib.php b/libraries/engines/pbms.lib.php
index 58e3159..4065bf3 100644
--- a/libraries/engines/pbms.lib.php
+++ b/libraries/engines/pbms.lib.php
@@ -91,15 +91,15 @@ class PMA_StorageEngine_pbms extends PMA_StorageEngine
 function getPageDocumentation()
 {
 $output = '<p> Documentation and further information about PBMS can be found on ' . "\n"
- . '<a href="http://www.blobstreaming.org/" target="_blank">The PrimeBase Media Streaming home page</a>.<br><br>' . "\n"
+ . '<a href="./url.php?url=http://www.blobstreaming.org/" target="_blank">The PrimeBase Media Streaming home page</a>.<br><br>' . "\n"
 . '<table id="PBMS_Related_Links" >' . "\n"
 . '<tr>' . "\n"
 . '<td>' . "\n"
 . '<p>' . "\n"
 . '<strong><font size="2"><b>Related Links</b></font></strong>' . "\n"
 . '<br>' . "\n"
- . '<a href="http://bpbdev.blogspot.com/" target="_blank">The PrimeBase Media Streaming Blog by Barry Leslie</a><br><br>' . "\n"
- . '<a href="http://www.primebase.com/xt" target="_blank">PrimeBase XT Home Page</a><br><br>' . "\n"
+ . '<a href="./url.php?url=http://bpbdev.blogspot.com/" target="_blank">The PrimeBase Media Streaming Blog by Barry Leslie</a><br><br>' . "\n"
+ . '<a href="./url.php?url=http://www.primebase.com/xt" target="_blank">PrimeBase XT Home Page</a><br><br>' . "\n"
 . '</font>' . "\n"
 . '</td>' . "\n"
 . '</tr>' . "\n"
diff --git a/libraries/engines/pbxt.lib.php b/libraries/engines/pbxt.lib.php
index fbc6ce6..66da56a 100644
--- a/libraries/engines/pbxt.lib.php
+++ b/libraries/engines/pbxt.lib.php
@@ -122,15 +122,15 @@ class PMA_StorageEngine_pbxt extends PMA_StorageEngine
 function getPageDocumentation()
 {
 $output = '<p> Documentation and further information about PBXT can be found on the ' . "\n"
- . '<a href="http://www.primebase.com/xt/" target="_blank">PrimeBase XT Home Page</a>.<br><br>' . "\n"
+ . '<a href="./url.php?url=http://www.primebase.com/xt/" target="_blank">PrimeBase XT Home Page</a>.<br><br>' . "\n"
 . '<table id="PBMS_Related_Links" >' . "\n"
 . '<tr>' . "\n"
 . '<td>' . "\n"
 . '<p>' . "\n"
 . '<strong><font size="2"><b>Related Links</b></font></strong>' . "\n"
 . '<br>' . "\n"
- . '<a href="http://pbxt.blogspot.com/" target="_blank">The PrimeBase XT Blog by Paul McCullagh</a><br><br>' . "\n"
- . '<a href="http://www.blobstreaming.org/" target="_blank">The PrimeBase Media Streaming (PBMS) home page</a>.<br><br>' . "\n"
+ . '<a href="./url.php?url=http://pbxt.blogspot.com/" target="_blank">The PrimeBase XT Blog by Paul McCullagh</a><br><br>' . "\n"
+ . '<a href="./url.php?url=http://www.blobstreaming.org/" target="_blank">The PrimeBase Media Streaming (PBMS) home page</a>.<br><br>' . "\n"
 . '</font>' . "\n"
 . '</td>' . "\n"
 . '</tr>' . "\n"
diff --git a/libraries/sanitizing.lib.php b/libraries/sanitizing.lib.php
index eb8696d..606c730 100644
--- a/libraries/sanitizing.lib.php
+++ b/libraries/sanitizing.lib.php
@@ -72,7 +72,11 @@ function PMA_sanitize($message, $escape = false)
 }
 }
- $message = preg_replace($pattern, '<a href="\1" target="\2">', $message);
+ if (substr($found[1], 0, 4) == 'http') {
+ $message = preg_replace($pattern, '<a href="./url.php?url=\1" target="\2">', $message);
+ } else {
+ $message = preg_replace($pattern, '<a href="\1" target="\2">', $message);
+ }
 }
 if ($escape) {
diff --git a/main.php b/main.php
index 48e98fc..3d03234 100644
--- a/main.php
+++ b/main.php
@@ -210,16 +210,16 @@ echo '<h2>phpMyAdmin</h2>';
 echo '<ul>';
 PMA_printListItem(__('Version information') . ': ' . PMA_VERSION, 'li_pma_version');
 PMA_printListItem(__('Documentation'), 'li_pma_docs', 'Documentation.html', null, '_blank');
-PMA_printListItem(__('Wiki'), 'li_pma_wiki', 'http://wiki.phpmyadmin.net', null, '_blank');
+PMA_printListItem(__('Wiki'), 'li_pma_wiki', './url.php?url=http://wiki.phpmyadmin.net', null, '_blank');
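Review bot: `$found` is read after the `foreach ($founds as $found)` loop has finished (judging by the identical structure in the decodeBB() body removed from Message.class.php, the two `}` at the top of the hunk close the inner `if` and the loop), so `substr($found[1], 0, 4) == 'http'` only tests the last link in the message, and preg_replace() then rewrites every `[a@...@...]` link the same way. A message mixing an external link with a `./Documentation` link therefore either sends the local link through url.php, which rejects non-http targets and redirects to PmaAbsoluteUri, or leaves the external link without the redirector, depending on which comes last. Two passes decide per link: first `$message = preg_replace($pattern_http, '<a href="./url.php?url=\1" target="\2">', $message);` where `$pattern_http` is `$pattern` with its first group narrowed to `(http[^"@]*)`, then the existing `$message = preg_replace($pattern, '<a href="\1" target="\2">', $message);` for the links that remain. PMA_sanitize() starts and ends outside this hunk.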
 // does not work if no target specified, don't know why
-PMA_printListItem(__('Official Homepage'), 'li_pma_homepage', 'http://www.phpMyAdmin.net/', null, '_blank');
+PMA_printListItem(__('Official Homepage'), 'li_pma_homepage', './url.php?url=http://www.phpMyAdmin.net/', null, '_blank');
 ?>
 <li><bdo xml:lang="en" dir="ltr">
 [<a href="changelog.php" target="_blank">ChangeLog</a>]
- [<a href="http://phpmyadmin.git.sourceforge.net/git/gitweb-index.cgi"
+ [<a href="./url.php?url=http://phpmyadmin.git.sourceforge.net/git/gitweb-index.cgi"
 target="_blank">Git</a>]
- [<a href="http://sourceforge.net/mail/?group_id=23067"
+ [<a href="./url.php?url=http://sourceforge.net/mail/?group_id=23067"
 target="_blank"><?php echo __('Mailing lists'); ?></a>]
 </bdo>
 </li>
diff --git a/themes.php b/themes.php
index e58933f..e4ad9f6 100644
--- a/themes.php
+++ b/themes.php
@@ -38,7 +38,7 @@ function takeThis(what){
 <body id="bodythemes">
 <h1>phpMyAdmin - <?php echo __('Theme / Style'); ?></h1>
-<p><a href="http://www.phpmyadmin.net/home_page/themes.php#pma_<?php echo preg_replace('/([0-9]*)\.([0-9]*)\..*/', '\1_\2', PMA_VERSION); ?>"><?php echo __('Get more themes!'); ?></a></p>
+<p><a href="./url.php?url=http://www.phpmyadmin.net/home_page/themes.php#pma_<?php echo preg_replace('/([0-9]*)\.([0-9]*)\..*/', '\1_\2', PMA_VERSION); ?>"><?php echo __('Get more themes!'); ?></a></p>
 <?php
 $_SESSION['PMA_Theme_Manager']->printPreviews();
 ?>
diff --git a/url.php b/url.php
new file mode 100644
index 0000000..a9d0f58
--- /dev/null
+++ b/url.php
@@ -0,0 +1,18 @@
+<?php
+/**
+ * URL redirector to avoid leaking Referer with some sensitive information.
+ */
+
+/**
+ * Gets core libraries and defines some variables
+ */
+require_once './libraries/common.inc.php';
+
+PMA_checkParameters(array('url'));
+
+if (! preg_match('/^https?:\/\/[^\n\r]*$/', $GLOBALS['url'])) {
+ header('Location: ' . $cfg['PmaAbsoluteUri']);
+} else {
+ header('Location: ' . $GLOBALS['url']);
+}
+?>
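Review bot: The check accepts any `http://` or `https://` target, so url.php is an open redirect that can send a phpMyAdmin-hosted link to an arbitrary site; every target this commit routes through it is a fixed project or vendor host (phpmyadmin.net, php.net, bugs.mysql.com, sourceforge.net, primebase.com, blobstreaming.org, blogspot.com) plus the `$bs_server` value used by PMA_BS_getURL(), so comparing `parse_url($GLOBALS['url'], PHP_URL_HOST)` against an allow-list of those hosts would close it without losing a link. Two smaller points on the same lines: PCRE `$` also matches before a trailing newline unless the `D` modifier is set, so `'/^https?:\/\/[^\n\r]*$/D'` makes the check mean what it reads (current PHP's header() refuses a newline anyway, but the intent should not rest on that), and each `header('Location: ...')` should be followed by `exit;` so nothing after it can run. Finally, a 302 alone may not achieve the stated goal: when following a Location redirect, browsers of this generation commonly keep the Referer of the original request, i.e. the phpMyAdmin page URL including its token, so it is worth testing against the target browsers and, if confirmed, redirecting from a small intermediate page (JavaScript or meta refresh) instead.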