[Phpmyadmin-git] [SCM] phpMyAdmin branch, master, updated. RELEASE_3_4_3_1-12961-g4acaf76

Michal Čihař nijel at users.sourceforge.net
Thu Aug 4 14:58:37 CEST 2011


The branch, master has been updated
       via  4acaf763128928760fd47e75de794a288dc99762 (commit)
       via  f97b5aba9b9458a627503f164fd5dafdac750002 (commit)
      from  71db1cb416556dceb50cf984e9f8033d3487f15e (commit)


- Log -----------------------------------------------------------------
commit 4acaf763128928760fd47e75de794a288dc99762
Author: Michal Čihař <mcihar at suse.cz>
Date:   Thu Aug 4 14:58:22 2011 +0200

    Documentation

commit f97b5aba9b9458a627503f164fd5dafdac750002
Author: Michal Čihař <mcihar at suse.cz>
Date:   Thu Aug 4 14:57:16 2011 +0200

    Better check for valid filename

-----------------------------------------------------------------------

Summary of changes:
 file_echo.php |   22 +++++++++++++++++++---
 1 files changed, 19 insertions(+), 3 deletions(-)

diff --git a/file_echo.php b/file_echo.php
index 7b27ffa..f829853 100644
--- a/file_echo.php
+++ b/file_echo.php
@@ -15,16 +15,32 @@ if (isset($_REQUEST['filename']) && isset($_REQUEST['image'])) {
         'image/svg+xml' => 'svg',
     );
 
+    /* Check whether MIME type is allowed */
     if (! isset($allowed[$_REQUEST['type']])) {
         die('Invalid export type');
     }
 
-    if (! preg_match("/(".implode("|",$allowed).")$/i", $_REQUEST['filename'])) {
-        $_REQUEST['filename'] .= '.' . $allowed[$_REQUEST['type']];
+    /*
+     * Check file name to match mime type and not contain new lines
+     * to prevent response splitting.
+     */
+    if (! preg_match('/^[^\n\r]*\.' . $allowed[$_REQUEST['type']] . '$/', $_REQUEST['filename'])) {
+        if (! preg_match('/^[^\n\r]*$/', $_REQUEST['filename'])) {
+            /* Add extension */
+            $filename = 'dowload.' . $allowed[$_REQUEST['type']];
+        } else {
+            /* Filename is unsafe, discard it */
+            $filename = $_REQUEST['filename'] . '.' . $allowed[$_REQUEST['type']];
+        }
+    } else {
+        /* Filename from request should be safe here */
+        $filename = $_REQUEST['filename'];
     }
 
-    PMA_download_header($_REQUEST['filename'], $_REQUEST['type']);
+    /* Send download header */
+    PMA_download_header($filename, $_REQUEST['type']);
 
+    /* Send data */
     if ($allowed[$_REQUEST['type']] != 'svg') {
         echo base64_decode(substr($_REQUEST['image'], strpos($_REQUEST['image'],',') + 1));
     } else {
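Review bot: the comments on the two inner branches are swapped, and the fallback name is misspelled. The test `preg_match('/^[^\n\r]*$/', $_REQUEST['filename'])` is true when the filename is safe (no CR/LF), so the branch that runs when it fails, labelled `/* Add extension */`, is the one that discards the request value and substitutes `'dowload.' . $allowed[$_REQUEST['type']]` (should read `download`), while the `else` branch labelled `/* Filename is unsafe, discard it */` is the one that keeps `$_REQUEST['filename']` and appends the extension. Swap the two comments and fix the spelling. A second point: both new patterns end in `$`, which in PCRE without the `D` modifier also matches immediately before a final newline, so a value such as `"name\n"` passes `/^[^\n\r]*$/`, takes the else branch and becomes `"name\n.png"` in the download header, and `"name.png\n"` passes the first pattern unchanged; use `/^[^\n\r]*$/D` (same for the first pattern) or anchor with `\z` instead of `$` so the response-splitting check the comment promises actually holds. Finally, the old check was case-insensitive (`/i`) and the new one is not, so `report.PNG` now becomes `report.PNG.png`; if that is intended, say so in the comment, otherwise add `i` back.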


hooks/post-receive
-- 
phpMyAdmin



