[Phpmyadmin-git] [SCM] phpMyAdmin branch, master, updated. RELEASE_3_4_0BETA2-1480-g5ceb7bc

Michal Čihař nijel at users.sourceforge.net
Fri Jan 28 13:28:41 CET 2011


The branch, master has been updated
       via  5ceb7bc817fdae92b7ba340bc217be3564ac5e3d (commit)
       via  dc0c6938b284489acc4b13f6a023c44828b9457c (commit)
      from  87b0c3074722f4e64c03343145c65a8256227623 (commit)


- Log -----------------------------------------------------------------
commit 5ceb7bc817fdae92b7ba340bc217be3564ac5e3d
Author: Michal Čihař <mcihar at novell.com>
Date:   Fri Jan 28 13:28:02 2011 +0100

    Drop duplicate implementation of same thing.

commit dc0c6938b284489acc4b13f6a023c44828b9457c
Author: Michal Čihař <mcihar at novell.com>
Date:   Fri Jan 28 13:13:22 2011 +0100

    [security] Redirect external links to avoid Referer leakage.

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                                 |    1 +
 libraries/Message.class.php               |   55 +---------------------------
 libraries/auth/cookie.auth.lib.php        |    2 +-
 libraries/auth/swekey/swekey.auth.lib.php |    2 +-
 libraries/blobstreaming.lib.php           |   12 +++---
 libraries/common.inc.php                  |    4 ++-
 libraries/common.lib.php                  |   10 +++---
 libraries/config/FormDisplay.class.php    |    4 +-
 libraries/config/config_functions.lib.php |    8 +++-
 libraries/display_export.lib.php          |    2 +-
 libraries/engines/pbms.lib.php            |    6 ++--
 libraries/engines/pbxt.lib.php            |    6 ++--
 libraries/sanitizing.lib.php              |    6 +++-
 main.php                                  |    8 ++--
 themes.php                                |    2 +-
 url.php                                   |   18 +++++++++
 16 files changed, 62 insertions(+), 84 deletions(-)
 create mode 100644 url.php

diff --git a/ChangeLog b/ChangeLog
index 45e274b..e3add30 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -131,6 +131,7 @@
 - [export] Better handling of export to PHP array.
 - rfe #3158867 [privileges] No DROP DATABASE warning if you delete a user
 - [interface] Add link to documentation for status variables.
+- [security] Redirect external links to avoid Referer leakage.
 
 3.3.10.0 (not yet released)
 - patch #3147400 [structure] Aria table size printed as unknown,
diff --git a/libraries/Message.class.php b/libraries/Message.class.php
index 8783cdb..6a4df5b 100644
--- a/libraries/Message.class.php
+++ b/libraries/Message.class.php
@@ -647,65 +647,14 @@ class PMA_Message
      * for formatting
      *
      * @static
-     * @uses    PREG_SET_ORDER
-     * @uses    in_array()
-     * @uses    preg_match_all()
-     * @uses    preg_match()
-     * @uses    preg_replace()
-     * @uses    substr()
-     * @uses    strtr()
+     * @uses    PMA_sanitize
      * @param   string  $message the message
      * @return  string  the decoded message
      * @access  public
      */
     static public function decodeBB($message)
     {
-        $replace_pairs = array(
-            '[i]'       => '<em>',      // deprecated by em
-            '[/i]'      => '</em>',     // deprecated by em
-            '[em]'      => '<em>',
-            '[/em]'     => '</em>',
-            '[b]'       => '<strong>',  // deprecated by strong
-            '[/b]'      => '</strong>', // deprecated by strong
-            '[strong]'  => '<strong>',
-            '[/strong]' => '</strong>',
-            '[tt]'      => '<code>',    // deprecated by CODE or KBD
-            '[/tt]'     => '</code>',   // deprecated by CODE or KBD
-            '[code]'    => '<code>',
-            '[/code]'   => '</code>',
-            '[kbd]'     => '<kbd>',
-            '[/kbd]'    => '</kbd>',
-            '[br]'      => '<br />',
-            '[/a]'      => '</a>',
-            '[sup]'     => '<sup>',
-            '[/sup]'    => '</sup>',
-        );
-
-        $message = strtr($message, $replace_pairs);
-
-        $pattern = '/\[a@([^"@]*)@([^]"]*)\]/';
-
-        if (preg_match_all($pattern, $message, $founds, PREG_SET_ORDER)) {
-            $valid_links = array(
-                'http',  // default http:// links (and https://)
-                './Do',  // ./Documentation
-            );
-
-            foreach ($founds as $found) {
-                // only http... and ./Do... allowed
-                if (! in_array(substr($found[1], 0, 4), $valid_links)) {
-                    return $message;
-                }
-                // a-z and _ allowed in target
-                if (! empty($found[2]) && preg_match('/[^a-z_]+/i', $found[2])) {
-                    return $message;
-                }
-            }
-
-            $message = preg_replace($pattern, '<a href="\1" target="\2">', $message);
-        }
-
-        return $message;
+        return PMA_sanitize($message, false);
     }
 
     /**
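Review bot: decodeBB is now a one-line delegation to `PMA_sanitize($message, false)`, but its docblock still presents it as the BBCode decoder, so a reader cannot tell that the tag table and link rules now live in libraries/sanitizing.lib.php; add `@deprecated kept for backward compatibility, call PMA_sanitize($message, false) directly` (or a sentence to that effect) so callers migrate and the wrapper can eventually go. It is also worth stating that the literal `false` is PMA_sanitize's `$escape` argument, i.e. the result is unescaped HTML, exactly as the dropped implementation returned it.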
diff --git a/libraries/auth/cookie.auth.lib.php b/libraries/auth/cookie.auth.lib.php
index 21ca47a..805f9b3 100644
--- a/libraries/auth/cookie.auth.lib.php
+++ b/libraries/auth/cookie.auth.lib.php
@@ -192,7 +192,7 @@ if (top != self) {
     ?>
 
 <div class="container">
-<a href="http://www.phpmyadmin.net" target="_blank" class="logo"><?php
+<a href="./url.php?url=http://www.phpmyadmin.net" target="_blank" class="logo"><?php
     $logo_image = $GLOBALS['pmaThemeImage'] . 'logo_right.png';
     if (@file_exists($logo_image)) {
         echo '<img src="' . $logo_image . '" id="imLogo" name="imLogo" alt="phpMyAdmin" border="0" />';
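Review bot: The logo link now goes through ./url.php, which begins with `require_once './libraries/common.inc.php'` (see the url.php hunk); if common.inc.php enforces the cookie login before returning, following this link from the unauthenticated login page would bounce the visitor back to the login form rather than to phpmyadmin.net. That is inferred, not visible here, so please check it once; the same applies to `open_swekey_site()` in libraries/auth/swekey/swekey.auth.lib.php, which is also rendered before login. If it does, either keep direct links on pre-login pages or make url.php usable without an authenticated session.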
diff --git a/libraries/auth/swekey/swekey.auth.lib.php b/libraries/auth/swekey/swekey.auth.lib.php
index bb4e2c5..19b9163 100644
--- a/libraries/auth/swekey/swekey.auth.lib.php
+++ b/libraries/auth/swekey/swekey.auth.lib.php
@@ -231,7 +231,7 @@ function Swekey_login($input_name, $input_go)
         ?>
             function open_swekey_site()
             {
-                window.open("http://phpmyadmin.net/auth_key");
+                window.open("./url.php?url=http://phpmyadmin.net/auth_key");
             }
 
             var input_username = document.getElementById("<?php echo $input_name; ?>");
diff --git a/libraries/blobstreaming.lib.php b/libraries/blobstreaming.lib.php
index 594e5f1..070c8f3 100644
--- a/libraries/blobstreaming.lib.php
+++ b/libraries/blobstreaming.lib.php
@@ -31,7 +31,7 @@ function initPBMSDatabase()
             $query = "select * from $target.pbms_metadata_header"; // If it exists this table will not contain much
         }
     }
- 
+
     $result = PMA_DBI_query($query );
     if (! $result) {
         return FALSE;
@@ -106,7 +106,7 @@ function checkBLOBStreamingPlugins()
         }
         unset($existing_plugins, $one_existing_plugin);
     }
-    
+
     // set variable indicating BS plugin existence
     $PMA_Config->set('BLOBSTREAMING_PLUGINS_EXIST', $has_blobstreaming);
 
@@ -296,7 +296,7 @@ function PMA_BS_IsPBMSReference($bs_reference, $db_name)
      if (PMA_do_connect($db_name, FALSE) == FALSE) {
         return FALSE;
     }
-   
+
     $ok = pbms_is_blob_reference($bs_reference);
     return $ok ;
 }
@@ -391,8 +391,8 @@ function PMA_BS_IsTablePBMSEnabled($db_name, $tbl_name, $tbl_type)
     }
 
     // This information should be cached rather than selecting it each time.
-    //$query = "SELECT count(*)  FROM information_schema.TABLES T, pbms.pbms_enabled E where T.table_schema = ". PMA_backquote($db_name) . " and T.table_name = ". PMA_backquote($tbl_name) . " and T.engine = E.name"; 
-    $query = "SELECT count(*)  FROM pbms.pbms_enabled E where E.name = '" . PMA_sqlAddslashes($tbl_type) . "'"; 
+    //$query = "SELECT count(*)  FROM information_schema.TABLES T, pbms.pbms_enabled E where T.table_schema = ". PMA_backquote($db_name) . " and T.table_name = ". PMA_backquote($tbl_name) . " and T.engine = E.name";
+    $query = "SELECT count(*)  FROM pbms.pbms_enabled E where E.name = '" . PMA_sqlAddslashes($tbl_type) . "'";
     $result = PMA_DBI_query($query);
 
     $data = PMA_DBI_fetch_row($result);
@@ -497,7 +497,7 @@ function PMA_BS_getURL($reference)
         return FALSE;
     }
 
-    $bs_url = 'http://' . $bs_server . '/' . rtrim($reference);
+    $bs_url = './url.php?url=http://' . $bs_server . '/' . rtrim($reference);
     return $bs_url;
 }
 
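Review bot: PMA_BS_getURL now returns a relative redirector path instead of the absolute streaming URL, which is a contract change for every caller, and the function's docblock and callers are outside this hunk so I cannot see how the value is used. If any caller places it in a media `src`, compares it, or builds further URLs from it, the extra redirect hop changes behaviour; if it is only ever an `<a href>`, say so in the docblock, e.g. `@return string|false link to the streamed BLOB, routed through ./url.php (Referer hiding), or FALSE on failure`.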
diff --git a/libraries/common.inc.php b/libraries/common.inc.php
index d65c254..da66fda 100644
--- a/libraries/common.inc.php
+++ b/libraries/common.inc.php
@@ -476,7 +476,9 @@ if (! PMA_isValid($_REQUEST['token']) || $_SESSION[' PMA_token '] != $_REQUEST['
         /* for playing blobstreamable media */
         'media_type', 'custom_type', 'bs_reference',
         /* for changing BLOB repository file MIME type */
-        'bs_db', 'bs_table', 'bs_ref', 'bs_new_mime_type'
+        'bs_db', 'bs_table', 'bs_ref', 'bs_new_mime_type',
+        /* URL redirector */
+        'url'
     );
     /**
      * Require cleanup functions
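Review bot: `'url'` joins the list of request parameters that survive when the token is missing or wrong (the condition in the hunk header), which is necessary because external links carry no token, but the new comment does not say so and a later reader may remove the exception as a hardening step. Suggest `/* URL redirector: links to url.php carry no token, so this parameter must survive the token check; url.php must do nothing but validate and redirect */`. That also records the constraint that url.php must stay free of any state-changing behaviour.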
diff --git a/libraries/common.lib.php b/libraries/common.lib.php
index 711627f..cf9b7a5 100644
--- a/libraries/common.lib.php
+++ b/libraries/common.lib.php
@@ -419,13 +419,13 @@ function PMA_showMySQLDocu($chapter, $link, $big_icon = false, $anchor = '', $ju
     }
 
     if ($just_open) {
-        return '<a href="' . $url . '" target="mysql_doc">';
+        return '<a href="./url.php?url=' . $url . '" target="mysql_doc">';
     } elseif ($big_icon) {
-        return '<a href="' . $url . '" target="mysql_doc"><img class="icon" src="' . $GLOBALS['pmaThemeImage'] . 'b_sqlhelp.png" width="16" height="16" alt="' . __('Documentation') . '" title="' . __('Documentation') . '" /></a>';
+        return '<a href="./url.php?url=' . $url . '" target="mysql_doc"><img class="icon" src="' . $GLOBALS['pmaThemeImage'] . 'b_sqlhelp.png" width="16" height="16" alt="' . __('Documentation') . '" title="' . __('Documentation') . '" /></a>';
     } elseif ($GLOBALS['cfg']['ReplaceHelpImg']) {
-        return '<a href="' . $url . '" target="mysql_doc"><img class="icon" src="' . $GLOBALS['pmaThemeImage'] . 'b_help.png" width="11" height="11" alt="' . __('Documentation') . '" title="' . __('Documentation') . '" /></a>';
+        return '<a href="./url.php?url=' . $url . '" target="mysql_doc"><img class="icon" src="' . $GLOBALS['pmaThemeImage'] . 'b_help.png" width="11" height="11" alt="' . __('Documentation') . '" title="' . __('Documentation') . '" /></a>';
     } else {
-        return '[<a href="' . $url . '" target="mysql_doc">' . __('Documentation') . '</a>]';
+        return '[<a href="./url.php?url=' . $url . '" target="mysql_doc">' . __('Documentation') . '</a>]';
     }
 } // end of the 'PMA_showMySQLDocu()' function
 
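Review bot: `$url` is concatenated into the `url=` query parameter without `urlencode()` on all four return lines, so a `&`, `?` or `#` in the documentation URL is parsed as part of url.php's own query string, or in the case of `#` never reaches the server at all. `$url` is assembled before this hunk, but the `$anchor` parameter in PMA_showMySQLDocu's signature suggests it can end in a fragment; the same unencoded concatenation is visible in libraries/config/FormDisplay.class.php (`Config#' . $opt_name`), themes.php (`#pma_…`), main.php (`?group_id=23067`), libraries/config/config_functions.lib.php and libraries/blobstreaming.lib.php. Compute it once before the `if ($just_open)` chain, `$url = './url.php?url=' . urlencode($url);`, and drop the prefix from the four literals; PHP decodes the parameter before url.php's `^https?://` check sees it, so the check keeps working.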
@@ -2425,7 +2425,7 @@ function PMA_getDbLink($database = null)
 function PMA_externalBug($functionality, $component, $minimum_version, $bugref)
 {
     if ($component == 'mysql' && PMA_MYSQL_INT_VERSION < $minimum_version) {
-        echo PMA_showHint(sprintf(__('The %s functionality is affected by a known bug, see %s'), $functionality, 'http://bugs.mysql.com/' . $bugref));
+        echo PMA_showHint(sprintf(__('The %s functionality is affected by a known bug, see %s'), $functionality, './url.php?url=http://bugs.mysql.com/' . $bugref));
     }
 }
 
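Review bot: The `%s` in the hint is now filled with `./url.php?url=http://bugs.mysql.com/…`, and whether PMA_showHint turns that into a link is not visible here; if it renders the text as-is, the user reads a relative redirector path rather than the bug URL. If PMA_showHint passes its text through PMA_sanitize, the `[a@http://bugs.mysql.com/…@_blank]…[/a]` BBCode form (see the tag table dropped from Message.class.php in this commit) would give a readable link and, since PMA_sanitize now prefixes http links with url.php itself (libraries/sanitizing.lib.php hunk), avoid routing through the redirector twice. Worth confirming against PMA_showHint before merging.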
diff --git a/libraries/config/FormDisplay.class.php b/libraries/config/FormDisplay.class.php
index e3b10dc..b07ac3a 100644
--- a/libraries/config/FormDisplay.class.php
+++ b/libraries/config/FormDisplay.class.php
@@ -681,7 +681,7 @@ class FormDisplay
         if ($test == 'Export') {
             $opt_name = substr($opt_name, 7);
         }
-        return 'http://wiki.phpmyadmin.net/pma/Config#' . $opt_name;
+        return './url.php?url=http://wiki.phpmyadmin.net/pma/Config#' . $opt_name;
     }
 
     /**
@@ -774,4 +774,4 @@ class FormDisplay
         }
     }
 }
-?>
\ No newline at end of file
+?>
diff --git a/libraries/config/config_functions.lib.php b/libraries/config/config_functions.lib.php
index 6f9aabb..0d26cb5 100644
--- a/libraries/config/config_functions.lib.php
+++ b/libraries/config/config_functions.lib.php
@@ -91,10 +91,14 @@ function PMA_lang_link_replace($link, $text)
         $separator = PMA_get_arg_separator('html');
     }
 
-    if (!preg_match('#^http://#', $link)) {
+    if (!preg_match('#^https?://#', $link)) {
         $link = str_replace('&', $separator, $link);
+    } elseif (defined('PMA_SETUP')) {
+        $link = '../url.php?url=' . $link;
+    } else {
+        $link = './url.php?url=' . $link;
     }
 
     return '<a href="' . $link . '">' . $text . '</a>';
 }
-?>
\ No newline at end of file
+?>
diff --git a/libraries/display_export.lib.php b/libraries/display_export.lib.php
index 202cd4d..fc2065f 100644
--- a/libraries/display_export.lib.php
+++ b/libraries/display_export.lib.php
@@ -235,7 +235,7 @@ if(isset($_GET['sql_query'])) {
                     }
 
                     $message = new PMA_Message(__('This value is interpreted using %1$sstrftime%2$s, so you can use time formatting strings. Additionally the following transformations will happen: %3$s. Other text will be kept as is. See the %4$sFAQ%5$s for details.'));
-                    $message->addParam('<a href="http://php.net/strftime" target="documentation" title="'
+                    $message->addParam('<a href="./url.php?url=http://php.net/strftime" target="documentation" title="'
                         . __('Documentation') . '">', false);
                     $message->addParam('</a>', false);
                     $message->addParam($trans);
diff --git a/libraries/engines/pbms.lib.php b/libraries/engines/pbms.lib.php
index 58e3159..4065bf3 100644
--- a/libraries/engines/pbms.lib.php
+++ b/libraries/engines/pbms.lib.php
@@ -91,15 +91,15 @@ class PMA_StorageEngine_pbms extends PMA_StorageEngine
     function getPageDocumentation()
     {
         $output = '<p> Documentation and further information about PBMS can be found on '  . "\n"
-        . '<a href="http://www.blobstreaming.org/" target="_blank">The PrimeBase Media Streaming home page</a>.<br><br>' . "\n"
+        . '<a href="./url.php?url=http://www.blobstreaming.org/" target="_blank">The PrimeBase Media Streaming home page</a>.<br><br>' . "\n"
         . '<table id="PBMS_Related_Links" >' . "\n"
                 . '<tr>' . "\n"
         . '<td>' . "\n"
         . '<p>' . "\n"
         . '<strong><font size="2"><b>Related Links</b></font></strong>' . "\n"
         . '<br>' . "\n"
-        . '<a href="http://bpbdev.blogspot.com/" target="_blank">The PrimeBase Media Streaming Blog by Barry Leslie</a><br><br>' . "\n"
-        . '<a href="http://www.primebase.com/xt" target="_blank">PrimeBase XT Home Page</a><br><br>' . "\n"
+        . '<a href="./url.php?url=http://bpbdev.blogspot.com/" target="_blank">The PrimeBase Media Streaming Blog by Barry Leslie</a><br><br>' . "\n"
+        . '<a href="./url.php?url=http://www.primebase.com/xt" target="_blank">PrimeBase XT Home Page</a><br><br>' . "\n"
         . '</font>' . "\n"
         . '</td>' . "\n"
         . '</tr>' . "\n"
diff --git a/libraries/engines/pbxt.lib.php b/libraries/engines/pbxt.lib.php
index fbc6ce6..66da56a 100644
--- a/libraries/engines/pbxt.lib.php
+++ b/libraries/engines/pbxt.lib.php
@@ -122,15 +122,15 @@ class PMA_StorageEngine_pbxt extends PMA_StorageEngine
     function getPageDocumentation()
     {
         $output = '<p> Documentation and further information about PBXT can be found on the '  . "\n"
-        . '<a href="http://www.primebase.com/xt/" target="_blank">PrimeBase XT Home Page</a>.<br><br>' . "\n"
+        . '<a href="./url.php?url=http://www.primebase.com/xt/" target="_blank">PrimeBase XT Home Page</a>.<br><br>' . "\n"
         . '<table id="PBMS_Related_Links" >' . "\n"
         . '<tr>' . "\n"
         . '<td>' . "\n"
         . '<p>' . "\n"
         . '<strong><font size="2"><b>Related Links</b></font></strong>' . "\n"
         . '<br>' . "\n"
-        . '<a href="http://pbxt.blogspot.com/" target="_blank">The PrimeBase XT Blog by Paul McCullagh</a><br><br>' . "\n"
-        . '<a href="http://www.blobstreaming.org/" target="_blank">The PrimeBase Media Streaming (PBMS) home page</a>.<br><br>' . "\n"
+        . '<a href="./url.php?url=http://pbxt.blogspot.com/" target="_blank">The PrimeBase XT Blog by Paul McCullagh</a><br><br>' . "\n"
+        . '<a href="./url.php?url=http://www.blobstreaming.org/" target="_blank">The PrimeBase Media Streaming (PBMS) home page</a>.<br><br>' . "\n"
         . '</font>' . "\n"
         . '</td>' . "\n"
         . '</tr>' . "\n"
diff --git a/libraries/sanitizing.lib.php b/libraries/sanitizing.lib.php
index eb8696d..606c730 100644
--- a/libraries/sanitizing.lib.php
+++ b/libraries/sanitizing.lib.php
@@ -72,7 +72,11 @@ function PMA_sanitize($message, $escape = false)
             }
         }
 
-        $message = preg_replace($pattern, '<a href="\1" target="\2">', $message);
+        if (substr($found[1], 0, 4) == 'http') {
+            $message = preg_replace($pattern, '<a href="./url.php?url=\1" target="\2">', $message);
+        } else {
+            $message = preg_replace($pattern, '<a href="\1" target="\2">', $message);
+        }
     }
 
     if ($escape) {
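Review bot: `$found` in the new `if` appears to be the loop variable left over from the per-link validation `foreach` whose closing braces are the context just above, so the url.php decision is taken from the last `[a@…]` match only and `preg_replace` then applies that single choice to every link in the message; a message that mixes a `./Documentation…` link with an `http…` one has all of its links rewritten the same way. Decide per match instead by replacing each full match `$found[0]` individually over the array the validation loop iterates (`$founds` in the dropped decodeBB); the sketch below avoids closures so it stays usable on older PHP. The enclosing PMA_sanitize starts before this hunk.
```php
// … unchanged: per-link validation loop …
foreach ($founds as $found) {
    // route only external links through the redirector
    $href = substr($found[1], 0, 4) == 'http'
        ? './url.php?url=' . $found[1]
        : $found[1];
    $message = str_replace(
        $found[0],
        '<a href="' . $href . '" target="' . $found[2] . '">',
        $message
    );
}
```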
diff --git a/main.php b/main.php
index 48e98fc..3d03234 100644
--- a/main.php
+++ b/main.php
@@ -210,16 +210,16 @@ echo '<h2>phpMyAdmin</h2>';
 echo '<ul>';
 PMA_printListItem(__('Version information') . ': ' . PMA_VERSION, 'li_pma_version');
 PMA_printListItem(__('Documentation'), 'li_pma_docs', 'Documentation.html', null, '_blank');
-PMA_printListItem(__('Wiki'), 'li_pma_wiki', 'http://wiki.phpmyadmin.net', null, '_blank');
+PMA_printListItem(__('Wiki'), 'li_pma_wiki', './url.php?url=http://wiki.phpmyadmin.net', null, '_blank');
 
 // does not work if no target specified, don't know why
-PMA_printListItem(__('Official Homepage'), 'li_pma_homepage', 'http://www.phpMyAdmin.net/', null, '_blank');
+PMA_printListItem(__('Official Homepage'), 'li_pma_homepage', './url.php?url=http://www.phpMyAdmin.net/', null, '_blank');
 ?>
     <li><bdo xml:lang="en" dir="ltr">
         [<a href="changelog.php" target="_blank">ChangeLog</a>]
-        [<a href="http://phpmyadmin.git.sourceforge.net/git/gitweb-index.cgi"
+        [<a href="./url.php?url=http://phpmyadmin.git.sourceforge.net/git/gitweb-index.cgi"
             target="_blank">Git</a>]
-        [<a href="http://sourceforge.net/mail/?group_id=23067"
+        [<a href="./url.php?url=http://sourceforge.net/mail/?group_id=23067"
             target="_blank"><?php echo __('Mailing lists'); ?></a>]
         </bdo>
     </li>
diff --git a/themes.php b/themes.php
index e58933f..e4ad9f6 100644
--- a/themes.php
+++ b/themes.php
@@ -38,7 +38,7 @@ function takeThis(what){
 
 <body id="bodythemes">
 <h1>phpMyAdmin - <?php echo __('Theme / Style'); ?></h1>
-<p><a href="http://www.phpmyadmin.net/home_page/themes.php#pma_<?php echo preg_replace('/([0-9]*)\.([0-9]*)\..*/', '\1_\2', PMA_VERSION); ?>"><?php echo __('Get more themes!'); ?></a></p>
+<p><a href="./url.php?url=http://www.phpmyadmin.net/home_page/themes.php#pma_<?php echo preg_replace('/([0-9]*)\.([0-9]*)\..*/', '\1_\2', PMA_VERSION); ?>"><?php echo __('Get more themes!'); ?></a></p>
 <?php
 $_SESSION['PMA_Theme_Manager']->printPreviews();
 ?>
diff --git a/url.php b/url.php
new file mode 100644
index 0000000..a9d0f58
--- /dev/null
+++ b/url.php
@@ -0,0 +1,18 @@
+<?php
+/**
+ * URL redirector to avoid leaking Referer with some sensitive information.
+ */
+
+/**
+ * Gets core libraries and defines some variables
+ */
+require_once './libraries/common.inc.php';
+
+PMA_checkParameters(array('url'));
+
+if (! preg_match('/^https?:\/\/[^\n\r]*$/', $GLOBALS['url'])) {
+    header('Location: ' . $cfg['PmaAbsoluteUri']);
+} else {
+    header('Location: ' . $GLOBALS['url']);
+}
+?>
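Review bot: url.php accepts any `http(s)://` URL, so it is an open redirector: anyone who can place a link can bounce a user through the phpMyAdmin host to an arbitrary site, and restricting the target to an allow-list of the hosts this commit actually links to (phpmyadmin.net, bugs.mysql.com, php.net, sourceforge.net, …) keeps the Referer-hiding without that exposure. A `Location:` header may also not achieve the stated goal: browsers commonly carry the original page's Referer across an HTTP redirect, so the external site can still see the phpMyAdmin URL, and an HTML page that navigates via meta refresh or JavaScript is worth testing against the supported browsers instead. The pattern should carry the `D` modifier, `'/^https?:\/\/[^\n\r]*$/D'`, since a bare `$` also matches before a trailing newline. Finally, the header comment should state the trust model, e.g. `// Only the URL is taken from the request and no token is required here (see the exemption in common.inc.php), so this script must never do more than validate and redirect.`
```php
// … unchanged: require_once and PMA_checkParameters …

// Hosts this interface links to; anything else falls back to phpMyAdmin itself.
$allowed_hosts = array(
    'www.phpmyadmin.net', 'phpmyadmin.net', 'wiki.phpmyadmin.net',
    'bugs.mysql.com', 'php.net', 'sourceforge.net',
    // … remaining hosts linked from this commit …
);
$url  = $GLOBALS['url'];
$host = parse_url($url, PHP_URL_HOST);
if (! preg_match('/^https?:\/\/[^\n\r]*$/D', $url)
    || ! in_array($host, $allowed_hosts, true)) {
    $url = $cfg['PmaAbsoluteUri'];
}
// Navigate from a document instead of a Location header: HTTP redirects commonly
// keep the original page's Referer (verify against the supported browsers).
echo '<!DOCTYPE html><html><head><meta http-equiv="refresh" content="0;url='
    . htmlspecialchars($url, ENT_QUOTES) . '" /></head><body></body></html>';
exit;
```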

