Fix merge conflicts
Marc Delisle committed Apr 24, 2013
2 parents f05b0dc + fa6ef14 commit 849eeb4
Showing 5 changed files with 153 additions and 13 deletions.
4 changes: 4 additions & 0 deletions ChangeLog
Expand Up @@ -110,6 +110,10 @@ underscore
- bug #3873 Can't copy table to target database if table exists there
- bug #3683 Incorrect listing of records from to count
- bug #3876 [import] PHP 5.2 - unexpected T_PAAMAYIM_NEKUDOTAYIM
- [security] Local file inclusion vulnerability, reported by Janek Vind
(see PMASA-2013-4)
- [security] Global variables overwrite in export.php, reported by Janek Vind
(see PMASA-2013-5)

3.5.9.0 (not yet released)

116 changes: 111 additions & 5 deletions export.php
Expand Up @@ -14,13 +14,117 @@
require_once 'libraries/plugin_interface.lib.php';

/**
* Sets globals from all $_POST (in export.php only)
* Would it not be tiresome to list all export-plugin options here?
* Sets globals from $_POST
*
* - Please keep the parameters in order of their appearance in the form
* - Some of these parameters are not used, as the code below directly
* verifies from the superglobal $_POST or $_REQUEST
*/
foreach ($_POST as $one_post_param => $one_post_value) {
$GLOBALS[$one_post_param] = $one_post_value;
$post_params = array(
'db',
'table',
'single_table',
'export_type',
'export_method',
'quick_or_custom',
'limit_to',
'limit_from',
'allrows',
'output_format',
'filename_template',
'remember_template',
'charset_of_file',
'compression',
'what',
'htmlword_structure_or_data',
'htmlword_null',
'htmlword_columns',
'mediawiki_structure_or_data',
'mediawiki_caption',
'pdf_report_title',
'pdf_structure_or_data',
'odt_structure_or_data',
'odt_relation',
'odt_comments',
'odt_mime',
'odt_columns',
'odt_null',
'codegen_structure_or_data',
'codegen_format',
'excel_null',
'excel_columns',
'excel_edition',
'excel_structure_or_data',
'yaml_structure_or_data',
'ods_null',
'ods_structure_or_data',
'ods_columns',
'json_structure_or_data',
'xml_structure_or_data',
'xml_export_functions',
'xml_export_procedures',
'xml_export_tables',
'xml_export_triggers',
'xml_export_views',
'xml_export_contents',
'texytext_structure_or_data',
'texytext_columns',
'texytext_null',
'phparray_structure_or_data',
'sql_include_comments',
'sql_header_comment',
'sql_dates',
'sql_relation',
'sql_mime',
'sql_use_transaction',
'sql_disable_fk',
'sql_compatibility',
'sql_structure_or_data',
'sql_drop_table',
'sql_procedure_function',
'sql_create_table_statements',
'sql_if_not_exists',
'sql_auto_increment',
'sql_backquotes',
'sql_truncate',
'sql_delayed',
'sql_ignore',
'sql_type',
'sql_insert_syntax',
'sql_max_query_size',
'sql_hex_for_blob',
'sql_utc_time',
'csv_separator',
'csv_enclosed',
'csv_escaped',
'csv_terminated',
'csv_null',
'csv_columns',
'csv_structure_or_data',
'latex_caption',
'latex_structure_or_data',
'latex_structure_caption',
'latex_structure_continued_caption',
'latex_structure_label',
'latex_relation',
'latex_comments',
'latex_mime',
'latex_columns',
'latex_data_caption',
'latex_data_continued_caption',
'latex_data_label',
'latex_null'
);

foreach ($post_params as $one_post_param) {
if (isset($_POST[$one_post_param])) {
$GLOBALS[$one_post_param] = $_POST[$one_post_param];
}
}

// sanitize this parameter which will be used below in a file inclusion
$what = PMA_securePath($what);

PMA_Util::checkParameters(array('what', 'export_type'));

// export class instance, not array of properties, as before
Expand Down Expand Up @@ -352,7 +456,9 @@ function PMA_exportOutputHandler($line)
}
}
$filename = PMA_Util::expandUserString($filename_template);
$filename = PMA_sanitizeFilename($filename);
// remove dots in filename (coming from either the template or already
// part of the filename) to avoid a remote code execution vulnerability
$filename = PMA_sanitizeFilename($filename, $replaceDots = true);

// Grab basic dump extension and mime type
// Check if the user already added extension;
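Review bot: In the first hunk, `$what = PMA_securePath($what);` runs before `PMA_Util::checkParameters(array('what', 'export_type'));`, and the whitelist loop only sets the global when `$_POST['what']` exists, so a request without `what` reads an undefined variable here unless it is set elsewhere. Moving the sanitizing line below the `checkParameters` call would avoid that. Since the value is later used to build an include path, comparing it against the names of the available export plugins would be a stricter check than path cleaning, whose behaviour is not visible in this hunk. In the second hunk, `$replaceDots = true` inside the call is an assignment, not a named argument, and leaves a stray variable in the calling scope; `PMA_sanitizeFilename($filename, true)` is equivalent.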
3 changes: 3 additions & 0 deletions libraries/Tracker.class.php
Expand Up @@ -941,6 +941,9 @@ static public function handleQuery($query)
if (empty($dbname)) {
return;
}
// Remove null bytes (preg_replace() is vulnerable in some
// PHP versions)
$dbname = str_replace("\0", "", $dbname);

// If we found a valid statement
if (isset($result['identifier'])) {
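Review bot: The null-byte removal sits after the `if (empty($dbname))` guard, so a `$dbname` made up only of null bytes passes the guard and is empty by the time it is used below. Moving `$dbname = str_replace("\0", "", $dbname);` above the `empty()` check closes that gap. handleQuery starts and ends outside this hunk, so how `$dbname` is used afterwards is not visible here.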
25 changes: 21 additions & 4 deletions libraries/mult_submits.inc.php
Expand Up @@ -12,6 +12,7 @@

$request_params = array(
'clause_is_unique',
'from_prefix',
'goto',
'mult_btn',
'original_sql_query',
Expand All @@ -24,6 +25,7 @@
'sql_query',
'submit_mult',
'table_type',
'to_prefix',
'url_query'
);

Expand Down Expand Up @@ -481,15 +483,30 @@

case 'replace_prefix_tbl':
$current = $selected[$i];
$newtablename = preg_replace("/^" . $_POST['from_prefix'] . "/", $_POST['to_prefix'], $current);
$a_query = 'ALTER TABLE ' . PMA_Util::backquote($selected[$i]) . ' RENAME ' . PMA_Util::backquote($newtablename); // CHANGE PREFIX PATTERN
if (substr($current, 0, strlen($from_prefix)) == $from_prefix) {
$newtablename = $to_prefix . substr($current, strlen($from_prefix));
} else {
$newtablename = $current;
}
$a_query = 'ALTER TABLE '
. PMA_Util::backquote($selected[$i])
. ' RENAME '
. PMA_Util::backquote($newtablename) ; // CHANGE PREFIX PATTERN
$run_parts = true;
break;

case 'copy_tbl_change_prefix':
$current = $selected[$i];
$newtablename = preg_replace("/^" . $_POST['from_prefix'] . "/", $_POST['to_prefix'], $current);
$a_query = 'CREATE TABLE ' . PMA_Util::backquote($newtablename) . ' SELECT * FROM ' . PMA_Util::backquote($selected[$i]); // COPY TABLE AND CHANGE PREFIX PATTERN
if (substr($current, 0, strlen($from_prefix)) == $from_prefix) {
$newtablename = $to_prefix . substr($current, strlen($from_prefix));
} else {
$newtablename = $current;
}
$newtablename = $to_prefix . substr($current, strlen($from_prefix));
$a_query = 'CREATE TABLE '
. PMA_Util::backquote($newtablename)
. ' SELECT * FROM '
. PMA_Util::backquote($selected[$i]) ; // COPY TABLE AND CHANGE PREFIX PATTERN
$run_parts = true;
break;
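Review bot: In the `copy_tbl_change_prefix` case, the line `$newtablename = $to_prefix . substr($current, strlen($from_prefix));` that follows the if/else overwrites the result of the prefix check. A table whose name does not start with `$from_prefix` therefore still loses its leading characters and gets the new prefix. The `replace_prefix_tbl` case above has no such line, so dropping it here makes the two cases agree. The enclosing switch starts and ends outside this hunk.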

18 changes: 14 additions & 4 deletions libraries/sanitizing.lib.php
Expand Up @@ -159,20 +159,30 @@ function PMA_sanitize($message, $escape = false, $safe = false)


/**
* Sanitize a filename by removing anything besides A-Za-z0-9_.-
* Sanitize a filename by removing anything besides legit characters
*
* Intended usecase:
* When using a filename in a Content-Disposition header
* the value should not contain ; or "
*
* @param string $filename The filename
* When exporting, avoiding generation of an unexpected double-extension file
*
* @param string $filename The filename
* @param boolean $replaceDots Whether to also replace dots
*
* @return string the sanitized filename
*
*/
function PMA_sanitizeFilename($filename)
function PMA_sanitizeFilename($filename, $replaceDots = false)
{
$filename = preg_replace('/[^A-Za-z0-9_.-]/', '_', $filename);
$pattern = '/[^A-Za-z0-9_';
// if we don't have to replace dots
if (! $replaceDots) {
// then add the dot to the list of legit characters
$pattern .= '.';
}
$pattern .= '-]/';
$filename = preg_replace($pattern, '_', $filename);
return $filename;
}
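Review bot: The new summary line `Sanitize a filename by removing anything besides legit characters` no longer says which characters are kept, and the function replaces characters rather than removing them. A wording such as `Sanitize a filename by replacing anything besides A-Za-z0-9_- (and the dot, unless $replaceDots is true) with an underscore` keeps the contract readable from the docblock. It would also help to state on `@param boolean $replaceDots` that the default keeps dots, so callers that write the result to disk have to opt in.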

