
github.com/phpmyadmin/phpmyadmin.git - Unnamed repository; edit this file 'description' to name the repository.
authorMichal Čihař <michal@cihar.com>2017-01-17 19:22:53 +0300
committerMichal Čihař <michal@cihar.com>2017-01-17 19:22:53 +0300
commit5c3f74d8753d9b6bde6fe882d4b98319b1f38e18 (patch)
tree99c4d590fe7f940f369aace62bd627d670c504f5
parentdfa8b7e9d8392c9d6c802c418a513e9701d1e92a (diff)
parenteb2898527f44f1b0a397c84247d6fb27a2d8339f (diff)
Merge branch 'QA_4_6'
-rw-r--r--ChangeLog1
-rw-r--r--doc/config.rst22
-rw-r--r--index.php11
-rw-r--r--libraries/common.inc.php7
-rw-r--r--libraries/config.default.php7
-rw-r--r--libraries/config/messages.inc.php5
-rw-r--r--libraries/config/setup.forms.php1
-rw-r--r--phpinfo.php22
8 files changed, 67 insertions, 9 deletions
diff --git a/ChangeLog b/ChangeLog
index c223516045..d44a3a6357 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -72,6 +72,7 @@ phpMyAdmin - ChangeLog
- issue #12872 Use same query for display and execution when dropping index
- issue #12868 Fix check for user groups freatures being enabled
- issue #12831 Fix table formatting on Insert tab, which mostly affected row highlighting
+- issue #12495 Reintroduced phpinfo page with limited capabilities
4.6.5.2 (2016-12-05)
- issue #12765 Fixed SQL export with newlines
diff --git a/doc/config.rst b/doc/config.rst
index 23904475d6..36b727a289 100644
--- a/doc/config.rst
+++ b/doc/config.rst
@@ -2038,6 +2038,11 @@ Main panel
You can additionally hide more information by using
:config:option:`$cfg['Servers'][$i]['verbose']`.
+.. config:option:: $cfg['ShowPhpInfo']
+
+ :type: boolean
+ :default: false
+
.. config:option:: $cfg['ShowChgPassword']
:type: boolean
@@ -2048,11 +2053,26 @@ Main panel
:type: boolean
:default: true
- Defines whether to display the
+ Defines whether to display the :guilabel:`PHP information` and
:guilabel:`Change password` links and form for creating database or not at
the starting main (right) frame. This setting does not check MySQL commands
entered directly.
+ Please note that to block the usage of ``phpinfo()`` in scripts, you have to
+ put this in your :file:`php.ini`:
+
+ .. code-block:: ini
+
+ disable_functions = phpinfo()
+
+ .. warning::
+
+ Enabling phpinfo page will leak quite a lot of information about server
+ setup. Is it not recommended to enable this on shared installations.
+
+ This might also make easier some remote attacks on your installations,
+ so enable this only when needed.
+
Also note that enabling the :guilabel:`Change password` link has no effect
with config authentication mode: because of the hard coded password value
in the configuration file, end users can't be allowed to change their
diff --git a/index.php b/index.php
index 2d9bb25e38..0ced453dd7 100644
--- a/index.php
+++ b/index.php
@@ -323,7 +323,7 @@ if ($server > 0 && $GLOBALS['cfg']['ShowServerInfo']) {
. ' </div>';
}
-if ($GLOBALS['cfg']['ShowServerInfo']) {
+if ($GLOBALS['cfg']['ShowServerInfo'] || $GLOBALS['cfg']['ShowPhpInfo']) {
echo '<div class="group">';
echo '<h2>' , __('Web server') , '</h2>';
echo '<ul>';
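Review bot: The widened condition lets this "Web server" group render when only `ShowPhpInfo` is on, so every server-detail item between this hunk and the next one needs its own `ShowServerInfo` guard. Those lines are outside the hunk, so I cannot confirm that such a guard exists. If it does not, enabling the phpinfo link would also start showing the web server software and client library versions that the administrator had switched off. If the guard is missing, the fix is to wrap those items in `if ($GLOBALS['cfg']['ShowServerInfo']) { ... }` inside this block.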
@@ -363,6 +363,15 @@ if ($GLOBALS['cfg']['ShowServerInfo']) {
}
}
+ if ($cfg['ShowPhpInfo']) {
+ PMA_printListItem(
+ __('Show PHP information'),
+ 'li_phpinfo',
+ 'phpinfo.php' . $common_url_query,
+ null,
+ '_blank'
+ );
+ }
echo ' </ul>';
echo ' </div>';
}
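Review bot: The new check reads `$cfg['ShowPhpInfo']`, while the conditions visible around it in this file use `$GLOBALS['cfg'][...]`. Both presumably name the same array at file scope, but a bare `$cfg` depends on the including scope and is easy to break if this code is ever moved into a function. I would write it as `if ($GLOBALS['cfg']['ShowPhpInfo']) {` to match the outer condition changed in the previous hunk. The enclosing `if` block starts outside this hunk.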
diff --git a/libraries/common.inc.php b/libraries/common.inc.php
index 60ae8fa7f0..53eb937f6a 100644
--- a/libraries/common.inc.php
+++ b/libraries/common.inc.php
@@ -262,9 +262,6 @@ $GLOBALS['url_params'] = array();
* @global array $goto_whitelist
*/
$goto_whitelist = array(
- //'browse_foreigners.php',
- //'changelog.php',
- //'chk_rel.php',
'db_datadict.php',
'db_sql.php',
'db_events.php',
@@ -278,9 +275,6 @@ $goto_whitelist = array(
'db_routines.php',
'export.php',
'import.php',
- //'index.php',
- //'navigation.php',
- //'license.php',
'index.php',
'pdf_pages.php',
'pdf_schema.php',
@@ -313,7 +307,6 @@ $goto_whitelist = array(
'tbl_row_action.php',
'tbl_select.php',
'tbl_zoom_select.php',
- //'themes.php',
'transformation_overview.php',
'transformation_wrapper.php',
'user_password.php',
diff --git a/libraries/config.default.php b/libraries/config.default.php
index c4b17993e9..d607783006 100644
--- a/libraries/config.default.php
+++ b/libraries/config.default.php
@@ -1059,6 +1059,13 @@ $cfg['NavigationTreeShowEvents'] = true;
$cfg['ShowStats'] = true;
/**
+ * show PHP info link
+ *
+ * @global boolean $cfg['ShowPhpInfo']
+ */
+$cfg['ShowPhpInfo'] = false;
+
+/**
* show MySQL server and web server information
*
* @global boolean $cfg['ShowServerInfo']
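Review bot: The docblock says "show PHP info link", but the same flag also decides whether the new phpinfo.php prints anything at all, so it is an access switch and not only a display option. I would reword the comment to something like `* enable the phpinfo.php page and show a link to it on the main panel; discloses server setup, keep disabled on shared installations`. The setup description added in libraries/config/messages.inc.php ("Shows link to phpinfo() output.") understates the option in the same way and could carry the same warning that doc/config.rst already gives.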
diff --git a/libraries/config/messages.inc.php b/libraries/config/messages.inc.php
index 33bd8df169..151c9dfad8 100644
--- a/libraries/config/messages.inc.php
+++ b/libraries/config/messages.inc.php
@@ -869,6 +869,11 @@ $strConfigShowFunctionFields_desc = __(
$strConfigShowFunctionFields_name = __('Show function fields');
$strConfigShowHint_desc = __('Whether to show hint or not.');
$strConfigShowHint_name = __('Show hint');
+$strConfigShowPhpInfo_desc = __(
+ 'Shows link to [a@https://php.net/manual/function.phpinfo.php]phpinfo()[/a] ' .
+ 'output.'
+);
+$strConfigShowPhpInfo_name = __('Show phpinfo() link');
$strConfigShowServerInfo_name = __('Show detailed MySQL server information');
$strConfigShowSQL_desc = __(
'Defines whether SQL queries generated by phpMyAdmin should be displayed.'
diff --git a/libraries/config/setup.forms.php b/libraries/config/setup.forms.php
index d4034d9118..2fb37d6535 100644
--- a/libraries/config/setup.forms.php
+++ b/libraries/config/setup.forms.php
@@ -203,6 +203,7 @@ $forms['Main_panel']['Startup'] = array(
'ShowCreateDb',
'ShowStats',
'ShowServerInfo',
+ 'ShowPhpInfo',
'ShowChgPassword');
$forms['Main_panel']['DbStructure'] = array(
'ShowDbStructureCharset',
diff --git a/phpinfo.php b/phpinfo.php
new file mode 100644
index 0000000000..0daa5f9f65
--- /dev/null
+++ b/phpinfo.php
@@ -0,0 +1,22 @@
+<?php
+/* vim: set expandtab sw=4 ts=4 sts=4: */
+/**
+ * phpinfo() wrapper to allow displaying only when configured to do so.
+ *
+ * @package PhpMyAdmin
+ */
+
+/**
+ * Gets core libraries and defines some variables
+ */
+require_once 'libraries/common.inc.php';
+$response = PMA\libraries\Response::getInstance();
+$response->disable();
+$response->getHeader()->sendHttpHeaders();
+
+/**
+ * Displays PHP information
+ */
+if ($GLOBALS['cfg']['ShowPhpInfo']) {
+ phpinfo(INFO_GENERAL | INFO_CONFIGURATION | INFO_MODULES);
+}
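Review bot: The flag mask on the `phpinfo()` call is the security-relevant decision in this file and nothing explains it. I would add a comment above the call such as `// INFO_ENVIRONMENT and INFO_VARIABLES are deliberately left out: they print environment, cookie and server variables`, so that a later change does not widen it to `INFO_ALL`. Separately, when `ShowPhpInfo` is off the script sends its headers and then returns an empty body, which looks like a successful page load to the user and in access logs. An explicit `else` branch that sets a 403 status or prints a short "disabled by configuration" message would make denied requests visible. Access control otherwise rests on whatever `libraries/common.inc.php` enforces, which this diff does not show.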