Merge pull request #307 from phpmyadmin/security/302

Fix External Transformation RCE

3 files changed, 17 insertions, 6 deletions

diff --git a/libraries/classes/Error.php b/libraries/classes/Error.php
index ded3b4904a..d156f19095 100644
--- a/libraries/classes/Error.php
+++ b/libraries/classes/Error.php
@@ -467,7 +467,7 @@ class Error extends Message
     public function isUserError()
     {
         return $this->hide_location ||
-            ($this->getNumber() & (E_USER_WARNING | E_USER_ERROR | E_USER_NOTICE));
+            ($this->getNumber() & (E_USER_WARNING | E_USER_ERROR | E_USER_NOTICE | E_USER_DEPRECATED));
     }
 
     /**
diff --git a/libraries/classes/ErrorHandler.php b/libraries/classes/ErrorHandler.php
index 0c8ad34910..26b51b60ec 100644
--- a/libraries/classes/ErrorHandler.php
+++ b/libraries/classes/ErrorHandler.php
@@ -166,12 +166,12 @@ class ErrorHandler
             */
             if (error_reporting() == 0 &&
                 $this->error_reporting != 0 &&
-                ($errno & (E_USER_WARNING | E_USER_ERROR | E_USER_NOTICE)) == 0
+                ($errno & (E_USER_WARNING | E_USER_ERROR | E_USER_NOTICE | E_USER_DEPRECATED)) == 0
             ) {
                 return;
             }
         } else {
-            if (($errno & (E_USER_WARNING | E_USER_ERROR | E_USER_NOTICE)) == 0) {
+            if (($errno & (E_USER_WARNING | E_USER_ERROR | E_USER_NOTICE | E_USER_DEPRECATED)) == 0) {
                 return;
             }
         }
@@ -229,6 +229,7 @@ class ErrorHandler
         case E_USER_NOTICE:
         case E_USER_WARNING:
         case E_USER_ERROR:
+        case E_USER_DEPRECATED:
             // just collect the error
             // display is called from outside
             break;
diff --git a/libraries/classes/Plugins/Transformations/Abs/ExternalTransformationsPlugin.php b/libraries/classes/Plugins/Transformations/Abs/ExternalTransformationsPlugin.php
index d3286aa563..41c2a88a48 100644
--- a/libraries/classes/Plugins/Transformations/Abs/ExternalTransformationsPlugin.php
+++ b/libraries/classes/Plugins/Transformations/Abs/ExternalTransformationsPlugin.php
@@ -29,10 +29,10 @@ abstract class ExternalTransformationsPlugin extends TransformationsPlugin
             . ' data via standard input. Returns the standard output of the'
             . ' application. The default is Tidy, to pretty-print HTML code.'
             . ' For security reasons, you have to manually edit the file'
-            . ' libraries/classes/Plugins/Transformations/Output/Text_Plain_External'
-            . '.php and list the tools you want to make available.'
+            . ' libraries/classes/Plugins/Transformations/Abs/ExternalTransformationsPlugin.php'
+            . ' and list the tools you want to make available.'
             . ' The first option is then the number of the program you want to'
-            . ' use and the second option is the parameters for the program.'
+            . ' use. The second option should be blank for historical reasons.'
             . ' The third option, if set to 1, will convert the output using'
             . ' htmlspecialchars() (Default 1). The fourth option, if set to 1,'
             . ' will prevent wrapping and ensure that the output appears all on'
@@ -108,6 +108,16 @@ abstract class ExternalTransformationsPlugin extends TransformationsPlugin
             $program = $allowed_programs[0];
         }
 
+        if (isset($options[1]) && strlen((string) $options[1]) > 0) {
+            trigger_error(sprintf(
+                __(
+                    'You are using the external transformation command line options field, which has been deprecated for security reasons. '
+                    . 'Add all command line options directly to the definition in %s.'
+                ),
+                '[code]libraries/classes/Plugins/Transformations/Abs/ExternalTransformationsPlugin.php[/code]'
+            ), E_USER_DEPRECATED);
+        }
+
         // needs PHP >= 4.3.0
         $newstring = '';
         $descriptorspec = array(