author | Isaac Bennetch <bennetch@gmail.com> | 2020-03-21 02:07:35 +0300 |
committer | GitHub <noreply@github.com> | 2020-03-21 02:07:35 +0300 |
commit | 1aee403733dcf2ae7050d851480afb39c2f47bf0 (patch) | |
tree | 52bc74dbb34aa55a71b02763b551c088cc1672f1 /libraries | |
parent | 155f3b2b4117b08df9dc4fc8eae9f1054c9d9c1e (diff) | |
parent | 163f05cac106b603ae272fed9baddbff22b2cdc8 (diff) |
Merge pull request #307 from phpmyadmin/security/302
Fix External Transformation RCE
Diffstat (limited to 'libraries')
-rw-r--r-- | libraries/classes/Error.php | 2 | ||||
-rw-r--r-- | libraries/classes/ErrorHandler.php | 5 | ||||
-rw-r--r-- | libraries/classes/Plugins/Transformations/Abs/ExternalTransformationsPlugin.php | 16 |
3 files changed, 17 insertions, 6 deletions
diff --git a/libraries/classes/Error.php b/libraries/classes/Error.php
index ded3b4904a..d156f19095 100644
--- a/libraries/classes/Error.php
+++ b/libraries/classes/Error.php
@@ -467,7 +467,7 @@ class Error extends Message
 public function isUserError()
 {
 return $this->hide_location ||
- ($this->getNumber() & (E_USER_WARNING | E_USER_ERROR | E_USER_NOTICE));
+ ($this->getNumber() & (E_USER_WARNING | E_USER_ERROR | E_USER_NOTICE | E_USER_DEPRECATED));
 }
 
 /**
diff --git a/libraries/classes/ErrorHandler.php b/libraries/classes/ErrorHandler.php
index 0c8ad34910..26b51b60ec 100644
--- a/libraries/classes/ErrorHandler.php
+++ b/libraries/classes/ErrorHandler.php
@@ -166,12 +166,12 @@ class ErrorHandler
 */
 if (error_reporting() == 0 &&
 $this->error_reporting != 0 &&
- ($errno & (E_USER_WARNING | E_USER_ERROR | E_USER_NOTICE)) == 0
+ ($errno & (E_USER_WARNING | E_USER_ERROR | E_USER_NOTICE | E_USER_DEPRECATED)) == 0
 ) {
 return;
 }
 } else {
- if (($errno & (E_USER_WARNING | E_USER_ERROR | E_USER_NOTICE)) == 0) {
+ if (($errno & (E_USER_WARNING | E_USER_ERROR | E_USER_NOTICE | E_USER_DEPRECATED)) == 0) {
 return;
 }
 }
@@ -229,6 +229,7 @@ class ErrorHandler
 case E_USER_NOTICE:
 case E_USER_WARNING:
 case E_USER_ERROR:
+ case E_USER_DEPRECATED:
 // just collect the error
 // display is called from outside
 break;
diff --git a/libraries/classes/Plugins/Transformations/Abs/ExternalTransformationsPlugin.php b/libraries/classes/Plugins/Transformations/Abs/ExternalTransformationsPlugin.php
index d3286aa563..41c2a88a48 100644
--- a/libraries/classes/Plugins/Transformations/Abs/ExternalTransformationsPlugin.php
+++ b/libraries/classes/Plugins/Transformations/Abs/ExternalTransformationsPlugin.php
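Review bot: The user-error bitmask `E_USER_WARNING | E_USER_ERROR | E_USER_NOTICE | E_USER_DEPRECATED` is now written out by hand in three places — `isUserError()` in this hunk and twice more in the ErrorHandler hunk at line 166 (the switch at line 229 lists the same levels as cases) — so the next level added or dropped has to be kept in step manually, which is exactly how E_USER_DEPRECATED came to be missing before this commit. A single shared constant, `public const USER_ERROR_LEVELS = E_USER_WARNING | E_USER_ERROR | E_USER_NOTICE | E_USER_DEPRECATED;` on `Error`, referenced from both classes, would make the three sites agree by construction. In the ErrorHandler hunk the comparison `== 0` on an int bitmask is safe but `=== 0` would match the strict style elsewhere in the codebase. The method containing the line-166 hunk begins and ends outside the hunk.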
@@ -29,10 +29,10 @@ abstract class ExternalTransformationsPlugin extends TransformationsPlugin
 . ' data via standard input. Returns the standard output of the'
 . ' application. The default is Tidy, to pretty-print HTML code.'
 . ' For security reasons, you have to manually edit the file'
- . ' libraries/classes/Plugins/Transformations/Output/Text_Plain_External'
- . '.php and list the tools you want to make available.'
+ . ' libraries/classes/Plugins/Transformations/Abs/ExternalTransformationsPlugin.php'
+ . ' and list the tools you want to make available.'
 . ' The first option is then the number of the program you want to'
- . ' use and the second option is the parameters for the program.'
+ . ' use. The second option should be blank for historical reasons.'
 . ' The third option, if set to 1, will convert the output using'
 . ' htmlspecialchars() (Default 1). The fourth option, if set to 1,'
 . ' will prevent wrapping and ensure that the output appears all on'
@@ -108,6 +108,16 @@ abstract class ExternalTransformationsPlugin extends TransformationsPlugin
 $program = $allowed_programs[0];
 }
 
+ if (isset($options[1]) && strlen((string) $options[1]) > 0) {
+ trigger_error(sprintf(
+ __(
+ 'You are using the external transformation command line options field, which has been deprecated for security reasons. '
+ . 'Add all command line options directly to the definition in %s.'
+ ),
+ '[code]libraries/classes/Plugins/Transformations/Abs/ExternalTransformationsPlugin.php[/code]'
+ ), E_USER_DEPRECATED);
+ }
+
 // needs PHP >= 4.3.0
 $newstring = '';
 $descriptorspec = array( |
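Review bot: The new guard in the line-108 hunk only raises an E_USER_DEPRECATED notice when `$options[1]` is non-empty; by itself it does not prevent that value from being used, so the actual fix rests on the command line built below `$descriptorspec = array(` no longer incorporating `$options[1]` — that part of the method lies outside the hunk and should be checked rather than assumed from the notice. A comment above the `if` stating the contract would spare the next reader the same question, e.g. `// Option 1 (user-supplied command line arguments) is deprecated; only the arguments fixed in $allowed_programs are passed to the program.`, provided that is what the remainder of the method now does. The notice is only surfaced because the ErrorHandler hunk in this same commit starts collecting E_USER_DEPRECATED, which is worth a one-line comment here so the two changes are not separated later. As a point of style, `strlen((string) $options[1]) > 0` reads more directly as `(string) $options[1] !== ''`. The enclosing method begins before and ends after this hunk.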