authorDan Ungureanu <udan1107@gmail.com>2015-07-17 18:14:57 +0300
committerDan Ungureanu <udan1107@gmail.com>2015-07-17 18:14:57 +0300
commit98a497e67c7e39ed1608b14222fd182f864b9195 (patch)
tree41dfa792d6fcdbbc1822f3f7d94d38de1e40b604 /lint.php
parentc5a788bfec8def1d4e3c628d60396d3060b4d8b1 (diff)
Do not process unauthorized requests.
Signed-off-by: Dan Ungureanu <udan1107@gmail.com>
Diffstat (limited to 'lint.php')
-rw-r--r--lint.php17
1 files changed, 17 insertions, 0 deletions
diff --git a/lint.php b/lint.php
index 138156c806..b1d4bb414c 100644
--- a/lint.php
+++ b/lint.php
@@ -8,6 +8,19 @@
define('PHPMYADMIN', true);
+// We load the minimum files required to check if the user is logged in.
+require_once 'libraries/core.lib.php';
+require_once 'libraries/Config.class.php';
+$GLOBALS['PMA_Config'] = new PMA_Config(CONFIG_FILE);
+require_once 'libraries/session.inc.php';
+
+// If user is not logged in, he should not send any requests, so we exit here to
+// avoid external requests.
+if (empty($_SESSION['encryption_key'])) {
+ // Unauthorized access detected.
+ exit;
+}
+
/**
* Loads the SQL lexer and parser, which are used to detect errors.
*/
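Review bot: The `exit;` on the unauthorized branch sends an HTTP 200 with an empty body, so the caller cannot tell "not logged in" from "no lint messages" and the rejected request leaves no distinguishing trace in access logs; set a status before leaving, e.g. `http_response_code(403);` ahead of `exit;` (or mirror whatever response the project's other entry points use for this case, which I cannot see from here). The session check itself looks right for gating the endpoint, but note that `empty()` also rejects a key of `'0'` — harmless for a random key, worth a one-word comment if that is intentional. The wording of the added comment would read better as "If the user is not logged in, no requests should be processed, so we exit here to avoid serving external requests."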
@@ -18,4 +31,8 @@ require_once 'libraries/sql-parser/autoload.php';
*/
require_once 'libraries/Linter.class.php';
+// The input of this function does not need to be checked again XSS or MySQL
+// injections because it is never executed, just parsed.
+// The client, which will recieve the JSON response will decode the message and
+// and any HTML fragments that are displayed to the user will be encoded anyway.
PMA_Linter::lint($_REQUEST['sql_query']);
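Review bot: `$_REQUEST['sql_query']` on the last line is read without an existence check, so a request that omits the parameter raises an undefined-index notice and hands `null` to the linter; guard it first, e.g. `if (!isset($_REQUEST['sql_query'])) { exit; }` ahead of the call (or default to `''` if the linter accepts an empty string — its signature is outside this hunk). The added comment also reads "checked again XSS" for "checked against XSS", "recieve" for "receive", and repeats "and" across its last two lines, which is worth fixing since the comment is the justification for skipping input validation here. Reading the query from `$_POST` rather than `$_REQUEST` would keep it out of URLs and server logs, if the client already submits it by POST.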