author | Madhura Jayaratne <madhura.cj@gmail.com> | 2015-05-12 08:51:47 +0300 |
committer | Marc Delisle <marc@infomarc.info> | 2015-05-13 18:36:06 +0300 |
commit | e874e59b6933bd814b201641a4bb7dea493e5ad5 (patch) | |
tree | 6bf5eae8c888abae5fae35a8ad5bb3068c84e2b8 /setup | |
parent | 53b55954bdf9d06c3b6e5d94f01fc50c4f0c0903 (diff) |
bug #4899 [security] CSRF vulnerability in setup
Signed-off-by: Madhura Jayaratne <madhura.cj@gmail.com>
Diffstat (limited to 'setup')
-rw-r--r-- | setup/frames/form.inc.php | 4 | ||||
-rw-r--r-- | setup/frames/index.inc.php | 11 | ||||
-rw-r--r-- | setup/frames/menu.inc.php | 7 | ||||
-rw-r--r-- | setup/frames/servers.inc.php | 4 | ||||
-rw-r--r-- | setup/index.php | 4 | ||||
-rw-r--r-- | setup/lib/form_processing.lib.php | 17 | ||||
-rw-r--r-- | setup/validate.php | 6 |
7 files changed, 29 insertions, 24 deletions
diff --git a/setup/frames/form.inc.php b/setup/frames/form.inc.php
index 2fb2cda0f4..4e25bfe1d2 100644
--- a/setup/frames/form.inc.php
+++ b/setup/frames/form.inc.php
@@ -19,8 +19,8 @@ require_once './setup/lib/form_processing.lib.php';
 require './libraries/config/setup.forms.php';
-$formset_id = filter_input(INPUT_GET, 'formset');
-$mode = filter_input(INPUT_GET, 'mode');
+$formset_id = isset($_GET['formset']) ? $_GET['formset'] : null;
+$mode = isset($_GET['mode']) ? $_GET['mode'] : null;
 if (! isset($forms[$formset_id])) {
 PMA_fatalError(__('Incorrect formset, check $formsets array in setup/frames/form.inc.php!'));
 }
diff --git a/setup/frames/index.inc.php b/setup/frames/index.inc.php
index c291c3c327..2c341ec2c9 100644
--- a/setup/frames/index.inc.php
+++ b/setup/frames/index.inc.php
@@ -174,12 +174,12 @@ if ($cf->getServerCount() > 0) {
 echo '<td>' . htmlspecialchars($cf->getServerDSN($id)) . '</td>';
 echo '<td style="white-space: nowrap">';
 echo '<small>';
- echo '<a href="?page=servers' . $separator
- . 'mode=edit' . $separator . 'id=' . $id . '">'
+ echo '<a href="' . PMA_URL_getCommon() . $separator . 'page=servers'
+ . $separator . 'mode=edit' . $separator . 'id=' . $id . '">'
 . __('Edit') . '</a>';
 echo ' | ';
- echo '<a href="?page=servers' . $separator
- . 'mode=remove' . $separator . 'id=' . $id . '">'
+ echo '<a href="' . PMA_URL_getCommon() . $separator . 'page=servers'
+ . $separator . 'mode=remove' . $separator . 'id=' . $id . '">'
 . __('Delete') . '</a>';
 echo '</small>';
 echo '</td>';
@@ -308,7 +308,6 @@ echo '<div id="footer">';
 echo '<a href="http://www.phpmyadmin.net/">' . __('phpMyAdmin homepage') . '</a>';
 echo '<a href="http://sourceforge.net/donate/index.php?group_id=23067">' . __('Donate') . '</a>';
-echo '<a href="?version_check=1' . $separator
- . 'token=' . $_SESSION[' PMA_token '] . '">'
+echo '<a href="' . PMA_URL_getCommon() . $separator . 'version_check=1">'
 . __('Check for latest version') . '</a>';
 echo '</div>';
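Review bot: The reason for replacing filter_input() with direct $_GET reads on the two assignment lines is recorded nowhere in the hunk, and the same unexplained swap is repeated in menu.inc.php, servers.inc.php, index.php, form_processing.lib.php and validate.php. Presumably filter_input() keeps returning the original request values even after the token check in common.inc.php has cleared entries from $_GET, so only a $_GET read honours the CSRF protection — confirm against that check before relying on it. A maintainer who sees only this file is likely to reinstate filter_input() for its built-in validation, so a short comment above the first assignment, e.g. `// Read $_GET directly: filter_input() would see the raw request even after the token check has cleared $_GET`, would preserve the intent.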
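Review bot: The Delete link still performs the server removal through a plain GET navigation (`mode=remove`), so the token now embedded by PMA_URL_getCommon() is the only thing between a crafted link and a state change, and that token ends up in browser history and may leak through outbound Referer headers from the target page. A small POST form with the token in a hidden field would keep the CSRF protection without putting the token in a URL; the Edit link is read-only navigation and can stay as it is. The enclosing loop starts and ends outside the hunk.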
diff --git a/setup/frames/menu.inc.php b/setup/frames/menu.inc.php
index d82dce07f2..a78c84d689 100644
--- a/setup/frames/menu.inc.php
+++ b/setup/frames/menu.inc.php
@@ -10,11 +10,11 @@ if (!defined('PHPMYADMIN')) {
 exit;
 }
-$formset_id = filter_input(INPUT_GET, 'formset');
+$formset_id = isset($_GET['formset']) ? $_GET['formset'] : null;
 $separator = PMA_URL_getArgSeparator('html');
 echo '<ul>';
-echo '<li><a href="index.php"'
+echo '<li><a href="index.php' . PMA_URL_getCommon() . '"'
 . ($formset_id === null ? ' class="active' : '') . '">' . __('Overview') . '</a></li>';
@@ -28,7 +28,8 @@ $formsets = array(
 );
 foreach ($formsets as $formset => $label) {
- echo '<li><a href="?page=form' . $separator . 'formset=' . $formset . '" '
+ echo '<li><a href="' . PMA_URL_getCommon() . $separator . 'page=form'
+ . $separator . 'formset=' . $formset . '" '
 . ($formset_id === $formset ? ' class="active' : '') . '">' . $label . '</a></li>';
 }
diff --git a/setup/frames/servers.inc.php b/setup/frames/servers.inc.php
index 87c5cee1d7..859a784816 100644
--- a/setup/frames/servers.inc.php
+++ b/setup/frames/servers.inc.php
@@ -19,8 +19,8 @@ require_once './setup/lib/form_processing.lib.php';
 require './libraries/config/setup.forms.php';
-$mode = filter_input(INPUT_GET, 'mode');
-$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
+$mode = isset($_GET['mode']) ? $_GET['mode'] : null;
+$id = PMA_isValid($_GET['id'], 'numeric') ? $_GET['id'] : null;
 $cf = $GLOBALS['ConfigFile'];
 $server_exists = !empty($id) && $cf->get("Servers/$id") !== null;
diff --git a/setup/index.php b/setup/index.php
index 53d333a63f..5ef68c268e 100644
--- a/setup/index.php
+++ b/setup/index.php
@@ -12,7 +12,7 @@
 */
 require './lib/common.inc.php';
-$page = filter_input(INPUT_GET, 'page');
+$page = isset($_GET['page']) ? $_GET['page'] : null;
 $page = preg_replace('/[^a-z]/', '', $page);
 if ($page === '') {
 $page = 'index';
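Review bot: `PMA_isValid($_GET['id'], 'numeric')` is looser than the FILTER_VALIDATE_INT check it replaces: values such as `1.5` or `1e2` now pass and are interpolated as-is into the `"Servers/$id"` config path on the last line of the hunk. Keeping the integer validation while still reading $_GET is one line, `$id = isset($_GET['id']) ? filter_var($_GET['id'], FILTER_VALIDATE_INT) : null;` — filter_var() yields false for a bad value, which is what the old filter_input() call yielded too, so `!empty($id)` keeps working. The same `'numeric'` relaxation appears for `$formId` in the form_processing.lib.php hunk at line 35, where the filter_var() form also keeps `$formId === null` meaning "absent" rather than "invalid". Reading `$_GET['id']` without isset() will additionally raise an undefined-index notice on every request that lacks `id` unless PMA_isValid() takes its argument by reference — worth confirming.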
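Review bot: `$_GET['page']` can arrive as an array (`page[]=x`), in which case `preg_replace()` on the following line returns an array, the `$page === ''` test no longer matches, and the `file_exists("./setup/frames/$page.inc.php")` check runs on an array-to-string conversion; filter_input() returned false for array input, so this is a behaviour change introduced by the hunk. `$page = isset($_GET['page']) && is_string($_GET['page']) ? $_GET['page'] : null;` restores a string-or-null input for the whitelist regex. The `$action_done` assignment in this file's hunk at line 23 has the same shape and would take the same guard.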
@@ -23,7 +23,7 @@ if (!file_exists("./setup/frames/$page.inc.php")) {
 }
 // Handle done action info
-$action_done = filter_input(INPUT_GET, 'action_done');
+$action_done = isset($_GET['action_done']) ? $_GET['action_done'] : null;
 $action_done = preg_replace('/[^a-z_]/', '', $action_done);
 PMA_noCacheHeader();
diff --git a/setup/lib/form_processing.lib.php b/setup/lib/form_processing.lib.php
index 5d762e76c5..db80e44ec5 100644
--- a/setup/lib/form_processing.lib.php
+++ b/setup/lib/form_processing.lib.php
@@ -15,7 +15,7 @@
 */
 function PMA_Process_formset(FormDisplay $form_display)
 {
- if (filter_input(INPUT_GET, 'mode') == 'revert') {
+ if (isset($_GET['mode']) && $_GET['mode'] == 'revert') {
 // revert erroneous fields to their default values
 $form_display->fixErrors();
 PMA_generateHeader303();
@@ -35,10 +35,10 @@ function PMA_Process_formset(FormDisplay $form_display)
 // form has errors, show warning
 $separator = PMA_URL_getArgSeparator('html');
- $page = filter_input(INPUT_GET, 'page');
- $formset = filter_input(INPUT_GET, 'formset');
+ $page = isset($_GET['page']) ? $_GET['page'] : null;
+ $formset = isset($_GET['formset']) ? $_GET['formset'] : null;
 $formset = $formset ? "{$separator}formset=$formset" : '';
- $formId = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
+ $formId = PMA_isValid($_GET['id'], 'numeric') ? $_GET['id'] : null;
 if ($formId === null && $page == 'servers') {
 // we've just added a new server, get its id
 $formId = $form_display->getConfigFile()->getServerCount();
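Review bot: The new condition compares the query-string value with loose `==` (`$_GET['mode'] == 'revert'`); `===` is the safer default for a request string and matches the strict `=== null` comparisons used elsewhere in this commit: `if (isset($_GET['mode']) && $_GET['mode'] === 'revert') {`. The same loose comparison, `$page == 'servers'`, sits in this file's hunk at line 35. PMA_Process_formset() continues outside the hunk.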
@@ -48,15 +48,18 @@ function PMA_Process_formset(FormDisplay $form_display)
 <div class="error">
 <h4><?php echo __('Warning') ?></h4>
 <?php echo __('Submitted form contains errors') ?><br />
- <a href="?page=<?php echo $page . $formset . $formId . $separator ?>mode=revert">
+ <a href="<?php echo PMA_URL_getCommon() . $separator ?>
+ page=<?php echo $page . $formset . $formId . $separator ?>mode=revert">
 <?php echo __('Try to revert erroneous fields to their default values') ?>
 </a>
 </div>
 <?php $form_display->displayErrors() ?>
- <a class="btn" href="index.php"><?php echo __('Ignore errors') ?></a>
+ <a class="btn" href="index.php<?php echo PMA_URL_getCommon() ?>">
+ <?php echo __('Ignore errors') ?></a>
- <a class="btn" href="?page=<?php echo $page . $formset . $formId
+ <a class="btn" href="<?php echo PMA_URL_getCommon() . $separator ?>
+ page=<?php echo $page . $formset . $formId
 . $separator ?>mode=edit"><?php echo __('Show form') ?></a>
 <?php
 }
diff --git a/setup/validate.php b/setup/validate.php
index fba2725dc3..3c070f29ab 100644
--- a/setup/validate.php
+++ b/setup/validate.php
@@ -16,8 +16,10 @@ require './libraries/config/Validator.class.php';
 header('Content-type: application/json');
-$vids = explode(',', filter_input(INPUT_POST, 'id'));
-$values = json_decode(filter_input(INPUT_POST, 'values'));
+$ids = isset($_POST['id']) ? $_POST['id'] : null;
+$vids = explode(',', $ids);
+$vals = isset($_POST['values']) ? $_POST['values'] : null;
+$values = json_decode($vals);
 if (!($values instanceof stdClass)) {
 PMA_fatalError(__('Wrong data'));
 } |
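Review bot: Splitting the href across two template lines (the `<a href="<?php echo PMA_URL_getCommon() . $separator ?>` / `page=<?php …` pairs for both the revert link and the Show form link) emits a newline plus the indentation inside the attribute value, so the generated URL reads `?token=…&amp;` followed by a line break and a run of spaces before `page=`; it only works because browsers strip newlines from URLs and PHP ignores leading spaces in a parameter name, which is fragile and makes these links differ from the single-line ones in index.inc.php. Building the common prefix once in a variable keeps each href on one line, as below. While these lines are being rewritten, note that `$page` and the formset/id values — taken from `$_GET` in this file's hunk at line 35 — are echoed into the attribute unescaped; they should go through htmlspecialchars() where they are read rather than on the assembled string, because `$separator` is already HTML-encoded and must not be escaped twice. The enclosing function and the `?>` that opens this HTML block start outside the hunk.
```php
<?php $form_url = PMA_URL_getCommon() . $separator . 'page=' . $page . $formset . $formId . $separator; ?>
<div class="error">
    <?php /* … unchanged: warning heading and message … */ ?>
    <a href="<?php echo $form_url ?>mode=revert">
    <?php /* … unchanged: revert link text, closing tags, displayErrors() … */ ?>
    <a class="btn" href="index.php<?php echo PMA_URL_getCommon() ?>"><?php echo __('Ignore errors') ?></a>
    <a class="btn" href="<?php echo $form_url ?>mode=edit"><?php echo __('Show form') ?></a>
```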
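Review bot: `explode(',', $ids)` on the new line assumes `$_POST['id']` is a string; if it is submitted as an array (`id[]=…`) explode() fails with a warning (a TypeError on PHP 8) instead of producing a list, and whatever iterates `$vids` below the hunk (not shown) then receives a non-array. A single guard keeps the loop input a list: `$vids = is_string($ids) ? explode(',', $ids) : array();`. `$vals` does not need the same guard, since json_decode() on a non-string yields null and the `instanceof stdClass` check already rejects that.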