From e874e59b6933bd814b201641a4bb7dea493e5ad5 Mon Sep 17 00:00:00 2001
From: Madhura Jayaratne <madhura.cj@gmail.com>
Date: Tue, 12 May 2015 11:21:47 +0530
Subject: bug #4899 [security] CSRF vulnerability in setup

Signed-off-by: Madhura Jayaratne <madhura.cj@gmail.com>
---
 setup/frames/form.inc.php         |  4 ++--
 setup/frames/index.inc.php        | 11 +++++------
 setup/frames/menu.inc.php         |  7 ++++---
 setup/frames/servers.inc.php      |  4 ++--
 setup/index.php                   |  4 ++--
 setup/lib/form_processing.lib.php | 17 ++++++++++-------
 setup/validate.php                |  6 ++++--
 7 files changed, 29 insertions(+), 24 deletions(-)

(limited to 'setup')

diff --git a/setup/frames/form.inc.php b/setup/frames/form.inc.php
index 2fb2cda0f4..4e25bfe1d2 100644
--- a/setup/frames/form.inc.php
+++ b/setup/frames/form.inc.php
@@ -19,8 +19,8 @@ require_once './setup/lib/form_processing.lib.php';
 
 require './libraries/config/setup.forms.php';
 
-$formset_id = filter_input(INPUT_GET, 'formset');
-$mode = filter_input(INPUT_GET, 'mode');
+$formset_id = isset($_GET['formset']) ? $_GET['formset'] : null;
+$mode = isset($_GET['mode']) ? $_GET['mode'] : null;
 if (! isset($forms[$formset_id])) {
     PMA_fatalError(__('Incorrect formset, check $formsets array in setup/frames/form.inc.php!'));
 }
diff --git a/setup/frames/index.inc.php b/setup/frames/index.inc.php
index c291c3c327..2c341ec2c9 100644
--- a/setup/frames/index.inc.php
+++ b/setup/frames/index.inc.php
@@ -174,12 +174,12 @@ if ($cf->getServerCount() > 0) {
         echo '<td>' . htmlspecialchars($cf->getServerDSN($id)) . '</td>';
         echo '<td style="white-space: nowrap">';
         echo '<small>';
-        echo '<a href="?page=servers' . $separator
-            . 'mode=edit' . $separator . 'id=' . $id . '">'
+        echo '<a href="' . PMA_URL_getCommon() . $separator . 'page=servers'
+            . $separator . 'mode=edit' . $separator . 'id=' . $id . '">'
             . __('Edit') . '</a>';
         echo ' | ';
-        echo '<a href="?page=servers' . $separator
-            . 'mode=remove' . $separator . 'id=' . $id . '">'
+        echo '<a href="' . PMA_URL_getCommon() . $separator . 'page=servers'
+            . $separator . 'mode=remove' . $separator . 'id=' . $id . '">'
             . __('Delete') . '</a>';
         echo '</small>';
         echo '</td>';
@@ -308,7 +308,6 @@ echo '<div id="footer">';
 echo '<a href="http://www.phpmyadmin.net/">' . __('phpMyAdmin homepage') . '</a>';
 echo '<a href="http://sourceforge.net/donate/index.php?group_id=23067">'
     .  __('Donate') . '</a>';
-echo '<a href="?version_check=1' . $separator
-    . 'token=' . $_SESSION[' PMA_token '] . '">'
+echo '<a href="' .  PMA_URL_getCommon() . $separator . 'version_check=1">'
     . __('Check for latest version') . '</a>';
 echo '</div>';
diff --git a/setup/frames/menu.inc.php b/setup/frames/menu.inc.php
index d82dce07f2..a78c84d689 100644
--- a/setup/frames/menu.inc.php
+++ b/setup/frames/menu.inc.php
@@ -10,11 +10,11 @@ if (!defined('PHPMYADMIN')) {
     exit;
 }
 
-$formset_id = filter_input(INPUT_GET, 'formset');
+$formset_id = isset($_GET['formset']) ? $_GET['formset'] : null;
 
 $separator = PMA_URL_getArgSeparator('html');
 echo '<ul>';
-echo '<li><a href="index.php"'
+echo '<li><a href="index.php' . PMA_URL_getCommon() . '"'
     . ($formset_id === null ? ' class="active' : '')
     . '">' . __('Overview') . '</a></li>';
 
@@ -28,7 +28,8 @@ $formsets = array(
 );
 
 foreach ($formsets as $formset => $label) {
-    echo '<li><a href="?page=form' . $separator . 'formset=' . $formset . '" '
+    echo '<li><a href="' . PMA_URL_getCommon() . $separator . 'page=form'
+        . $separator . 'formset=' . $formset . '" '
         . ($formset_id === $formset ? ' class="active' : '')
         . '">' . $label . '</a></li>';
 }
diff --git a/setup/frames/servers.inc.php b/setup/frames/servers.inc.php
index 87c5cee1d7..859a784816 100644
--- a/setup/frames/servers.inc.php
+++ b/setup/frames/servers.inc.php
@@ -19,8 +19,8 @@ require_once './setup/lib/form_processing.lib.php';
 
 require './libraries/config/setup.forms.php';
 
-$mode = filter_input(INPUT_GET, 'mode');
-$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
+$mode = isset($_GET['mode']) ? $_GET['mode'] : null;
+$id = PMA_isValid($_GET['id'], 'numeric') ? $_GET['id'] : null;
 
 $cf = $GLOBALS['ConfigFile'];
 $server_exists = !empty($id) && $cf->get("Servers/$id") !== null;
diff --git a/setup/index.php b/setup/index.php
index 53d333a63f..5ef68c268e 100644
--- a/setup/index.php
+++ b/setup/index.php
@@ -12,7 +12,7 @@
  */
 require './lib/common.inc.php';
 
-$page = filter_input(INPUT_GET, 'page');
+$page = isset($_GET['page']) ? $_GET['page'] : null;
 $page = preg_replace('/[^a-z]/', '', $page);
 if ($page === '') {
     $page = 'index';
@@ -23,7 +23,7 @@ if (!file_exists("./setup/frames/$page.inc.php")) {
 }
 
 // Handle done action info
-$action_done = filter_input(INPUT_GET, 'action_done');
+$action_done = isset($_GET['action_done']) ? $_GET['action_done'] : null;
 $action_done = preg_replace('/[^a-z_]/', '', $action_done);
 
 PMA_noCacheHeader();
diff --git a/setup/lib/form_processing.lib.php b/setup/lib/form_processing.lib.php
index 5d762e76c5..db80e44ec5 100644
--- a/setup/lib/form_processing.lib.php
+++ b/setup/lib/form_processing.lib.php
@@ -15,7 +15,7 @@
  */
 function PMA_Process_formset(FormDisplay $form_display)
 {
-    if (filter_input(INPUT_GET, 'mode') == 'revert') {
+    if (isset($_GET['mode']) && $_GET['mode'] == 'revert') {
         // revert erroneous fields to their default values
         $form_display->fixErrors();
         PMA_generateHeader303();
@@ -35,10 +35,10 @@ function PMA_Process_formset(FormDisplay $form_display)
 
     // form has errors, show warning
     $separator = PMA_URL_getArgSeparator('html');
-    $page = filter_input(INPUT_GET, 'page');
-    $formset = filter_input(INPUT_GET, 'formset');
+    $page = isset($_GET['page']) ? $_GET['page'] : null;
+    $formset = isset($_GET['formset']) ? $_GET['formset'] : null;
     $formset = $formset ? "{$separator}formset=$formset" : '';
-    $formId = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
+    $formId = PMA_isValid($_GET['id'], 'numeric') ? $_GET['id'] : null;
     if ($formId === null && $page == 'servers') {
         // we've just added a new server, get its id
         $formId = $form_display->getConfigFile()->getServerCount();
@@ -48,15 +48,18 @@ function PMA_Process_formset(FormDisplay $form_display)
     <div class="error">
         <h4><?php echo __('Warning') ?></h4>
         <?php echo __('Submitted form contains errors') ?><br />
-        <a href="?page=<?php echo $page . $formset . $formId . $separator ?>mode=revert">
+        <a href="<?php echo PMA_URL_getCommon() . $separator ?>
+            page=<?php echo $page . $formset . $formId . $separator ?>mode=revert">
             <?php echo __('Try to revert erroneous fields to their default values')
             ?>
         </a>
     </div>
     <?php $form_display->displayErrors() ?>
-    <a class="btn" href="index.php"><?php echo __('Ignore errors') ?></a>
+    <a class="btn" href="index.php<?php echo PMA_URL_getCommon() ?>">
+        <?php echo __('Ignore errors') ?></a>
     &nbsp;
-    <a class="btn" href="?page=<?php echo $page . $formset . $formId
+    <a class="btn" href="<?php echo PMA_URL_getCommon() . $separator ?>
+        page=<?php echo $page . $formset . $formId
         . $separator ?>mode=edit"><?php echo __('Show form') ?></a>
     <?php
 }
diff --git a/setup/validate.php b/setup/validate.php
index fba2725dc3..3c070f29ab 100644
--- a/setup/validate.php
+++ b/setup/validate.php
@@ -16,8 +16,10 @@ require './libraries/config/Validator.class.php';
 
 header('Content-type: application/json');
 
-$vids = explode(',', filter_input(INPUT_POST, 'id'));
-$values = json_decode(filter_input(INPUT_POST, 'values'));
+$ids = isset($_POST['id']) ? $_POST['id'] : null;
+$vids = explode(',', $ids);
+$vals = isset($_POST['values']) ? $_POST['values'] : null;
+$values = json_decode($vals);
 if (!($values instanceof stdClass)) {
     PMA_fatalError(__('Wrong data'));
 }
-- 
cgit v1.2.3