
Commit 270995b

authored
Fix XSS Vulnerability
The potential for abuse is limited.
2 parents 5d7c5a4 + ca494f6 commit 270995b


15 files changed

+791
-389
lines changed


LICENSE

Lines changed: 338 additions & 11 deletions

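--- a/admin.php
+++ b/admin.php
@@ -1,7 +1,7 @@
 <?php
 
 $script = ''; // init global value script
-
+
 /**
 * Show confirmation of cluster and perform cluster
 */
@@ -20,17 +20,17 @@ function doCluster($type, $confirm=false) {
 
 echo "<form action=\"{$script}\" method=\"post\">\n";
 foreach($_REQUEST['ma'] as $v) {
-$a = unserialize(htmlspecialchars_decode($v, ENT_QUOTES));
+$a = safeUnserialize(htmlspecialchars_decode($v, ENT_QUOTES));
 echo "<p>", sprintf($lang['strconfclustertable'], $misc->printVal($a['table'])), "</p>\n";
 echo "<input type=\"hidden\" name=\"table[]\" value=\"", htmlspecialchars($a['table']), "\" />\n";
 }
 } // END if multi cluster
 else {
 $misc->printTrail($type);
 $misc->printTitle($lang['strclusterindex'], 'pg.index.cluster');
-
+
 echo "<form action=\"{$script}\" method=\"post\">\n";
-
+
 if ($type == 'table') {
 echo "<p>", sprintf($lang['strconfclustertable'], $misc->printVal($_REQUEST['object'])), "</p>\n";
 echo "<input type=\"hidden\" name=\"table\" value=\"", htmlspecialchars($_REQUEST['object']), "\" />\n";
@@ -41,7 +41,7 @@ function doCluster($type, $confirm=false) {
 }
 }
 echo "<input type=\"hidden\" name=\"action\" value=\"cluster\" />\n";
-
+
 echo $misc->form;
 
 echo "<input type=\"submit\" name=\"cluster\" value=\"{$lang['strcluster']}\" />\n"; //TODO
@@ -84,7 +84,7 @@ function doCluster($type, $confirm=false) {
 }
 }
 }
-
+
 /**
 * Show confirmation of reindex and perform reindex
 */
@@ -103,17 +103,17 @@ function doReindex($type, $confirm=false) {
 
 echo "<form action=\"{$script}\" method=\"post\">\n";
 foreach($_REQUEST['ma'] as $v) {
-$a = unserialize(htmlspecialchars_decode($v, ENT_QUOTES));
+$a = safeUnserialize(htmlspecialchars_decode($v, ENT_QUOTES));
 echo "<p>", sprintf($lang['strconfreindextable'], $misc->printVal($a['table'])), "</p>\n";
 echo "<input type=\"hidden\" name=\"table[]\" value=\"", htmlspecialchars($a['table']), "\" />\n";
 }
 } // END if multi reindex
 else {
 $misc->printTrail($type);
 $misc->printTitle($lang['strreindex'], 'pg.reindex');
-
+
 echo "<form action=\"{$script}\" method=\"post\">\n";
-
+
 if ($type == 'table') {
 echo "<p>", sprintf($lang['strconfreindextable'], $misc->printVal($_REQUEST['object'])), "</p>\n";
 echo "<input type=\"hidden\" name=\"table\" value=\"", htmlspecialchars($_REQUEST['object']), "\" />\n";
@@ -124,10 +124,10 @@ function doReindex($type, $confirm=false) {
 }
 }
 echo "<input type=\"hidden\" name=\"action\" value=\"reindex\" />\n";
-
+
 if ($data->hasForceReindex())
 echo "<p><input type=\"checkbox\" id=\"reindex_force\" name=\"reindex_force\" /><label for=\"reindex_force\">{$lang['strforce']}</label></p>\n";
-
+
 echo $misc->form;
 
 echo "<input type=\"submit\" name=\"reindex\" value=\"{$lang['strreindex']}\" />\n"; //TODO
@@ -162,7 +162,7 @@ function doReindex($type, $confirm=false) {
 }
 }
 }
-
+
 /**
 * Show confirmation of analyze and perform analyze
 */
@@ -181,17 +181,17 @@ function doAnalyze($type, $confirm=false) {
 
 echo "<form action=\"{$script}\" method=\"post\">\n";
 foreach($_REQUEST['ma'] as $v) {
-$a = unserialize(htmlspecialchars_decode($v, ENT_QUOTES));
+$a = safeUnserialize(htmlspecialchars_decode($v, ENT_QUOTES));
 echo "<p>", sprintf($lang['strconfanalyzetable'], $misc->printVal($a['table'])), "</p>\n";
 echo "<input type=\"hidden\" name=\"table[]\" value=\"", htmlspecialchars($a['table']), "\" />\n";
 }
 } // END if multi analyze
 else {
 $misc->printTrail($type);
 $misc->printTitle($lang['stranalyze'], 'pg.analyze');
-
+
 echo "<form action=\"{$script}\" method=\"post\">\n";
-
+
 if ($type == 'table') {
 echo "<p>", sprintf($lang['strconfanalyzetable'], $misc->printVal($_REQUEST['object'])), "</p>\n";
 echo "<input type=\"hidden\" name=\"table\" value=\"", htmlspecialchars($_REQUEST['object']), "\" />\n";
@@ -256,7 +256,7 @@ function doVacuum($type, $confirm = false) {
 
 echo "<form action=\"{$script}\" method=\"post\">\n";
 foreach($_REQUEST['ma'] as $v) {
-$a = unserialize(htmlspecialchars_decode($v, ENT_QUOTES));
+$a = safeUnserialize(htmlspecialchars_decode($v, ENT_QUOTES));
 echo "<p>", sprintf($lang['strconfvacuumtable'], $misc->printVal($a['table'])), "</p>\n";
 echo "<input type=\"hidden\" name=\"table[]\" value=\"", htmlspecialchars($a['table']), "\" />\n";
 }
@@ -266,7 +266,7 @@ function doVacuum($type, $confirm = false) {
 $misc->printTitle($lang['strvacuum'], 'pg.vacuum');
 
 echo "<form action=\"{$script}\" method=\"post\">\n";
-
+
 if ($type == 'table') {
 echo "<p>", sprintf($lang['strconfvacuumtable'], $misc->printVal($_REQUEST['object'])), "</p>\n";
 echo "<input type=\"hidden\" name=\"table\" value=\"", htmlspecialchars($_REQUEST['object']), "\" />\n";
@@ -320,14 +320,14 @@ function doVacuum($type, $confirm = false) {
 */
 function doEditAutovacuum($type, $confirm, $msg='') {
 global $script, $data, $misc, $lang;
-
+
 if (empty($_REQUEST['table'])) {
 doAdmin($type, '', $lang['strspecifyeditvacuumtable']);
 return;
 }
-
+
 $script = ($type == 'database')? 'database.php' : 'tables.php';
-
+
 if ($confirm) {
 $misc->printTrail($type);
 $misc->printTitle(sprintf($lang['streditvacuumtable'], $misc->printVal($_REQUEST['table'])));
@@ -337,7 +337,7 @@ function doEditAutovacuum($type, $confirm, $msg='') {
 doAdmin($type, '', $lang['strspecifyeditvacuumtable']);
 return;
 }
-
+
 $old_val = $data->getTableAutovacuum($_REQUEST['table']);
 $defaults = $data->getAutovacuum();
 $old_val = $old_val->fields;
@@ -401,14 +401,14 @@ function doEditAutovacuum($type, $confirm, $msg='') {
 $status = $data->saveAutovacuum($_REQUEST['table'], $_POST['autovacuum_enabled'], $_POST['autovacuum_vacuum_threshold'],
 $_POST['autovacuum_vacuum_scale_factor'], $_POST['autovacuum_analyze_threshold'], $_POST['autovacuum_analyze_scale_factor'],
 $_POST['autovacuum_vacuum_cost_delay'], $_POST['autovacuum_vacuum_cost_limit']);
-
+
 if ($status == 0)
 doAdmin($type, '', sprintf($lang['strsetvacuumtablesaved'], $_REQUEST['table']));
 else
 doEditAutovacuum($type, true, $lang['strsetvacuumtablefail']);
 }
 }
-
+
 /**
 * confirm drop autovacuum params for a table and drop it
 */
@@ -419,11 +419,11 @@ function doDropAutovacuum($type, $confirm) {
 doAdmin($type, '', $lang['strspecifydelvacuumtable']);
 return;
 }
-
+
 if ($confirm) {
 $misc->printTrail($type);
 $misc->printTabs($type,'admin');
-
+
 $script = ($type == 'database')? 'database.php' : 'tables.php';
 
 printf("<p>{$lang['strdelvacuumtable']}</p>\n",
@@ -436,7 +436,7 @@ function doDropAutovacuum($type, $confirm) {
 echo "<input type=\"hidden\" name=\"rel\" value=\"", htmlspecialchars(serialize(array($_REQUEST['schema'], $_REQUEST['table']))), "\" />\n";
 echo "<input type=\"submit\" name=\"yes\" value=\"{$lang['stryes']}\" />\n";
 echo "</form>\n";
-
+
 echo "<form action=\"{$script}\" method=\"post\">\n";
 echo "<input type=\"hidden\" name=\"action\" value=\"admin\" />\n";
 echo "<input type=\"hidden\" name=\"table\" value=\"", htmlspecialchars($_REQUEST['table']), "\" />\n";
@@ -445,9 +445,9 @@ function doDropAutovacuum($type, $confirm) {
 echo "</form>\n";
 }
 else {
-
+
 $status = $data->dropAutovacuum($_POST['table']);
-
+
 if ($status == 0) {
 doAdmin($type, '', sprintf($lang['strvacuumtablereset'], $misc->printVal($_POST['table'])));
 }
@@ -461,19 +461,19 @@ function doDropAutovacuum($type, $confirm) {
 *
 * $Id: admin.php
 */
-
+
 function doAdmin($type, $msg = '') {
-global $script, $data, $misc, $lang;
+global $script, $data, $misc, $lang;
 
 $misc->printTrail($type);
 $misc->printTabs($type,'admin');
 $misc->printMsg($msg);
-
+
 if ($type == 'database')
 printf("<p>{$lang['stradminondatabase']}</p>\n", $misc->printVal($_REQUEST['object']));
 else
 printf("<p>{$lang['stradminontable']}</p>\n", $misc->printVal($_REQUEST['object']));
-
+
 echo "<table style=\"width: 50%\">\n";
 echo "<tr>\n";
 echo "<th class=\"data\">";
@@ -490,21 +490,21 @@ function doAdmin($type, $msg = '') {
 echo "<th class=\"data\">";
 $misc->printHelp($lang['strreindex'],'pg.index.reindex');
 echo "</th>";
-echo "</tr>";
+echo "</tr>";
 
 // Vacuum
 echo "<tr class=\"row1\">\n";
 echo "<td style=\"text-align: center; vertical-align: bottom\">\n";
 echo "<form action=\"{$script}\" method=\"post\">\n";
-
+
 echo "<p><input type=\"hidden\" name=\"action\" value=\"confirm_vacuum\" />\n";
 echo $misc->form;
 if ($type == 'table') {
 echo "<input type=\"hidden\" name=\"table\" value=\"", htmlspecialchars($_REQUEST['object']), "\" />\n";
 echo "<input type=\"hidden\" name=\"subject\" value=\"table\" />\n";
 }
 echo "<input type=\"submit\" value=\"{$lang['strvacuum']}\" /></p>\n";
-echo "</form>\n";
+echo "</form>\n";
 echo "</td>\n";
 
 // Analyze
@@ -519,7 +519,7 @@ function doAdmin($type, $msg = '') {
 echo "<input type=\"submit\" value=\"{$lang['stranalyze']}\" /></p>\n";
 echo "</form>\n";
 echo "</td>\n";
-
+
 // Cluster
 if ($data->hasRecluster()){
 $disabled = '';
@@ -539,7 +539,7 @@ function doAdmin($type, $msg = '') {
 echo "</form>\n";
 echo "</td>\n";
 }
-
+
 // Reindex
 echo "<td style=\"text-align: center; vertical-align: bottom\">\n";
 echo "<form action=\"{$script}\" method=\"post\">\n";
@@ -566,20 +566,20 @@ function doAdmin($type, $msg = '') {
 echo "<br /><br /><h2>{$lang['strvacuumpertable']}</h2>";
 echo '<p>' . (($defaults['autovacuum'] == 'on') ? $lang['strturnedon'] : $lang['strturnedoff'] ) . '</p>';
 echo "<p class=\"message\">{$lang['strnotdefaultinred']}</p>";
-
+
 function enlight($f, $p) {
 if ( isset($f[$p[0]]) and ($f[$p[0]] != $p[1]))
 return "<span style=\"color:#F33;font-weight:bold\">". htmlspecialchars($f[$p[0]]) ."</span>";
 return htmlspecialchars($p[1]);
 }
-
+
 $columns = array(
 'namespace' => array(
 'title' => $lang['strschema'],
 'field' => field('nspname'),
 'url' => "redirect.php?subject=schema&amp;{$misc->href}&amp;",
 'vars' => array('schema' => 'nspname'),
-),
+),
 'relname' => array(
 'title' => $lang['strtable'],
 'field' => field('relname'),
@@ -622,7 +622,7 @@ function enlight($f, $p) {
 'type' => 'verbatim'
 ),
 );
-
+
 // Maybe we need to check permissions here?
 $columns['actions'] = array('title' => $lang['stractions']);
 
@@ -666,18 +666,18 @@ function enlight($f, $p) {
 }
 
 $misc->printTable($autovac, $columns, $actions, 'admin-admin', $lang['strnovacuumconf']);
-
+
 if (($type == 'table') and ($autovac->recordCount() == 0)) {
 echo "<br />";
 echo "<a href=\"tables.php?action=confeditautovac&amp;{$misc->href}&amp;table=", htmlspecialchars($_REQUEST['table'])
 ,"\">{$lang['straddvacuumtable']}</a>";
 }
 }
 }
-
+
 function adminActions($action, $type) {
 global $script;
-
+
 if ($type == 'database') {
 $_REQUEST['object'] = $_REQUEST['database'];
 $script = 'database.php';
@@ -749,5 +749,3 @@ function adminActions($action, $type) {
 }
 return true;
 }
-
-?>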
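Review bot: The result of `safeUnserialize(...)` in the `doCluster` multi-action loop (old line 23) is used as `$a['table']` on the next two lines without checking that it is an array carrying that key, so a malformed or rejected `ma[]` value (presumably yielding `false`, since `safeUnserialize` is not defined in this section) produces PHP notices and an empty hidden `table[]` field in the confirmation form; the same pattern is repeated in `doReindex`, `doAnalyze` and `doVacuum`. Add `if (!is_array($a) || !isset($a['table'])) continue;` directly after each `safeUnserialize` call so only well-formed entries reach the output. Whether `safeUnserialize` actually refuses object instantiation cannot be confirmed from this file; a one-line comment at each call site, `// safeUnserialize must reject objects — see its definition`, would make that contract visible to future maintainers. Note that `doDropAutovacuum` (old line 436) still round-trips serialized state through a hidden field, so the serialized-form transport remains part of the design after this commit. The enclosing functions start and end outside their hunks.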
