Skip to content

Commit

Permalink
Fix XSS Vulnerability
Browse files Browse the repository at this point in the history 
Potential changes for abuse are limited
  • Loading branch information
@jaapmarcus
jaapmarcus committed Sep 18, 2023
2 parents 5d7c5a4 + ca494f6 commit 270995b
Show file tree
Hide file tree
Showing 15 changed files with 791 additions and 389 deletions.
349 changes: 338 additions & 11 deletions LICENSE
View file

Large diffs are not rendered by default.

90 changes: 44 additions & 46 deletions admin.php
View file
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
<?php

$script = ''; // init global value script

/**
* Show confirmation of cluster and perform cluster
*/
Expand All @@ -20,17 +20,17 @@ function doCluster($type, $confirm=false) {

echo "<form action=\"{$script}\" method=\"post\">\n";
foreach($_REQUEST['ma'] as $v) {
$a = unserialize(htmlspecialchars_decode($v, ENT_QUOTES));
$a = safeUnserialize(htmlspecialchars_decode($v, ENT_QUOTES));
echo "<p>", sprintf($lang['strconfclustertable'], $misc->printVal($a['table'])), "</p>\n";
echo "<input type=\"hidden\" name=\"table[]\" value=\"", htmlspecialchars($a['table']), "\" />\n";
}
} // END if multi cluster
else {
$misc->printTrail($type);
$misc->printTitle($lang['strclusterindex'], 'pg.index.cluster');

echo "<form action=\"{$script}\" method=\"post\">\n";

if ($type == 'table') {
echo "<p>", sprintf($lang['strconfclustertable'], $misc->printVal($_REQUEST['object'])), "</p>\n";
echo "<input type=\"hidden\" name=\"table\" value=\"", htmlspecialchars($_REQUEST['object']), "\" />\n";
Expand All @@ -41,7 +41,7 @@ function doCluster($type, $confirm=false) {
}
}
echo "<input type=\"hidden\" name=\"action\" value=\"cluster\" />\n";

echo $misc->form;

echo "<input type=\"submit\" name=\"cluster\" value=\"{$lang['strcluster']}\" />\n"; //TODO
Expand Down Expand Up @@ -84,7 +84,7 @@ function doCluster($type, $confirm=false) {
}
}
}

/**
* Show confirmation of reindex and perform reindex
*/
Expand All @@ -103,17 +103,17 @@ function doReindex($type, $confirm=false) {

echo "<form action=\"{$script}\" method=\"post\">\n";
foreach($_REQUEST['ma'] as $v) {
$a = unserialize(htmlspecialchars_decode($v, ENT_QUOTES));
$a = safeUnserialize(htmlspecialchars_decode($v, ENT_QUOTES));
echo "<p>", sprintf($lang['strconfreindextable'], $misc->printVal($a['table'])), "</p>\n";
echo "<input type=\"hidden\" name=\"table[]\" value=\"", htmlspecialchars($a['table']), "\" />\n";
}
} // END if multi reindex
else {
$misc->printTrail($type);
$misc->printTitle($lang['strreindex'], 'pg.reindex');

echo "<form action=\"{$script}\" method=\"post\">\n";

if ($type == 'table') {
echo "<p>", sprintf($lang['strconfreindextable'], $misc->printVal($_REQUEST['object'])), "</p>\n";
echo "<input type=\"hidden\" name=\"table\" value=\"", htmlspecialchars($_REQUEST['object']), "\" />\n";
Expand All @@ -124,10 +124,10 @@ function doReindex($type, $confirm=false) {
}
}
echo "<input type=\"hidden\" name=\"action\" value=\"reindex\" />\n";

if ($data->hasForceReindex())
echo "<p><input type=\"checkbox\" id=\"reindex_force\" name=\"reindex_force\" /><label for=\"reindex_force\">{$lang['strforce']}</label></p>\n";

echo $misc->form;

echo "<input type=\"submit\" name=\"reindex\" value=\"{$lang['strreindex']}\" />\n"; //TODO
Expand Down Expand Up @@ -162,7 +162,7 @@ function doReindex($type, $confirm=false) {
}
}
}

/**
* Show confirmation of analyze and perform analyze
*/
Expand All @@ -181,17 +181,17 @@ function doAnalyze($type, $confirm=false) {

echo "<form action=\"{$script}\" method=\"post\">\n";
foreach($_REQUEST['ma'] as $v) {
$a = unserialize(htmlspecialchars_decode($v, ENT_QUOTES));
$a = safeUnserialize(htmlspecialchars_decode($v, ENT_QUOTES));
echo "<p>", sprintf($lang['strconfanalyzetable'], $misc->printVal($a['table'])), "</p>\n";
echo "<input type=\"hidden\" name=\"table[]\" value=\"", htmlspecialchars($a['table']), "\" />\n";
}
} // END if multi analyze
else {
$misc->printTrail($type);
$misc->printTitle($lang['stranalyze'], 'pg.analyze');

echo "<form action=\"{$script}\" method=\"post\">\n";

if ($type == 'table') {
echo "<p>", sprintf($lang['strconfanalyzetable'], $misc->printVal($_REQUEST['object'])), "</p>\n";
echo "<input type=\"hidden\" name=\"table\" value=\"", htmlspecialchars($_REQUEST['object']), "\" />\n";
Expand Down Expand Up @@ -256,7 +256,7 @@ function doVacuum($type, $confirm = false) {

echo "<form action=\"{$script}\" method=\"post\">\n";
foreach($_REQUEST['ma'] as $v) {
$a = unserialize(htmlspecialchars_decode($v, ENT_QUOTES));
$a = safeUnserialize(htmlspecialchars_decode($v, ENT_QUOTES));
echo "<p>", sprintf($lang['strconfvacuumtable'], $misc->printVal($a['table'])), "</p>\n";
echo "<input type=\"hidden\" name=\"table[]\" value=\"", htmlspecialchars($a['table']), "\" />\n";
}
Expand All @@ -266,7 +266,7 @@ function doVacuum($type, $confirm = false) {
$misc->printTitle($lang['strvacuum'], 'pg.vacuum');

echo "<form action=\"{$script}\" method=\"post\">\n";

if ($type == 'table') {
echo "<p>", sprintf($lang['strconfvacuumtable'], $misc->printVal($_REQUEST['object'])), "</p>\n";
echo "<input type=\"hidden\" name=\"table\" value=\"", htmlspecialchars($_REQUEST['object']), "\" />\n";
Expand Down Expand Up @@ -320,14 +320,14 @@ function doVacuum($type, $confirm = false) {
*/
function doEditAutovacuum($type, $confirm, $msg='') {
global $script, $data, $misc, $lang;

if (empty($_REQUEST['table'])) {
doAdmin($type, '', $lang['strspecifyeditvacuumtable']);
return;
}

$script = ($type == 'database')? 'database.php' : 'tables.php';

if ($confirm) {
$misc->printTrail($type);
$misc->printTitle(sprintf($lang['streditvacuumtable'], $misc->printVal($_REQUEST['table'])));
Expand All @@ -337,7 +337,7 @@ function doEditAutovacuum($type, $confirm, $msg='') {
doAdmin($type, '', $lang['strspecifyeditvacuumtable']);
return;
}

$old_val = $data->getTableAutovacuum($_REQUEST['table']);
$defaults = $data->getAutovacuum();
$old_val = $old_val->fields;
Expand Down Expand Up @@ -401,14 +401,14 @@ function doEditAutovacuum($type, $confirm, $msg='') {
$status = $data->saveAutovacuum($_REQUEST['table'], $_POST['autovacuum_enabled'], $_POST['autovacuum_vacuum_threshold'],
$_POST['autovacuum_vacuum_scale_factor'], $_POST['autovacuum_analyze_threshold'], $_POST['autovacuum_analyze_scale_factor'],
$_POST['autovacuum_vacuum_cost_delay'], $_POST['autovacuum_vacuum_cost_limit']);

if ($status == 0)
doAdmin($type, '', sprintf($lang['strsetvacuumtablesaved'], $_REQUEST['table']));
else
doEditAutovacuum($type, true, $lang['strsetvacuumtablefail']);
}
}

/**
* confirm drop autovacuum params for a table and drop it
*/
Expand All @@ -419,11 +419,11 @@ function doDropAutovacuum($type, $confirm) {
doAdmin($type, '', $lang['strspecifydelvacuumtable']);
return;
}

if ($confirm) {
$misc->printTrail($type);
$misc->printTabs($type,'admin');

$script = ($type == 'database')? 'database.php' : 'tables.php';

printf("<p>{$lang['strdelvacuumtable']}</p>\n",
Expand All @@ -436,7 +436,7 @@ function doDropAutovacuum($type, $confirm) {
echo "<input type=\"hidden\" name=\"rel\" value=\"", htmlspecialchars(serialize(array($_REQUEST['schema'], $_REQUEST['table']))), "\" />\n";
echo "<input type=\"submit\" name=\"yes\" value=\"{$lang['stryes']}\" />\n";
echo "</form>\n";

echo "<form action=\"{$script}\" method=\"post\">\n";
echo "<input type=\"hidden\" name=\"action\" value=\"admin\" />\n";
echo "<input type=\"hidden\" name=\"table\" value=\"", htmlspecialchars($_REQUEST['table']), "\" />\n";
Expand All @@ -445,9 +445,9 @@ function doDropAutovacuum($type, $confirm) {
echo "</form>\n";
}
else {

$status = $data->dropAutovacuum($_POST['table']);

if ($status == 0) {
doAdmin($type, '', sprintf($lang['strvacuumtablereset'], $misc->printVal($_POST['table'])));
}
Expand All @@ -461,19 +461,19 @@ function doDropAutovacuum($type, $confirm) {
*
* $Id: admin.php
*/

function doAdmin($type, $msg = '') {
global $script, $data, $misc, $lang;
global $script, $data, $misc, $lang;

$misc->printTrail($type);
$misc->printTabs($type,'admin');
$misc->printMsg($msg);

if ($type == 'database')
printf("<p>{$lang['stradminondatabase']}</p>\n", $misc->printVal($_REQUEST['object']));
else
printf("<p>{$lang['stradminontable']}</p>\n", $misc->printVal($_REQUEST['object']));

echo "<table style=\"width: 50%\">\n";
echo "<tr>\n";
echo "<th class=\"data\">";
Expand All @@ -490,21 +490,21 @@ function doAdmin($type, $msg = '') {
echo "<th class=\"data\">";
$misc->printHelp($lang['strreindex'],'pg.index.reindex');
echo "</th>";
echo "</tr>";
echo "</tr>";

// Vacuum
echo "<tr class=\"row1\">\n";
echo "<td style=\"text-align: center; vertical-align: bottom\">\n";
echo "<form action=\"{$script}\" method=\"post\">\n";

echo "<p><input type=\"hidden\" name=\"action\" value=\"confirm_vacuum\" />\n";
echo $misc->form;
if ($type == 'table') {
echo "<input type=\"hidden\" name=\"table\" value=\"", htmlspecialchars($_REQUEST['object']), "\" />\n";
echo "<input type=\"hidden\" name=\"subject\" value=\"table\" />\n";
}
echo "<input type=\"submit\" value=\"{$lang['strvacuum']}\" /></p>\n";
echo "</form>\n";
echo "</form>\n";
echo "</td>\n";

// Analyze
Expand All @@ -519,7 +519,7 @@ function doAdmin($type, $msg = '') {
echo "<input type=\"submit\" value=\"{$lang['stranalyze']}\" /></p>\n";
echo "</form>\n";
echo "</td>\n";

// Cluster
if ($data->hasRecluster()){
$disabled = '';
Expand All @@ -539,7 +539,7 @@ function doAdmin($type, $msg = '') {
echo "</form>\n";
echo "</td>\n";
}

// Reindex
echo "<td style=\"text-align: center; vertical-align: bottom\">\n";
echo "<form action=\"{$script}\" method=\"post\">\n";
Expand All @@ -566,20 +566,20 @@ function doAdmin($type, $msg = '') {
echo "<br /><br /><h2>{$lang['strvacuumpertable']}</h2>";
echo '<p>' . (($defaults['autovacuum'] == 'on') ? $lang['strturnedon'] : $lang['strturnedoff'] ) . '</p>';
echo "<p class=\"message\">{$lang['strnotdefaultinred']}</p>";

function enlight($f, $p) {
if ( isset($f[$p[0]]) and ($f[$p[0]] != $p[1]))
return "<span style=\"color:#F33;font-weight:bold\">". htmlspecialchars($f[$p[0]]) ."</span>";
return htmlspecialchars($p[1]);
}

$columns = array(
'namespace' => array(
'title' => $lang['strschema'],
'field' => field('nspname'),
'url' => "redirect.php?subject=schema&amp;{$misc->href}&amp;",
'vars' => array('schema' => 'nspname'),
),
),
'relname' => array(
'title' => $lang['strtable'],
'field' => field('relname'),
Expand Down Expand Up @@ -622,7 +622,7 @@ function enlight($f, $p) {
'type' => 'verbatim'
),
);

// Maybe we need to check permissions here?
$columns['actions'] = array('title' => $lang['stractions']);

Expand Down Expand Up @@ -666,18 +666,18 @@ function enlight($f, $p) {
}

$misc->printTable($autovac, $columns, $actions, 'admin-admin', $lang['strnovacuumconf']);

if (($type == 'table') and ($autovac->recordCount() == 0)) {
echo "<br />";
echo "<a href=\"tables.php?action=confeditautovac&amp;{$misc->href}&amp;table=", htmlspecialchars($_REQUEST['table'])
,"\">{$lang['straddvacuumtable']}</a>";
}
}
}

function adminActions($action, $type) {
global $script;

if ($type == 'database') {
$_REQUEST['object'] = $_REQUEST['database'];
$script = 'database.php';
Expand Down Expand Up @@ -749,5 +749,3 @@ function adminActions($action, $type) {
}
return true;
}

?>
Loading

0 comments on commit 270995b

Please sign in to comment.