1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
|
<?php
declare(strict_types=1);
namespace PhpMyAdmin;
use PhpMyAdmin\ConfigStorage\Relation;
use PhpMyAdmin\Dbal\DatabaseName;
use PhpMyAdmin\Dbal\TableName;
use PhpMyAdmin\Http\Factory\ServerRequestFactory;
use PhpMyAdmin\Http\ServerRequest;
use PhpMyAdmin\Plugins\AuthenticationPlugin;
use PhpMyAdmin\SqlParser\Lexer;
use Symfony\Component\DependencyInjection\ContainerInterface;
use Webmozart\Assert\Assert;
use Webmozart\Assert\InvalidArgumentException;
use function __;
use function array_pop;
use function count;
use function date_default_timezone_get;
use function date_default_timezone_set;
use function define;
use function defined;
use function explode;
use function extension_loaded;
use function function_exists;
use function hash_equals;
use function htmlspecialchars;
use function implode;
use function ini_get;
use function ini_set;
use function is_array;
use function is_scalar;
use function mb_internal_encoding;
use function mb_strlen;
use function mb_strpos;
use function mb_strrpos;
use function mb_substr;
use function register_shutdown_function;
use function session_id;
use function str_replace;
use function strlen;
use function trigger_error;
use function urldecode;
use const E_USER_ERROR;
final class Common
{
/**
* Misc stuff and REQUIRED by ALL the scripts.
* MUST be included by every script
*
* Among other things, it contains the advanced authentication work.
*
* Order of sections:
*
* the authentication libraries must be before the connection to db
*
* ... so the required order is:
*
* LABEL_variables_init
* - initialize some variables always needed
* LABEL_parsing_config_file
* - parsing of the configuration file
* LABEL_loading_language_file
* - loading language file
* LABEL_setup_servers
* - check and setup configured servers
* LABEL_theme_setup
* - setting up themes
*
* - load of MySQL extension (if necessary)
* - loading of an authentication library
* - db connection
* - authentication work
*/
public static function run(): void
{
global $containerBuilder, $errorHandler, $config, $server, $dbi, $request;
global $lang, $cfg, $isConfigLoading, $auth_plugin, $route, $theme;
global $urlParams, $isMinimumCommon, $sql_query, $token_mismatch;
$request = ServerRequestFactory::createFromGlobals();
$route = Routing::getCurrentRoute();
if ($route === '/import-status') {
$isMinimumCommon = true;
}
$containerBuilder = Core::getContainerBuilder();
/** @var ErrorHandler $errorHandler */
$errorHandler = $containerBuilder->get('error_handler');
self::checkRequiredPhpExtensions();
self::configurePhpSettings();
self::cleanupPathInfo();
/* parsing configuration file LABEL_parsing_config_file */
/** @var bool $isConfigLoading Indication for the error handler */
$isConfigLoading = false;
register_shutdown_function([Config::class, 'fatalErrorHandler']);
/**
* Force reading of config file, because we removed sensitive values
* in the previous iteration.
*
* @var Config $config
*/
$config = $containerBuilder->get('config');
/**
* include session handling after the globals, to prevent overwriting
*/
if (! defined('PMA_NO_SESSION')) {
Session::setUp($config, $errorHandler);
}
$request = Core::populateRequestWithEncryptedQueryParams($request);
/**
* init some variables LABEL_variables_init
*/
/**
* holds parameters to be passed to next page
*
* @global array $urlParams
*/
$urlParams = [];
$containerBuilder->setParameter('url_params', $urlParams);
self::setGotoAndBackGlobals($containerBuilder, $config);
self::checkTokenRequestParam();
self::setDatabaseAndTableFromRequest($containerBuilder, $request);
/**
* SQL query to be executed
*
* @global string $sql_query
*/
$sql_query = '';
if ($request->isPost()) {
$sql_query = $request->getParsedBodyParam('sql_query', '');
}
$containerBuilder->setParameter('sql_query', $sql_query);
//$_REQUEST['set_theme'] // checked later in this file LABEL_theme_setup
//$_REQUEST['server']; // checked later in this file
//$_REQUEST['lang']; // checked by LABEL_loading_language_file
/* loading language file LABEL_loading_language_file */
/**
* lang detection is done here
*/
$language = LanguageManager::getInstance()->selectLanguage();
$language->activate();
/**
* check for errors occurred while loading configuration
* this check is done here after loading language files to present errors in locale
*/
$config->checkPermissions();
$config->checkErrors();
self::checkServerConfiguration();
self::checkRequest();
/* setup servers LABEL_setup_servers */
$config->checkServers();
/**
* current server
*
* @global integer $server
*/
$server = $config->selectServer();
$urlParams['server'] = $server;
$containerBuilder->setParameter('server', $server);
$containerBuilder->setParameter('url_params', $urlParams);
$cfg = $config->settings;
/* setup themes LABEL_theme_setup */
$theme = ThemeManager::initializeTheme();
/** @var DatabaseInterface $dbi */
$dbi = null;
if (isset($isMinimumCommon)) {
$config->loadUserPreferences();
$containerBuilder->set('theme_manager', ThemeManager::getInstance());
Tracker::enable();
return;
}
/**
* save some settings in cookies
*
* @todo should be done in PhpMyAdmin\Config
*/
$config->setCookie('pma_lang', (string) $lang);
ThemeManager::getInstance()->setThemeCookie();
$dbi = DatabaseInterface::load();
$containerBuilder->set(DatabaseInterface::class, $dbi);
$containerBuilder->setAlias('dbi', DatabaseInterface::class);
if (! empty($cfg['Server'])) {
$config->getLoginCookieValidityFromCache($server);
$auth_plugin = Plugins::getAuthPlugin();
$auth_plugin->authenticate();
/* Enable LOAD DATA LOCAL INFILE for LDI plugin */
if ($route === '/import' && ($_POST['format'] ?? '') === 'ldi') {
// Switch this before the DB connection is done
// phpcs:disable PSR1.Files.SideEffects
define('PMA_ENABLE_LDI', 1);
// phpcs:enable
}
self::connectToDatabaseServer($dbi, $auth_plugin);
$auth_plugin->rememberCredentials();
$auth_plugin->checkTwoFactor();
/* Log success */
Logging::logUser($cfg['Server']['user']);
if ($dbi->getVersion() < $cfg['MysqlMinVersion']['internal']) {
Core::fatalError(
__('You should upgrade to %s %s or later.'),
[
'MySQL',
$cfg['MysqlMinVersion']['human'],
]
);
}
// Sets the default delimiter (if specified).
$sqlDelimiter = $request->getParam('sql_delimiter', '');
if (strlen($sqlDelimiter) > 0) {
// phpcs:ignore Squiz.NamingConventions.ValidVariableName.MemberNotCamelCaps
Lexer::$DEFAULT_DELIMITER = $sqlDelimiter;
}
// TODO: Set SQL modes too.
} else { // end server connecting
$response = ResponseRenderer::getInstance();
$response->getHeader()->disableMenuAndConsole();
$response->getFooter()->setMinimal();
}
$response = ResponseRenderer::getInstance();
/**
* There is no point in even attempting to process
* an ajax request if there is a token mismatch
*/
if ($response->isAjax() && $request->isPost() && $token_mismatch) {
$response->setRequestStatus(false);
$response->addJSON(
'message',
Message::error(__('Error: Token mismatch'))
);
exit;
}
Profiling::check($dbi, $response);
$containerBuilder->set('response', ResponseRenderer::getInstance());
// load user preferences
$config->loadUserPreferences();
$containerBuilder->set('theme_manager', ThemeManager::getInstance());
/* Tell tracker that it can actually work */
Tracker::enable();
if (empty($server) || ! isset($cfg['ZeroConf']) || $cfg['ZeroConf'] !== true) {
return;
}
/** @var Relation $relation */
$relation = $containerBuilder->get('relation');
$dbi->postConnectControl($relation);
}
/**
* Checks that required PHP extensions are there.
*/
private static function checkRequiredPhpExtensions(): void
{
/**
* Warning about mbstring.
*/
if (! function_exists('mb_detect_encoding')) {
Core::warnMissingExtension('mbstring');
}
/**
* We really need this one!
*/
if (! function_exists('preg_replace')) {
Core::warnMissingExtension('pcre', true);
}
/**
* JSON is required in several places.
*/
if (! function_exists('json_encode')) {
Core::warnMissingExtension('json', true);
}
/**
* ctype is required for Twig.
*/
if (! function_exists('ctype_alpha')) {
Core::warnMissingExtension('ctype', true);
}
/**
* hash is required for cookie authentication.
*/
if (function_exists('hash_hmac')) {
return;
}
Core::warnMissingExtension('hash', true);
}
/**
* Applies changes to PHP configuration.
*/
private static function configurePhpSettings(): void
{
/**
* Set utf-8 encoding for PHP
*/
ini_set('default_charset', 'utf-8');
mb_internal_encoding('utf-8');
/**
* Set precision to sane value, with higher values
* things behave slightly unexpectedly, for example
* round(1.2, 2) returns 1.199999999999999956.
*/
ini_set('precision', '14');
/**
* check timezone setting
* this could produce an E_WARNING - but only once,
* if not done here it will produce E_WARNING on every date/time function
*/
date_default_timezone_set(@date_default_timezone_get());
}
/**
* PATH_INFO could be compromised if set, so remove it from PHP_SELF
* and provide a clean PHP_SELF here
*/
public static function cleanupPathInfo(): void
{
global $PMA_PHP_SELF;
$PMA_PHP_SELF = Core::getenv('PHP_SELF');
if (empty($PMA_PHP_SELF)) {
$PMA_PHP_SELF = urldecode(Core::getenv('REQUEST_URI'));
}
$_PATH_INFO = Core::getenv('PATH_INFO');
if (! empty($_PATH_INFO) && ! empty($PMA_PHP_SELF)) {
$question_pos = mb_strpos($PMA_PHP_SELF, '?');
if ($question_pos != false) {
$PMA_PHP_SELF = mb_substr($PMA_PHP_SELF, 0, $question_pos);
}
$path_info_pos = mb_strrpos($PMA_PHP_SELF, $_PATH_INFO);
if ($path_info_pos !== false) {
$path_info_part = mb_substr($PMA_PHP_SELF, $path_info_pos, mb_strlen($_PATH_INFO));
if ($path_info_part == $_PATH_INFO) {
$PMA_PHP_SELF = mb_substr($PMA_PHP_SELF, 0, $path_info_pos);
}
}
}
$path = [];
foreach (explode('/', $PMA_PHP_SELF) as $part) {
// ignore parts that have no value
if (empty($part) || $part === '.') {
continue;
}
if ($part !== '..') {
// cool, we found a new part
$path[] = $part;
} elseif (count($path) > 0) {
// going back up? sure
array_pop($path);
}
// Here we intentionall ignore case where we go too up
// as there is nothing sane to do
}
$PMA_PHP_SELF = htmlspecialchars('/' . implode('/', $path));
}
private static function setGotoAndBackGlobals(ContainerInterface $container, Config $config): void
{
global $goto, $back, $urlParams;
// Holds page that should be displayed.
$goto = '';
$container->setParameter('goto', $goto);
if (isset($_REQUEST['goto']) && Core::checkPageValidity($_REQUEST['goto'])) {
$goto = $_REQUEST['goto'];
$urlParams['goto'] = $goto;
$container->setParameter('goto', $goto);
$container->setParameter('url_params', $urlParams);
} else {
if ($config->issetCookie('goto')) {
$config->removeCookie('goto');
}
unset($_REQUEST['goto'], $_GET['goto'], $_POST['goto']);
}
if (isset($_REQUEST['back']) && Core::checkPageValidity($_REQUEST['back'])) {
// Returning page.
$back = $_REQUEST['back'];
$container->setParameter('back', $back);
return;
}
if ($config->issetCookie('back')) {
$config->removeCookie('back');
}
unset($_REQUEST['back'], $_GET['back'], $_POST['back']);
}
/**
* Check whether user supplied token is valid, if not remove any possibly
* dangerous stuff from request.
*
* Check for token mismatch only if the Request method is POST.
* GET Requests would never have token and therefore checking
* mis-match does not make sense.
*/
public static function checkTokenRequestParam(): void
{
global $token_mismatch, $token_provided;
$token_mismatch = true;
$token_provided = false;
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') !== 'POST') {
return;
}
if (isset($_POST['token']) && is_scalar($_POST['token']) && strlen((string) $_POST['token']) > 0) {
$token_provided = true;
$token_mismatch = ! @hash_equals($_SESSION[' PMA_token '], (string) $_POST['token']);
}
if (! $token_mismatch) {
return;
}
// Warn in case the mismatch is result of failed setting of session cookie
if (isset($_POST['set_session']) && $_POST['set_session'] !== session_id()) {
trigger_error(
__(
'Failed to set session cookie. Maybe you are using HTTP instead of HTTPS to access phpMyAdmin.'
),
E_USER_ERROR
);
}
/**
* We don't allow any POST operation parameters if the token is mismatched
* or is not provided.
*/
$allowList = ['ajax_request'];
Sanitize::removeRequestVars($allowList);
}
private static function setDatabaseAndTableFromRequest(
ContainerInterface $containerBuilder,
ServerRequest $request
): void {
global $db, $table, $urlParams;
try {
$db = DatabaseName::fromValue($request->getParam('db'))->getName();
} catch (InvalidArgumentException $exception) {
$db = '';
}
try {
Assert::stringNotEmpty($db);
$table = TableName::fromValue($request->getParam('table'))->getName();
} catch (InvalidArgumentException $exception) {
$table = '';
}
if (! is_array($urlParams)) {
$urlParams = [];
}
$urlParams['db'] = $db;
$urlParams['table'] = $table;
// If some parameter value includes the % character, you need to escape it by adding
// another % so Symfony doesn't consider it a reference to a parameter name.
$containerBuilder->setParameter('db', str_replace('%', '%%', $db));
$containerBuilder->setParameter('table', str_replace('%', '%%', $table));
$containerBuilder->setParameter('url_params', $urlParams);
}
/**
* Check whether PHP configuration matches our needs.
*/
private static function checkServerConfiguration(): void
{
/**
* As we try to handle charsets by ourself, mbstring overloads just
* break it, see bug 1063821.
*
* We specifically use empty here as we are looking for anything else than
* empty value or 0.
*/
if (extension_loaded('mbstring') && ! empty(ini_get('mbstring.func_overload'))) {
Core::fatalError(
__(
'You have enabled mbstring.func_overload in your PHP '
. 'configuration. This option is incompatible with phpMyAdmin '
. 'and might cause some data to be corrupted!'
)
);
}
/**
* The ini_set and ini_get functions can be disabled using
* disable_functions but we're relying quite a lot of them.
*/
if (function_exists('ini_get') && function_exists('ini_set')) {
return;
}
Core::fatalError(
__(
'The ini_get and/or ini_set functions are disabled in php.ini. phpMyAdmin requires these functions!'
)
);
}
/**
* Checks request and fails with fatal error if something problematic is found
*/
private static function checkRequest(): void
{
if (isset($_REQUEST['GLOBALS']) || isset($_FILES['GLOBALS'])) {
Core::fatalError(__('GLOBALS overwrite attempt'));
}
/**
* protect against possible exploits - there is no need to have so much variables
*/
if (count($_REQUEST) <= 1000) {
return;
}
Core::fatalError(__('possible exploit'));
}
private static function connectToDatabaseServer(DatabaseInterface $dbi, AuthenticationPlugin $auth): void
{
global $cfg;
/**
* Try to connect MySQL with the control user profile (will be used to get the privileges list for the current
* user but the true user link must be open after this one so it would be default one for all the scripts).
*/
$controlLink = false;
if ($cfg['Server']['controluser'] !== '') {
$controlLink = $dbi->connect(DatabaseInterface::CONNECT_CONTROL);
}
// Connects to the server (validates user's login)
$userLink = $dbi->connect(DatabaseInterface::CONNECT_USER);
if ($userLink === false) {
$auth->showFailure('mysql-denied');
}
if ($controlLink) {
return;
}
/**
* Open separate connection for control queries, this is needed to avoid problems with table locking used in
* main connection and phpMyAdmin issuing queries to configuration storage, which is not locked by that time.
*/
$dbi->connect(DatabaseInterface::CONNECT_USER, null, DatabaseInterface::CONNECT_CONTROL);
}
}
|
