PageRenderTime 25ms CodeModel.GetById 0ms RepoModel.GetById 0ms app.codeStats 0ms

/sitemanager/phpmyadmin/libraries/grab_globals.lib.php

https://bitbucket.org/itoxable/chiron-gaming
PHP | 118 lines | 73 code | 13 blank | 32 comment | 15 complexity | 8b936beaf281f4718afdf5213c22e941 MD5 | raw file
Possible License(s): AGPL-1.0, GPL-2.0 
    

  1. <?php

    2. 

  2. /* vim: set expandtab sw=4 ts=4 sts=4: */

    3. 

  3. /**

    4. 

  4.  * This library grabs the names and values of the variables sent or posted to a

    5. 

  5.  * script in $_GET, $_POST and $_FILES superglobals and sets simple globals

    6. 

  6.  * variables from them. It does the same work for $HTTP_ACCEPT_LANGUAGE and

    7. 

  7.  * $HTTP_AUTHORIZATION.

    8. 

  8.  *

    9. 

  9.  * @package PhpMyAdmin

    10. 

  10.  */

    11. 

  11. if (! defined('PHPMYADMIN')) {

    12. 

  12.     exit;

    13. 

  13. }

    14. 

  14. 

    15. 

  15. /**

    16. 

  16.  * copy values from one array to another, usually from a superglobal into $GLOBALS

    17. 

  17.  *

    18. 

  18.  * @param array   $array      values from

    19. 

  19.  * @param array   &$target    values to

    20. 

  20.  * @param bool    $sanitize   prevent importing key names in $_import_blacklist

    21. 

  21.  * @return bool

    22. 

  22.  */

    23. 

  23. function PMA_recursive_extract($array, &$target, $sanitize = true)

    24. 

  24. {

    25. 

  25.     if (! is_array($array)) {

    26. 

  26.         return false;

    27. 

  27.     }

    28. 

  28. 

    29. 

  29.     if ($sanitize) {

    30. 

  30.         $valid_variables = preg_replace($GLOBALS['_import_blacklist'], '',

    31. 

  31.             array_keys($array));

    32. 

  32.         $valid_variables = array_unique($valid_variables);

    33. 

  33.     } else {

    34. 

  34.         $valid_variables = array_keys($array);

    35. 

  35.     }

    36. 

  36. 

    37. 

  37.     foreach ($valid_variables as $key) {

    38. 

  38. 

    39. 

  39.         if (strlen($key) === 0) {

    40. 

  40.             continue;

    41. 

  41.         }

    42. 

  42. 

    43. 

  43.         if (is_array($array[$key])) {

    44. 

  44.             // there could be a variable coming from a cookie of

    45. 

  45.             // another application, with the same name as this array

    46. 

  46.             unset($target[$key]);

    47. 

  47. 

    48. 

  48.             PMA_recursive_extract($array[$key], $target[$key], false);

    49. 

  49.         } else {

    50. 

  50.             $target[$key] = $array[$key];

    51. 

  51.         }

    52. 

  52.     }

    53. 

  53.     return true;

    54. 

  54. }

    55. 

  55. 

    56. 

  56. 

    57. 

  57. /**

    58. 

  58.  * @var array $_import_blacklist variable names that should NEVER be imported

    59. 

  59.  *                              from superglobals

    60. 

  60.  */

    61. 

  61. $_import_blacklist = array(

    62. 

  62.     '/^cfg$/i',         // PMA configuration

    63. 

  63.     '/^server$/i',      // selected server

    64. 

  64.     '/^db$/i',          // page to display

    65. 

  65.     '/^table$/i',       // page to display

    66. 

  66.     '/^goto$/i',        // page to display

    67. 

  67.     '/^back$/i',        // the page go back

    68. 

  68.     '/^lang$/i',        // selected language

    69. 

  69.     '/^collation_connection$/i', //

    70. 

  70.     '/^set_theme$/i',   //

    71. 

  71.     '/^sql_query$/i',   // the query to be executed

    72. 

  72.     '/^GLOBALS$/i',     // the global scope

    73. 

  73.     '/^str.*$/i',       // PMA localized strings

    74. 

  74.     '/^error_handler.*$/i',       // the error handler

    75. 

  75.     '/^_.*$/i',         // PMA does not use variables starting with _ from extern

    76. 

  76.     '/^.*\s+.*$/i',     // no whitespaces anywhere

    77. 

  77.     '/^[0-9]+.*$/i',    // numeric variable names

    78. 

  78.     //'/^PMA_.*$/i',      // other PMA variables

    79. 

  79. );

    80. 

  80. 

    81. 

  81. if (! empty($_GET)) {

    82. 

  82.     PMA_recursive_extract($_GET, $GLOBALS);

    83. 

  83. }

    84. 

  84. 

    85. 

  85. if (! empty($_POST)) {

    86. 

  86.     PMA_recursive_extract($_POST, $GLOBALS);

    87. 

  87. }

    88. 

  88. 

    89. 

  89. if (! empty($_FILES)) {

    90. 

  90.     $_valid_variables = preg_replace($GLOBALS['_import_blacklist'], '', array_keys($_FILES));

    91. 

  91.     foreach ($_valid_variables as $name) {

    92. 

  92.         if (strlen($name) != 0) {

    93. 

  93.             $$name = $_FILES[$name]['tmp_name'];

    94. 

  94.             ${$name . '_name'} = $_FILES[$name]['name'];

    95. 

  95.         }

    96. 

  96.     }

    97. 

  97.     unset($name, $value);

    98. 

  98. }

    99. 

  99. 

    100. 

  100. /**

    101. 

  101.  * globalize some environment variables

    102. 

  102.  */

    103. 

  103. $server_vars = array('HTTP_ACCEPT_LANGUAGE', 'HTTP_AUTHORIZATION');

    104. 

  104. foreach ($server_vars as $current) {

    105. 

  105.     // it's not important HOW we detect html tags

    106. 

  106.     // it's more important to prevent XSS

    107. 

  107.     // so it's not important if we result in an invalid string,

    108. 

  108.     // it's even better than a XSS capable string

    109. 

  109.     if (PMA_getenv($current) && false === strpos(PMA_getenv($current), '<')) {

    110. 

  110.         $$current = PMA_getenv($current);

    111. 

  111.     // already imported by register_globals?

    112. 

  112.     } elseif (! isset($$current) || false !== strpos($$current, '<')) {

    113. 

  113.         $$current = '';

    114. 

  114.     }

    115. 

  115. }

    116. 

  116. unset($server_vars, $current, $_import_blacklist);

    117. 

  117. 

    118. 

  118. ?>

    119. 

  119.