Merge branch 'login-fixes'

adminer/drivers/elastic.inc.php

@@ -8,64 +8,77 @@ if (isset($_GET["elastic"])) {
 		class Min_DB {
 			var $extension = "JSON", $server_info, $errno, $error, $_url, $_db;
 
-			/** Performs query
-			 * @param string
-			 * @param array
-			 * @param string
-			 * @return mixed
+			/**
+			 * @param string $path
+			 * @param array|null $content
+			 * @param string $method
+			 * @return array|false
 			 */
-			function rootQuery($path, $content = array(), $method = 'GET') {
+			function rootQuery($path, array $content = null, $method = 'GET') {
 				@ini_set('track_errors', 1); // @ - may be disabled
 				$file = @file_get_contents("$this->_url/" . ltrim($path, '/'), false, stream_context_create(array('http' => array(
 					'method' => $method,
-					'content' => $content === null ? $content : json_encode($content),
-					'header' => 'Content-Type: application/json',
-					'ignore_errors' => 1, // available since PHP 5.2.10
+					'content' => $content !== null ? json_encode($content) : null,
+					'header' => $content !== null ? 'Content-Type: application/json' : [],
+					'ignore_errors' => 1,
+					'follow_location' => 0,
+					'max_redirects' => 0,
 				))));
-				if (!$file) {
-					$this->error = $php_errormsg;
-					return $file;
-				}
-				if (!preg_match('~^HTTP/[0-9.]+ 2~i', $http_response_header[0])) {
-					$this->error = lang('Invalid credentials.') . " $http_response_header[0]";
+
+				if ($file === false) {
+					$this->error = lang('Invalid server or credentials.');
 					return false;
 				}
+
 				$return = json_decode($file, true);
 				if ($return === null) {
-					$this->errno = json_last_error();
-					if (function_exists('json_last_error_msg')) {
-						$this->error = json_last_error_msg();
-					} else {
-						$constants = get_defined_constants(true);
-						foreach ($constants['json'] as $name => $value) {
-							if ($value == $this->errno && preg_match('~^JSON_ERROR_~', $name)) {
-								$this->error = $name;
-								break;
-							}
-						}
-					}
+					$this->error = lang('Invalid server or credentials.');
+					return false;
 				}
+
+				if (!preg_match('~^HTTP/[0-9.]+ 2~i', $http_response_header[0])) {
+					if (isset($return['error']['root_cause'][0]['type'])) {
+						$this->error = $return['error']['root_cause'][0]['type'] . ": " . $return['error']['root_cause'][0]['reason'];
+					} else {
+						$this->error = lang('Invalid server or credentials.');
+					}
+					return false;
+				}
+
 				return $return;
 			}
 
 			/** Performs query relative to actual selected DB
-			 * @param string
-			 * @param array
-			 * @param string
-			 * @return mixed
+			 * @param string $path
+			 * @param array|null $content
+			 * @param string $method
+			 * @return array|false
 			 */
-			function query($path, $content = array(), $method = 'GET') {
+			function query($path, array $content = null, $method = 'GET') {
 				return $this->rootQuery(($this->_db != "" ? "$this->_db/" : "/") . ltrim($path, '/'), $content, $method);
 			}
 
+			/**
+			 * @param string $server
+			 * @param string $username
+			 * @param string $password
+			 * @return bool
+			 */
 			function connect($server, $username, $password) {
-				preg_match('~^(https?://)?(.*)~', $server, $match);
-				$this->_url = ($match[1] ? $match[1] : "http://") . "$username:$password@$match[2]";
+				$this->_url = build_http_url($server, $username, $password, "localhost", 9200);
+
 				$return = $this->query('');
-				if ($return) {
-					$this->server_info = $return['version']['number'];
+				if (!$return) {
+					return false;
 				}
-				return (bool) $return;
+
+				if (!isset($return['version']['number'])) {
+					$this->error = lang('Invalid server or credentials.');
+					return false;
+				}
+
+				$this->server_info = $return['version']['number'];
+				return true;
 			}
 
 			function select_db($database) {

adminer/include/auth.inc.php

@@ -15,6 +15,58 @@ if ($_COOKIE["adminer_permanent"]) {
 	}
 }
 
+function validate_server_input() {
+	if (SERVER == "") {
+		return;
+	}
+
+	$parts = parse_url(SERVER);
+	if (!$parts) {
+		auth_error(lang('Invalid server or credentials.'));
+	}
+
+	// Check proper URL parts.
+	if (isset($parts['user']) || isset($parts['pass']) || isset($parts['query']) || isset($parts['fragment'])) {
+		auth_error(lang('Invalid server or credentials.'));
+	}
+
+	// Allow only HTTP/S scheme.
+	if (isset($parts['scheme']) && !preg_match('~^(https?)$~i', $parts['scheme'])) {
+		auth_error(lang('Invalid server or credentials.'));
+	}
+
+	// Allow only host without a path. Note that "localhost" is parsed as path.
+	$host = (isset($parts['host']) ? $parts['host'] : '') . (isset($parts['path']) ? $parts['path'] : '');
+	if (strpos(rtrim($host, '/'), '/') !== false) {
+		auth_error(lang('Invalid server or credentials.'));
+	}
+
+	// Check privileged ports.
+	if (isset($parts['port']) && ($parts['port'] < 1024 || $parts['port'] > 65535)) {
+		auth_error(lang('Connecting to privileged ports is not allowed.'));
+	}
+}
+
+/**
+ * @param string $server
+ * @param string $username
+ * @param string $password
+ * @param string $defaultServer
+ * @param int|null $defaultPort
+ * @return string
+ */
+function build_http_url($server, $username, $password, $defaultServer, $defaultPort = null) {
+	if (!preg_match('~^(https?://)?([^:]*)(:\d+)?$~', rtrim($server, '/'), $matches)) {
+		$this->error = lang('Invalid server or credentials.');
+		return false;
+	}
+
+	return ($matches[1] ?: "http://") .
+		($username !== "" || $password !== "" ? "$username:$password@" : "") .
+		($matches[2] !== "" ? $matches[2] : $defaultServer) .
+		(isset($matches[3]) ? $matches[3] : ($defaultPort ? ":$defaultPort" : ""));
+}
+
 function add_invalid_login() {
 	global $adminer;
 	$fp = file_open_lock(get_temp_dir() . "/adminer.invalid");
@@ -52,7 +104,7 @@ $auth = $_POST["auth"];
 if ($auth) {
 	session_regenerate_id(); // defense against session fixation
 	$vendor = $auth["driver"];
-	$server = $auth["server"];
+	$server = trim($auth["server"]);
 	$username = $auth["username"];
 	$password = (string) $auth["password"];
 	$db = $auth["db"];
@@ -155,18 +207,16 @@ if (isset($_GET["username"]) && !class_exists("Min_DB")) {
 stop_session(true);
 
 if (isset($_GET["username"]) && is_string(get_password())) {
-	list($host, $port) = explode(":", SERVER, 2);
-	if (preg_match('~^\s*([-+]?\d+)~', $port, $match) && ($match[1] < 1024 || $match[1] > 65535)) { // is_numeric('80#') would still connect to port 80
-		auth_error(lang('Connecting to privileged ports is not allowed.'));
-	}
+	validate_server_input();
 	check_invalid_login();
+
 	$connection = connect();
 	$driver = new Min_Driver($connection);
 }
 
 $login = null;
 if (!is_object($connection) || ($login = $adminer->login($_GET["username"], get_password())) !== true) {
-	$error = (is_string($connection) ? h($connection) : (is_string($login) ? $login : lang('Invalid credentials.')));
+	$error = (is_string($connection) ? h($connection) : (is_string($login) ? $login : lang('Invalid server or credentials.')));
 	auth_error($error . (preg_match('~^ | $~', get_password()) ? '<br>' . lang('There is a space in the input password which might be the cause.') : ''));
 }
 

adminer/lang/ar.inc.php

@@ -2,7 +2,7 @@
 $translations = array(
 	'Login' => 'تسجيل الدخول',
 	'Logout successful.' => 'تم تسجيل الخروج بنجاح.',
-	'Invalid credentials.' => 'بيانات الدخول غير صالحة.',
+	'Invalid server or credentials.' => null,
 	'Server' => 'الخادم',
 	'Username' => 'اسم المستخدم',
 	'Password' => 'كلمة المرور',

adminer/lang/bg.inc.php

@@ -10,7 +10,7 @@ $translations = array(
 	'Logout' => 'Изход',
 	'Logged as: %s' => 'Текущ потребител: %s',
 	'Logout successful.' => 'Излизането е успешно.',
-	'Invalid credentials.' => 'Невалидни потребителски данни.',
+	'Invalid server or credentials.' => null,
 	'Too many unsuccessful logins, try again in %d minute(s).' => array('Прекалено много неуспешни опити за вход, опитайте пак след %d минута.', 'Прекалено много неуспешни опити за вход, опитайте пак след %d минути.'),
 	'Master password expired. <a href="https://www.adminer.org/en/extension/"%s>Implement</a> %s method to make it permanent.' => 'Главната парола вече е невалидна. <a href="https://www.adminer.org/en/extension/"%s>Изберете</a> %s метод, за да я направите постоянна.',
 	'Language' => 'Език',

adminer/lang/bn.inc.php

@@ -2,7 +2,7 @@
 $translations = array(
 	'Login' => 'লগইন',
 	'Logout successful.' => 'সফলভাবে লগআউট হয়েছে।',
-	'Invalid credentials.' => 'ভুল পাসওয়ার্ড।',
+	'Invalid server or credentials.' => null,
 	'Server' => 'সার্ভার',
 	'Username' => 'ইউজারের নাম',
 	'Password' => 'পাসওয়ার্ড',

adminer/lang/bs.inc.php

@@ -10,7 +10,7 @@ $translations = array(
 	'Logout' => 'Odjava',
 	'Logged as: %s' => 'Prijavi se kao: %s',
 	'Logout successful.' => 'Uspešna odjava.',
-	'Invalid credentials.' => 'Nevažeće dozvole.',
+	'Invalid server or credentials.' => null,
 	'Language' => 'Jezik',
 	'Invalid CSRF token. Send the form again.' => 'Nevažeći CSRF kod. Proslijedite ponovo formu.',
 	'No extension' => 'Bez dodataka',

adminer/lang/ca.inc.php

@@ -2,7 +2,7 @@
 $translations = array(
 	'Login' => 'Inicia la sessió',
 	'Logout successful.' => 'Desconnexió correcta.',
-	'Invalid credentials.' => 'Credencials invàlides.',
+	'Invalid server or credentials.' => null,
 	'Server' => 'Servidor',
 	'Username' => 'Nom d\'usuari',
 	'Password' => 'Contrasenya',

adminer/lang/cs.inc.php

@@ -11,7 +11,7 @@ $translations = array(
 	'Logged as: %s' => 'Přihlášen jako: %s',
 	'Logout successful.' => 'Odhlášení proběhlo v pořádku.',
 	'Thanks for using Adminer, consider <a href="https://www.adminer.org/en/donation/">donating</a>.' => 'Díky za použití Admineru, <a href="https://www.adminer.org/cs/donation/">přispějte</a> na vývoj.',
-	'Invalid credentials.' => 'Neplatné přihlašovací údaje.',
+	'Invalid server or credentials.' => 'Neplatný server nebo přihlašovací údaje.',
 	'There is a space in the input password which might be the cause.' => 'Problém může být, že je v zadaném hesle mezera.',
 	'Adminer does not support accessing a database without a password, <a href="https://www.adminer.org/en/password/"%s>more information</a>.' => 'Adminer nepodporuje přístup k databázi bez hesla, <a href="https://www.adminer.org/cs/password/"%s>více informací</a>.',
 	'Database does not support password.' => 'Databáze nepodporuje heslo.',

adminer/lang/da.inc.php

@@ -9,7 +9,7 @@ $translations = array(
 	'Logout' => 'Log ud',
 	'Logged as: %s' => 'Logget ind som: %s',
 	'Logout successful.' => 'Log af vellykket.',
-	'Invalid credentials.' => 'Ugyldige log ind oplysninger.',
+	'Invalid server or credentials.' => null,
 	'Master password expired. <a href="https://www.adminer.org/en/extension/"%s>Implement</a> %s method to make it permanent.' => 'Master-kodeordet er udløbet. <a href="https://www.adminer.org/en/extension/"%s>Implementer</a> en metode for %s for at gøre det permanent.',
 	'Language' => 'Sprog',
 	'Invalid CSRF token. Send the form again.' => 'Ugyldigt CSRF-token - Genindsend formen.',

adminer/lang/de.inc.php

@@ -3,7 +3,7 @@ $translations = array(
 	'Login' => 'Login',
 	'Logout successful.' => 'Abmeldung erfolgreich.',
 	'Thanks for using Adminer, consider <a href="https://www.adminer.org/en/donation/">donating</a>.' => 'Danke, dass Sie Adminer genutzt haben. <a href="https://www.adminer.org/de/donation/">Spenden willkommen!</a>',
-	'Invalid credentials.' => 'Ungültige Anmelde-Informationen.',
+	'Invalid server or credentials.' => 'Ungültige Server oder Anmelde-Informationen.',
 	'Server' => 'Server',
 	'Username' => 'Benutzer',
 	'Password' => 'Passwort',

adminer/lang/el.inc.php

@@ -10,7 +10,7 @@ $translations = array(
 	'Logout' => 'Αποσύνδεση',
 	'Logged as: %s' => 'Συνδεθήκατε ως %s',
 	'Logout successful.' => 'Αποσυνδεθήκατε με επιτυχία.',
-	'Invalid credentials.' => 'Εσφαλμένα Διαπιστευτήρια.',
+	'Invalid server or credentials.' => null,
 	'Too many unsuccessful logins, try again in %d minute(s).' => array('Επανειλημμένες ανεπιτυχείς προσπάθειες σύνδεσης, δοκιμάστε ξανά σε %s λεπτό.', 'Επανειλημμένες ανεπιτυχείς προσπάθειες σύνδεσης, δοκιμάστε ξανά σε %s λεπτά.'),
 	'Master password expired. <a href="https://www.adminer.org/en/extension/"%s>Implement</a> %s method to make it permanent.' => 'Έληξε ο Κύριος Κωδικός. <a href="https://www.adminer.org/en/extension/"%s>Ενεργοποιήστε</a> τη μέθοδο %s για να τον κάνετε μόνιμο.',
 	'Language' => 'Γλώσσα',

adminer/lang/es.inc.php

@@ -2,7 +2,7 @@
 $translations = array(
 	'Login' => 'Login',
 	'Logout successful.' => 'Sesión finalizada con éxito.',
-	'Invalid credentials.' => 'Usuario y/o clave de acceso incorrecta.',
+	'Invalid server or credentials.' => null,
 	'Server' => 'Servidor',
 	'Username' => 'Usuario',
 	'Password' => 'Contraseña',

adminer/lang/et.inc.php

@@ -2,7 +2,7 @@
 $translations = array(
 	'Login' => 'Logi sisse',
 	'Logout successful.' => 'Väljalogimine õnnestus.',
-	'Invalid credentials.' => 'Ebakorrektsed andmed.',
+	'Invalid server or credentials.' => null,
 	'Server' => 'Server',
 	'Username' => 'Kasutajanimi',
 	'Password' => 'Parool',

adminer/lang/fa.inc.php

@@ -10,7 +10,7 @@ $translations = array(
 	'Logout' => 'خروج',
 	'Logged as: %s' => 'ورود به عنوان: %s',
 	'Logout successful.' => 'با موفقیت خارج شدید.',
-	'Invalid credentials.' => 'اعتبار سنجی نامعتبر.',
+	'Invalid server or credentials.' => null,
 	'Too many unsuccessful logins, try again in %d minute(s).' => array('ورودهای ناموفق بیش از حد، %d دقیقه دیگر تلاش نمایید.', 'ورودهای ناموفق بیش از حد، %d دقیقه دیگر تلاش نمایید.'),
 	'Master password expired. <a href="https://www.adminer.org/en/extension/"%s>Implement</a> %s method to make it permanent.' => 'رمز اصلی باطل شده است. روش %s را <a href="https://www.adminer.org/en/extension/"%s>پیاده سازی</a> کرده تا آن را دائمی سازید.',
 	'Language' => 'زبان',

adminer/lang/fi.inc.php

@@ -10,7 +10,7 @@ $translations = array(
 	'Logout' => 'Kirjaudu ulos',
 	'Logged as: %s' => 'Olet kirjautunut käyttäjänä: %s',
 	'Logout successful.' => 'Uloskirjautuminen onnistui.',
-	'Invalid credentials.' => 'Virheelliset kirjautumistiedot.',
+	'Invalid server or credentials.' => null,
 	'Too many unsuccessful logins, try again in %d minute(s).' => array('Liian monta epäonnistunutta sisäänkirjautumisyritystä, kokeile uudestaan %d minuutin kuluttua.', 'Liian monta epäonnistunutta sisäänkirjautumisyritystä, kokeile uudestaan %d minuutin kuluttua.'),
 	'Master password expired. <a href="https://www.adminer.org/en/extension/"%s>Implement</a> %s method to make it permanent.' => 'Master-salasana ei ole enää voimassa. <a href="https://www.adminer.org/en/extension/"%s>Toteuta</a> %s-metodi sen tekemiseksi pysyväksi.',
 	'Language' => 'Kieli',

adminer/lang/fr.inc.php

@@ -2,7 +2,7 @@
 $translations = array(
 	'Login' => 'Authentification',
 	'Logout successful.' => 'Au revoir !',
-	'Invalid credentials.' => 'Authentification échouée.',
+	'Invalid server or credentials.' => null,
 	'Server' => 'Serveur',
 	'Username' => 'Utilisateur',
 	'Password' => 'Mot de passe',

adminer/lang/gl.inc.php

@@ -2,7 +2,7 @@
 $translations = array(
 	'Login' => 'Conectar',
 	'Logout successful.' => 'Pechouse a sesión con éxito.',
-	'Invalid credentials.' => 'Credenciais (usuario e/ou contrasinal) inválidos.',
+	'Invalid server or credentials.' => null,
 	'Server' => 'Servidor',
 	'Username' => 'Usuario',
 	'Password' => 'Contrasinal',

adminer/lang/he.inc.php

@@ -2,7 +2,7 @@
 $translations = array(
 	'Login' => 'התחברות',
 	'Logout successful.' => 'ההתחברות הצליחה',
-	'Invalid credentials.' => 'פרטי התחברות שגויים',
+	'Invalid server or credentials.' => null,
 	'Server' => 'שרת',
 	'Username' => 'שם משתמש',
 	'Password' => 'סיסמה',

adminer/lang/hu.inc.php

@@ -2,7 +2,7 @@
 $translations = array(
 	'Login' => 'Belépés',
 	'Logout successful.' => 'Sikeres kilépés.',
-	'Invalid credentials.' => 'Érvénytelen adatok.',
+	'Invalid server or credentials.' => null,
 	'Server' => 'Szerver',
 	'Username' => 'Felhasználó',
 	'Password' => 'Jelszó',

adminer/lang/id.inc.php

@@ -10,7 +10,7 @@ $translations = array(
 	'Logout' => 'Keluar',
 	'Logged as: %s' => 'Masuk sebagai: %s',
 	'Logout successful.' => 'Berhasil keluar.',
-	'Invalid credentials.' => 'Akses tidak sah.',
+	'Invalid server or credentials.' => null,
 	'Language' => 'Bahasa',
 	'Invalid CSRF token. Send the form again.' => 'Token CSRF tidak sah. Kirim ulang formulir.',
 	'No extension' => 'Ekstensi tidak ada',

adminer/lang/it.inc.php

@@ -2,7 +2,7 @@
 $translations = array(
 	'Login' => 'Autenticazione',
 	'Logout successful.' => 'Uscita effettuata con successo.',
-	'Invalid credentials.' => 'Credenziali non valide.',
+	'Invalid server or credentials.' => 'Server o credenziali non valide.',
 	'Server' => 'Server',
 	'Username' => 'Utente',
 	'Password' => 'Password',

adminer/lang/ja.inc.php

@@ -2,7 +2,7 @@
 $translations = array(
 	'Login' => 'ログイン',
 	'Logout successful.' => 'ログアウト',
-	'Invalid credentials.' => '不正なログイン',
+	'Invalid server or credentials.' => null,
 	'Server' => 'サーバ',
 	'Username' => 'ユーザ名',
 	'Password' => 'パスワード',

adminer/lang/ka.inc.php

@@ -2,7 +2,7 @@
 $translations = array(
 	'Login' => 'შესვლა',
 	'Logout successful.' => 'გამოხვედით სისტემიდან.',
-	'Invalid credentials.' => 'არასწორი მომხმარებელი ან პაროლი.',
+	'Invalid server or credentials.' => null,
 	'Server' => 'სერვერი',
 	'Username' => 'მომხმარებელი',
 	'Password' => 'პაროლი',

adminer/lang/ko.inc.php

@@ -121,7 +121,7 @@ $translations = array(
 	'Indexes have been altered.' => '색인을 변경했습니다.',
 	'Indexes' => '색인',
 	'Insert' => '삽입',
-	'Invalid credentials.' => '잘못된 로그인',
+	'Invalid server or credentials.' => null,
 	'Invalid CSRF token. Send the form again.' => '잘못된 CSRF 토큰입니다. 다시 보내주십시오.',
 	'Invalid database.' => '잘못된 데이터베이스입니다.',
 	'Invalid schema.' => '잘못된 스키마입니다.',

adminer/lang/lt.inc.php

@@ -10,7 +10,7 @@ $translations = array(
 	'Logout' => 'Atsijungti',
 	'Logged as: %s' => 'Prisijungęs kaip: %s',
 	'Logout successful.' => 'Jūs atsijungėte nuo sistemos.',
-	'Invalid credentials.' => 'Neteisingi prisijungimo duomenys.',
+	'Invalid server or credentials.' => null,
 	'Language' => 'Kalba',
 	'Invalid CSRF token. Send the form again.' => 'Neteisingas CSRF tokenas. Bandykite siųsti formos duomenis dar kartą.',
 	'No extension' => 'Nėra plėtiio',

adminer/lang/lv.inc.php

@@ -2,7 +2,7 @@
 $translations = array(
 	'Login' => 'Ieiet',
 	'Logout successful.' => 'Jūs veiksmīgi izgājāt no sistēmas.',
-	'Invalid credentials.' => 'Nepareizs lietotāja vārds vai parole.',
+	'Invalid server or credentials.' => null,
 	'Server' => 'Serveris',
 	'Username' => 'Lietotājs',
 	'Password' => 'Parole',

adminer/lang/ms.inc.php

@@ -11,7 +11,7 @@ $translations = array(
 	'Logged as: %s' => 'Log masuk sebagai: %s',
 	'Logout successful.' => 'Log keluar berjaya.',
 	'Thanks for using Adminer, consider <a href="https://www.adminer.org/en/donation/">donating</a>.' => 'Terima kasih kerana menggunakan Adminer, pertimbangkan untuk <a href="https://www.adminer.org/en/donation/">menderma</a>.',
-	'Invalid credentials.' => 'Akses tidak sah.',
+	'Invalid server or credentials.' => null,
 	'Too many unsuccessful logins, try again in %d minute(s).' => 'Terlalu banyak percubaan log masuk yang gagal, sila cuba lagi dalam masa %d minit.',
 	'Master password expired. <a href="https://www.adminer.org/en/extension/"%s>Implement</a> %s method to make it permanent.' => 'Kata laluan utama telah luput. <a href="https://www.adminer.org/en/extension/"%s>Gunakan</a> cara %s untuk mengekalkannya.',
 	'Language' => 'Bahasa',

adminer/lang/nl.inc.php

@@ -2,7 +2,7 @@
 $translations = array(
 	'Login' => 'Aanmelden',
 	'Logout successful.' => 'Successvol afgemeld.',
-	'Invalid credentials.' => 'Ongeldige gebruikersgegevens.',
+	'Invalid server or credentials.' => null,
 	'Server' => 'Server',
 	'Username' => 'Gebruikersnaam',
 	'Password' => 'Wachtwoord',

adminer/lang/no.inc.php

@@ -9,7 +9,7 @@ $translations = array(
 	'Logout' => 'Logg ut',
 	'Logged as: %s' => 'Logget inn som: %s',
 	'Logout successful.' => 'Utlogging vellykket.',
-	'Invalid credentials.' => 'Ugylding innloggingsinformasjon.',
+	'Invalid server or credentials.' => null,
 	'Master password expired. <a href="https://www.adminer.org/en/extension/"%s>Implement</a> %s method to make it permanent.' => 'Master-passord er utløpt. <a href="https://www.adminer.org/en/extension/"%s>Implementer</a> en metode for %s for å gjøre det permanent.',
 	'Language' => 'Språk',
 	'Invalid CSRF token. Send the form again.' => 'Ugylding CSRF-token - Send inn skjemaet igjen.',

adminer/lang/pl.inc.php

@@ -11,7 +11,7 @@ $translations = array(
 	'Logged as: %s' => 'Zalogowany jako: %s',
 	'Logout successful.' => 'Wylogowano pomyślnie.',
 	'Thanks for using Adminer, consider <a href="https://www.adminer.org/en/donation/">donating</a>.' => 'Dziękujemy za używanie Adminera, rozważ proszę <a href="https://www.adminer.org/pl/donation/">dotację</a>.',
-	'Invalid credentials.' => 'Nieprawidłowe dane logowania.',
+	'Invalid server or credentials.' => 'Nieprawidłowy serwer lub dane logowania.',
 	'Too many unsuccessful logins, try again in %d minute(s).' => array('Za dużo nieudanych prób logowania, spróbuj ponownie za %d minutę.', 'Za dużo nieudanych prób logowania, spróbuj ponownie za %d minuty.', 'Za dużo nieudanych prób logowania, spróbuj ponownie za %d minut.'),
 	'Master password expired. <a href="https://www.adminer.org/en/extension/"%s>Implement</a> %s method to make it permanent.' => 'Ważność hasła głównego wygasła. <a href="https://www.adminer.org/pl/extension/"%s>Zaimplementuj</a> własną metodę %s, aby ustawić je na stałe.',
 	'Language' => 'Język',

adminer/lang/pt-br.inc.php

@@ -2,7 +2,7 @@
 $translations = array(
 	'Login' => 'Entrar',
 	'Logout successful.' => 'Saída bem sucedida.',
-	'Invalid credentials.' => 'Identificação inválida.',
+	'Invalid server or credentials.' => null,
 	'Server' => 'Servidor',
 	'Username' => 'Usuário',
 	'Password' => 'Senha',

adminer/lang/pt.inc.php

@@ -2,7 +2,7 @@
 $translations = array(
 	'Login' => 'Entrar',
 	'Logout successful.' => 'Sessão terminada com sucesso.',
-	'Invalid credentials.' => 'Identificação inválida.',
+	'Invalid server or credentials.' => null,
 	'Server' => 'Servidor',
 	'Username' => 'Nome de utilizador',
 	'Password' => 'Senha',

adminer/lang/ro.inc.php

@@ -2,7 +2,7 @@
 $translations = array(
 	'Login' => 'Intră',
 	'Logout successful.' => 'Ați ieșit cu succes.',
-	'Invalid credentials.' => 'Numele de utilizator sau parola este greșită.',
+	'Invalid server or credentials.' => null,
 	'Server' => 'Server',
 	'Username' => 'Nume de utilizator',
 	'Password' => 'Parola',

adminer/lang/ru.inc.php

@@ -2,7 +2,7 @@
 $translations = array(
 	'Login' => 'Войти',
 	'Logout successful.' => 'Вы успешно покинули систему.',
-	'Invalid credentials.' => 'Неправильное имя пользователя или пароль.',
+	'Invalid server or credentials.' => null,
 	'Server' => 'Сервер',
 	'Username' => 'Имя пользователя',
 	'Password' => 'Пароль',

adminer/lang/sk.inc.php

@@ -2,7 +2,7 @@
 $translations = array(
 	'Login' => 'Prihlásiť sa',
 	'Logout successful.' => 'Odhlásenie prebehlo v poriadku.',
-	'Invalid credentials.' => 'Neplatné prihlasovacie údaje.',
+	'Invalid server or credentials.' => 'Neplatný server alebo prihlasovacie údaje.',
 	'Server' => 'Server',
 	'Username' => 'Používateľ',
 	'Password' => 'Heslo',

adminer/lang/sl.inc.php

@@ -10,7 +10,7 @@ $translations = array(
 	'Logout' => 'Odjavi se',
 	'Logged as: %s' => 'Prijavljen kot: %s',
 	'Logout successful.' => 'Prijava uspešna.',
-	'Invalid credentials.' => 'Neveljavne pravice.',
+	'Invalid server or credentials.' => 'Neveljaven strežnik ali pravice.',
 	'Language' => 'Jezik',
 	'Invalid CSRF token. Send the form again.' => 'Neveljaven token CSRF. Pošljite formular še enkrat.',
 	'No extension' => 'Brez dodatkov',

adminer/lang/sr.inc.php

@@ -10,7 +10,7 @@ $translations = array(
 	'Logout' => 'Одјава',
 	'Logged as: %s' => 'Пријави се као: %s',
 	'Logout successful.' => 'Успешна одјава.',
-	'Invalid credentials.' => 'Неважеће дозволе.',
+	'Invalid server or credentials.' => null,
 	'Language' => 'Језик',
 	'Invalid CSRF token. Send the form again.' => 'Неважећи CSRF код. Проследите поново форму.',
 	'No extension' => 'Без додатака',

adminer/lang/sv.inc.php

@@ -11,7 +11,7 @@ $translations = array(
 	'Logged as: %s' => 'Inloggad som: %s',
 	'Logout successful.' => 'Du är nu utloggad.',
 	'Thanks for using Adminer, consider <a href="https://www.adminer.org/en/donation/">donating</a>.' => 'Tack för att du använder Adminer, vänligen fundera över att <a href="https://www.adminer.org/en/donation/">donera</a>.',
-	'Invalid credentials.' => 'Ogiltiga inloggningsuppgifter.',
+	'Invalid server or credentials.' => null,
 	'There is a space in the input password which might be the cause.' => 'Det finns ett mellanslag i lösenordet, vilket kan vara anledningen.',
 	'Adminer does not support accessing a database without a password, <a href="https://www.adminer.org/en/password/"%s>more information</a>.' => 'Adminer tillåter inte att ansluta till en databas utan lösenord. <a href="https://www.adminer.org/en/password/"%s>Mer information</a>.',
 	'Database does not support password.' => 'Databasen stödjer inte lösenord.',

adminer/lang/ta.inc.php

@@ -2,7 +2,7 @@
 $translations = array(
 	'Login' => 'நுழை',
 	'Logout successful.' => 'வெற்றிக‌ர‌மாய் வெளியேறியாயிற்று.',
-	'Invalid credentials.' => 'ச‌ரியான‌ விப‌ர‌ங்க‌ள் இல்லை.',
+	'Invalid server or credentials.' => null,
 	'Server' => 'வ‌ழ‌ங்கி (Server)',
 	'Username' => 'ப‌ய‌னாள‌ர் (User)',
 	'Password' => 'க‌ட‌வுச்சொல்',

adminer/lang/th.inc.php

@@ -2,7 +2,7 @@
 $translations = array(
 	'Login' => 'เข้าสู่ระบบ',
 	'Logout successful.' => 'ออกจากระบบเรียบร้อยแล้ว.',
-	'Invalid credentials.' => 'ข้อมูลไม่ถูกต้อง.',
+	'Invalid server or credentials.' => null,
 	'Server' => 'เซอเวอร์',
 	'Username' => 'ชื่อผู้ใช้งาน',
 	'Password' => 'รหัสผ่าน',

adminer/lang/tr.inc.php

@@ -11,7 +11,7 @@ $translations = array(
 	'Logged as: %s' => '%s olarak giriş yapıldı.',
 	'Logout successful.' => 'Oturum başarıyla sonlandı.',
 	'Thanks for using Adminer, consider <a href="https://www.adminer.org/en/donation/">donating</a>.' => 'Adminer kullandığınız için teşekkür ederiz <a href="https://www.adminer.org/en/donation/">bağış yapmayı düşünün</a>.',
-	'Invalid credentials.' => 'Geçersiz kimlik bilgileri.',
+	'Invalid server or credentials.' => null,
 	'Too many unsuccessful logins, try again in %d minute(s).' => array('Çok fazla oturum açma denemesi yapıldı.', '%d Dakika sonra tekrar deneyiniz.'),
 	'Master password expired. <a href="https://www.adminer.org/en/extension/"%s>Implement</a> %s method to make it permanent.' => 'Ana şifrenin süresi doldu. Kalıcı olması için <a href="https://www.adminer.org/en/extension/"%s>%s medodunu</a> kullanın.',
 	'Language' => 'Dil',

adminer/lang/uk.inc.php

@@ -10,7 +10,7 @@ $translations = array(
 	'Logout' => 'Вийти',
 	'Logged as: %s' => 'Ви увійшли як: %s',
 	'Logout successful.' => 'Ви вдало вийшли з системи.',
-	'Invalid credentials.' => 'Неправильні дані входу.',
+	'Invalid server or credentials.' => null,
 	'Language' => 'Мова',
 	'Invalid CSRF token. Send the form again.' => 'Недійсний CSRF токен. Надішліть форму ще раз.',
 	'No extension' => 'Нема розширень',

adminer/lang/vi.inc.php

@@ -10,7 +10,7 @@ $translations = array(
 	'Logout' => 'Thoát',
 	'Logged as: %s' => 'Vào dưới tên: %s',
 	'Logout successful.' => 'Đã thoát xong.',
-	'Invalid credentials.' => 'Tài khoản sai.',
+	'Invalid server or credentials.' => null,
 	'Too many unsuccessful logins, try again in %d minute(s).' => 'Bạn gõ sai tài khoản quá nhiều lần, hãy thử lại sau %d phút nữa.',
 	'Master password expired. <a href="https://www.adminer.org/en/extension/"%s>Implement</a> %s method to make it permanent.' => 'Mật khẩu đã hết hạn. <a href="https://www.adminer.org/en/extension/"%s>Thử cách làm</a> để giữ cố định.',
 	'Language' => 'Ngôn ngữ',

adminer/lang/xx.inc.php

@@ -11,7 +11,7 @@ $translations = array(
 	'Logged as: %s' => 'Xx: %s',
 	'Logout successful.' => 'Xx.',
 	'Thanks for using Adminer, consider <a href="https://www.adminer.org/en/donation/">donating</a>.' => 'Xx <a href="https://www.adminer.org/en/donation/">xx</a>.',
-	'Invalid credentials.' => 'Xx.',
+	'Invalid server or credentials.' => 'Xx.',
 	'There is a space in the input password which might be the cause.' => 'Xx.',
 	'Adminer does not support accessing a database without a password, <a href="https://www.adminer.org/en/password/"%s>more information</a>.' => 'Xx, <a href="https://www.adminer.org/en/password/"%s>xx</a>.',
 	'Database does not support password.' => 'Xx.',

adminer/lang/zh-tw.inc.php

@@ -11,7 +11,7 @@ $translations = array(
 	'Logged as: %s' => '登錄為： %s',
 	'Logout successful.' => '成功登出。',
 	'Thanks for using Adminer, consider <a href="https://www.adminer.org/en/donation/">donating</a>.' => '感謝使用Adminer，請考慮為我們<a href="https://www.adminer.org/en/donation/">捐款（英文網頁）</a>.',
-	'Invalid credentials.' => '無效的憑證。',
+	'Invalid server or credentials.' => null,
 	'There is a space in the input password which might be the cause.' => '您輸入的密碼中有一個空格，這可能是導致問題的原因。',
 	'Adminer does not support accessing a database without a password, <a href="https://www.adminer.org/en/password/"%s>more information</a>.' => 'Adminer預設不支援訪問沒有密碼的資料庫，<a href="https://www.adminer.org/en/password/"%s>詳情見這裡</a>.',
 	'Database does not support password.' => '資料庫不支援密碼。',

adminer/lang/zh.inc.php

@@ -11,7 +11,7 @@ $translations = array(
 	'Logged as: %s' => '登录用户：%s',
 	'Logout successful.' => '成功登出。',
 	'Thanks for using Adminer, consider <a href="https://www.adminer.org/en/donation/">donating</a>.' => '感谢使用Adminer，请考虑为我们<a href="https://www.adminer.org/en/donation/">捐款（英文页面）</a>.',
-	'Invalid credentials.' => '无效凭据。',
+	'Invalid server or credentials.' => null,
 	'There is a space in the input password which might be the cause.' => '您输入的密码中有一个空格，这可能是导致问题的原因。',
 	'Adminer does not support accessing a database without a password, <a href="https://www.adminer.org/en/password/"%s>more information</a>.' => 'Adminer默认不支持访问没有密码的数据库，<a href="https://www.adminer.org/en/password/"%s>详情见这里</a>.',
 	'Database does not support password.' => '数据库不支持密码。',

changes.txt

@@ -1,3 +1,7 @@
+Adminer 4.9.0-dev:
+- Validate server input in login form.
+- Validate connection to server in HTTP based drivers.
+
 Adminer 4.8.2 (released 2024-03-16):
 Support multi-line table comments
 MySQL: Use ST_SRID() instead of SRID() for MySQL 8 (PR #418)

plugins/drivers/clickhouse.php

@@ -8,56 +8,78 @@ if (isset($_GET["clickhouse"])) {
 		var $extension = "JSON", $server_info, $errno, $_result, $error, $_url;
 		var $_db = 'default';
 
+		/**
+		 * @param string $db
+		 * @param string $query
+		 * @return Min_Result|bool
+		 */
 		function rootQuery($db, $query) {
 			@ini_set('track_errors', 1); // @ - may be disabled
 			$file = @file_get_contents("$this->_url/?database=$db", false, stream_context_create(array('http' => array(
 				'method' => 'POST',
 				'content' => $this->isQuerySelectLike($query) ? "$query FORMAT JSONCompact" : $query,
 				'header' => 'Content-type: application/x-www-form-urlencoded',
-				'ignore_errors' => 1, // available since PHP 5.2.10
+				'ignore_errors' => 1,
+				'follow_location' => 0,
+				'max_redirects' => 0,
 			))));
 
 			if ($file === false) {
-				$this->error = $php_errormsg;
-				return $file;
-			}
-			if (!preg_match('~^HTTP/[0-9.]+ 2~i', $http_response_header[0])) {
-				$this->error = lang('Invalid credentials.') . " $http_response_header[0]";
+				$this->error = lang('Invalid server or credentials.');
 				return false;
 			}
-			$return = json_decode($file, true);
-			if ($return === null) {
-				if (!$this->isQuerySelectLike($query) && $file === '') {
-					return true;
-				}
 
-				$this->errno = json_last_error();
-				if (function_exists('json_last_error_msg')) {
-					$this->error = json_last_error_msg();
-				} else {
-					$constants = get_defined_constants(true);
-					foreach ($constants['json'] as $name => $value) {
-						if ($value == $this->errno && preg_match('~^JSON_ERROR_~', $name)) {
-							$this->error = $name;
-							break;
-						}
+			if (!preg_match('~^HTTP/[0-9.]+ 2~i', $http_response_header[0])) {
+				foreach ($http_response_header as $header) {
+					if (preg_match('~^X-ClickHouse-Exception-Code:~i', $header)) {
+						$this->error = preg_replace('~\(version [^(]+\(.+$~', '', $file);
+						return false;
 					}
 				}
+
+				$this->error = lang('Invalid server or credentials.');
+				return false;
 			}
-			return new Min_Result($return);
+
+			if (!$this->isQuerySelectLike($query) && $file === '') {
+				return true;
+			}
+
+			$return = json_decode($file, true);
+			if ($return === null) {
+				$this->error = lang('Invalid server or credentials.');
+				return false;
+			}
+
+			if (!isset($return['rows']) || !isset($return['data']) || !isset($return['meta'])) {
+				$this->error = lang('Invalid server or credentials.');
+				return false;
+			}
+
+			return new Min_Result($return['rows'], $return['data'], $return['meta']);
 		}
 
 		function isQuerySelectLike($query) {
 			return (bool) preg_match('~^(select|show)~i', $query);
 		}
 
+		/**
+		 * @param string $query
+		 * @return bool|Min_Result
+		 */
 		function query($query) {
 			return $this->rootQuery($this->_db, $query);
 		}
 
+		/**
+		 * @param string $server
+		 * @param string $username
+		 * @param string $password
+		 * @return bool
+		 */
 		function connect($server, $username, $password) {
-			preg_match('~^(https?://)?(.*)~', $server, $match);
-			$this->_url = ($match[1] ? $match[1] : "http://") . "$username:$password@$match[2]";
+			$this->_url = build_http_url($server, $username, $password, "localhost", 8123);
+
 			$return = $this->query('SELECT 1');
 			return (bool) $return;
 		}
@@ -92,11 +114,17 @@ if (isset($_GET["clickhouse"])) {
 	class Min_Result {
 		var $num_rows, $_rows, $columns, $meta, $_offset = 0;
 
-		function __construct($result) {
-			$this->num_rows = $result['rows'];
-			$this->_rows = $result['data'];
-			$this->meta = $result['meta'];
-			$this->columns = array_column($this->meta, 'name');
+		/**
+		 * @param int $rows
+		 * @param array[] $data
+		 * @param array[] $meta
+		 */
+		function __construct($rows, array $data, array $meta) {
+			$this->num_rows = $rows;
+			$this->_rows = $data;
+			$this->meta = $meta;
+			$this->columns = array_column($meta, 'name');
+
 			reset($this->_rows);
 		}
 

plugins/drivers/simpledb.php

@@ -6,13 +6,49 @@ if (isset($_GET["simpledb"])) {
 
 	if (class_exists('SimpleXMLElement') && ini_bool('allow_url_fopen')) {
 		class Min_DB {
-			var $extension = "SimpleXML", $server_info = '2009-04-15', $error, $timeout, $next, $affected_rows, $_result;
+			var $extension = "SimpleXML", $server_info = '2009-04-15', $error, $timeout, $next, $affected_rows, $_url, $_result;
+
+			/**
+			 * @param string $server
+			 * @param string $password
+			 * @return bool
+			 */
+			function connect($server, $password) {
+				if ($server == '' || $password == '') {
+					$this->error = lang('Invalid server or credentials.');
+					return false;
+				}
+
+				$parts = parse_url($server);
+
+				if (!$parts || !isset($parts['host']) || !preg_match('~^sdb\.([a-z0-9-]+\.)?amazonaws\.com$~i', $parts['host']) ||
+					isset($parts['port'])
+				) {
+					$this->error = lang('Invalid server or credentials.');
+					return false;
+				}
+
+				$this->_url = build_http_url($server, '', '', '');
+
+				return (bool) $this->workaroundLoginRequest('ListDomains', ['MaxNumberOfDomains' => 1]);
+			}
+
+			// FIXME: This is so wrong :-( Move sdb_request to Min_DB!
+			private function workaroundLoginRequest($action, $params = array()) {
+				global $connection;
+
+				$connection = $this;
+				$result = sdb_request($action, $params);
+				$connection = null;
+
+				return $result;
+			}
 
 			function select_db($database) {
 				return ($database == "domain");
 			}
 
-			function query($query, $unbuffered = false) {
+			function query($query) {
 				$params = array('SelectExpression' => $query, 'ConsistentRead' => 'true');
 				if ($this->next) {
 					$params['NextToken'] = $this->next;
@@ -248,11 +284,15 @@ if (isset($_GET["simpledb"])) {
 
 	function connect() {
 		global $adminer;
-		list(, , $password) = $adminer->credentials();
-		if ($password != "") {
-			return lang('Database does not support password.');
+
+		$connection = new Min_DB;
+
+		list($server, , $password) = $adminer->credentials();
+		if ($connection->connect($server, $password)) {
+			return $connection;
 		}
-		return new Min_DB;
+
+		return $connection->error;
 	}
 
 	function support($feature) {
@@ -422,13 +462,16 @@ if (isset($_GET["simpledb"])) {
 		$query = str_replace('%7E', '~', substr($query, 1));
 		$query .= "&Signature=" . urlencode(base64_encode(hmac('sha1', "POST\n" . preg_replace('~^https?://~', '', $host) . "\n/\n$query", $secret, true)));
 		@ini_set('track_errors', 1); // @ - may be disabled
-		$file = @file_get_contents((preg_match('~^https?://~', $host) ? $host : "http://$host"), false, stream_context_create(array('http' => array(
+
+		$file = @file_get_contents($connection->_url, false, stream_context_create(array('http' => array(
 			'method' => 'POST', // may not fit in URL with GET
 			'content' => $query,
-			'ignore_errors' => 1, // available since PHP 5.2.10
+			'ignore_errors' => 1,
+			'follow_location' => 0,
+			'max_redirects' => 0,
 		))));
 		if (!$file) {
-			$connection->error = $php_errormsg;
+			$connection->error = error_get_last()['message'];
 			return false;
 		}
 		libxml_use_internal_errors(true);