Fix server URL validation for Oracle connections

Every driver can validate URL host and path by its own rules. Path is forbidden by default, HTTP-based drivers allow only '/' as path and Oracle driver validates path according to the EasyConnect URL format.
2025-09-03 03:13:00 +02:00 · 2024-08-13 19:32:36 +02:00
parent bff6f8ca93
commit 43a0305a23
5 changed files with 50 additions and 5 deletions
--- a/adminer/drivers/oracle.inc.php
+++ b/adminer/drivers/oracle.inc.php
@@ -167,7 +167,14 @@ if (isset($_GET["oracle"])) {
 		}
 	}

-
+	/**
+	 * @param string $hostPath
+	 * @return bool
+	 */
+	function is_server_host_valid($hostPath) {
+		// EasyConnect host+path format: host[/[service_name][:server_type][/instance_name]]
+		return (bool)preg_match('~^[^/]+(/([^/:]+)?(:[^/:]+)?(/[^/:]+)?)?$~', $hostPath);
+	}

 	function idf_escape($idf) {
 		return '"' . str_replace('"', '""', $idf) . '"';
--- a/adminer/include/auth.inc.php
+++ b/adminer/include/auth.inc.php
@@ -35,9 +35,11 @@ function validate_server_input() {
 		auth_error(lang('Invalid server or credentials.'));
 	}

-	// Allow only host without a path. Note that "localhost" is parsed as path.
-	$host = (isset($parts['host']) ? $parts['host'] : '') . (isset($parts['path']) ? $parts['path'] : '');
-	if (strpos(rtrim($host, '/'), '/') !== false) {
+	// Note that "localhost" and IP address without a scheme is parsed as a path.
+	$hostPath = (isset($parts['host']) ? $parts['host'] : '') . (isset($parts['path']) ? $parts['path'] : '');
+
+	// Validate host.
+	if (!is_server_host_valid($hostPath)) {
 		auth_error(lang('Invalid server or credentials.'));
 	}

@@ -47,6 +49,17 @@ function validate_server_input() {
 	}
 }

+if (!function_exists('is_server_host_valid')) {
+	/**
+	 * @param string $hostPath
+	 * @return bool
+	 */
+	function is_server_host_valid($hostPath)
+	{
+		return strpos($hostPath, '/') === false;
+	}
+}
+
 /**
 * @param string $server
 * @param string $username