mirror/php-adminer
1
0
Fork 0
mirror of https://github.com/vrana/adminer.git synced 2025-09-03 11:22:35 +02:00
Code Issues Releases Wiki Activity

Fix server URL validation for Oracle connections

Browse Source 
Every driver can validate URL host and path by its own rules. Path is forbidden by default, HTTP-based drivers allow only '/' as path and Oracle driver validates path according to the EasyConnect URL format.
This commit is contained in:
Peter Knut
2024-08-13 19:32:36 +02:00
parent bff6f8ca93
commit 43a0305a23
5 changed files with 50 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
adminer/drivers/oracle.inc.php
View File

@@ -167,7 +167,14 @@ if (isset($_GET["oracle"])) {
}
}
/**
* @param string $hostPath
* @return bool
*/
function is_server_host_valid($hostPath) {
// EasyConnect host+path format: host[/[service_name][:server_type][/instance_name]]
return (bool)preg_match('~^[^/]+(/([^/:]+)?(:[^/:]+)?(/[^/:]+)?)?$~', $hostPath);
}
function idf_escape($idf) {
return '"' . str_replace('"', '""', $idf) . '"';

19
adminer/include/auth.inc.php
View File

@@ -35,9 +35,11 @@ function validate_server_input() {
auth_error(lang('Invalid server or credentials.'));
}
// Allow only host without a path. Note that "localhost" is parsed as path.
$host = (isset($parts['host']) ? $parts['host'] : '') . (isset($parts['path']) ? $parts['path'] : '');
if (strpos(rtrim($host, '/'), '/') !== false) {
// Note that "localhost" and IP address without a scheme is parsed as a path.
$hostPath = (isset($parts['host']) ? $parts['host'] : '') . (isset($parts['path']) ? $parts['path'] : '');
// Validate host.
if (!is_server_host_valid($hostPath)) {
auth_error(lang('Invalid server or credentials.'));
}
@@ -47,6 +49,17 @@ function validate_server_input() {
}
}
if (!function_exists('is_server_host_valid')) {
/**
* @param string $hostPath
* @return bool
*/
function is_server_host_valid($hostPath)
{
return strpos($hostPath, '/') === false;
}
}
/**
* @param string $server
* @param string $username

9
plugins/drivers/clickhouse.php
View File

@@ -240,6 +240,15 @@ if (isset($_GET["clickhouse"])) {
return apply_queries("DROP TABLE", $tables);
}
/**
* @param string $hostPath
* @return bool
*/
function is_server_host_valid($hostPath)
{
return strpos(rtrim($hostPath, '/'), '/') === false;
}
function connect() {
global $adminer;
$connection = new Min_DB;

9
plugins/drivers/elastic5.php
View File

@@ -273,6 +273,15 @@ if (isset($_GET["elastic5"])) {
}
}
/**
* @param string $hostPath
* @return bool
*/
function is_server_host_valid($hostPath)
{
return strpos(rtrim($hostPath, '/'), '/') === false;
}
function connect() {
$connection = new Min_DB;

9
plugins/drivers/simpledb.php
View File

@@ -280,7 +280,14 @@ if (isset($_GET["simpledb"])) {
}
/**
* @param string $hostPath
* @return bool
*/
function is_server_host_valid($hostPath)
{
return strpos(rtrim($hostPath, '/'), '/') === false;
}
function connect() {
global $adminer;