mirror/php-adminer
1
0
Fork 0
mirror of https://github.com/vrana/adminer.git synced 2025-08-08 15:47:00 +02:00
Code Issues Releases Wiki Activity

Security: Disallow writing temporary files to symlinks (bug #855)

Browse Source 
Cc @peterpp
This commit is contained in:
Jakub Vrana
2025-03-16 20:49:52 +01:00
parent 28535bf384
commit 6576fa6a73
3 changed files with 24 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
adminer/include/auth.inc.php
View File

@@ -19,7 +19,17 @@ if ($_COOKIE["adminer_permanent"]) {
function add_invalid_login() { function add_invalid_login() {
global $adminer; global $adminer;
$fp = file_open_lock(get_temp_dir() . "/adminer.invalid"); $base = get_temp_dir() . "/adminer.invalid";
// adminer.invalid may not be writable by us, try the files with random suffixes
foreach (glob("$base*") ?: array($base) as $filename) {
$fp = file_open_lock($filename);
if ($fp) {
break;
}
}
if (!$fp) {
$fp = file_open_lock("$base-" . rand_string());
}
if (!$fp) { if (!$fp) {
return; return;
} }
@@ -42,7 +52,15 @@ function add_invalid_login() {
function check_invalid_login() { function check_invalid_login() {
global $adminer; global $adminer;
$invalids = unserialize(@file_get_contents(get_temp_dir() . "/adminer.invalid")); // @ - may not exist $invalids = array();
foreach (glob(get_temp_dir() . "/adminer.invalid*") as $filename) {
$fp = file_open_lock($filename);
if ($fp) {
$invalids = unserialize(stream_get_contents($fp));
file_unlock($fp);
break;
}
}
$invalid = ($invalids ? $invalids[$adminer->bruteForceKey()] : array()); $invalid = ($invalids ? $invalids[$adminer->bruteForceKey()] : array());
$next_attempt = ($invalid[1] > 29 ? $invalid[0] - time() : 0); // allow 30 invalid attempts $next_attempt = ($invalid[1] > 29 ? $invalid[0] - time() : 0); // allow 30 invalid attempts
if ($next_attempt > 0) { //! do the same with permanent login if ($next_attempt > 0) { //! do the same with permanent login

3
adminer/include/functions.inc.php
View File

@@ -799,6 +799,9 @@ function get_temp_dir() {
* @return resource or null for error * @return resource or null for error
*/ */
function file_open_lock($filename) { function file_open_lock($filename) {
if (is_link($filename)) {
return; // https://cwe.mitre.org/data/definitions/61.html
}
$fp = @fopen($filename, "c+"); // @ - may not be writable $fp = @fopen($filename, "c+"); // @ - may not be writable
if (!$fp) { if (!$fp) {
return; return;

1
changes.txt
View File

@@ -2,6 +2,7 @@ Adminer dev:
Align numbers right (bug #912) Align numbers right (bug #912)
Remember export setting at SQL command Remember export setting at SQL command
SQL textarea: Open help on Ctrl+click SQL textarea: Open help on Ctrl+click
Security: Disallow writing temporary files to symlinks (bug #855)
MariaDB: Display MariaDB instead of MySQL MariaDB: Display MariaDB instead of MySQL
CSS: Dark mode syntax highlighting CSS: Dark mode syntax highlighting
Designs named adminer-dark.css use dark basic style Designs named adminer-dark.css use dark basic style