
Move $token to get_token()

This commit is contained in:
Jakub Vrana
2025-03-28 18:49:26 +01:00
parent 74457f0895
commit e219ef9ad1
7 changed files with 10 additions and 13 deletions


@@ -7,7 +7,6 @@ $has_token = $_SESSION["token"];
if (!$has_token) { if (!$has_token) {
$_SESSION["token"] = rand(1, 1e6); // defense against cross-site request forgery $_SESSION["token"] = rand(1, 1e6); // defense against cross-site request forgery
} }
$token = get_token(); ///< @var string CSRF protection
$permanent = array(); $permanent = array();
if ($_COOKIE["adminer_permanent"]) { if ($_COOKIE["adminer_permanent"]) {
@@ -204,7 +203,7 @@ if ($_POST["logout"] && $has_token && !verify_token()) {
} }
if ($auth && $_POST["token"]) { if ($auth && $_POST["token"]) {
$_POST["token"] = $token; // reset token after explicit login $_POST["token"] = get_token(); // reset token after explicit login
} }
$error = ''; ///< @var string $error = ''; ///< @var string
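Review bot: The CSRF token kept as context in this hunk is still produced by `rand(1, 1e6)`, a non-cryptographic generator over roughly 2^20 values, and the commit's point of making get_token() the single accessor makes this the natural place to harden it. A drop-in change is `$_SESSION["token"] = random_int(1, PHP_INT_MAX); // defense against cross-site request forgery`, which keeps the value an integer so consumers of $_SESSION["token"] should be unaffected. verify_token() and the body of get_token() are outside this diff; confirm the comparison there is a strict one (ideally `hash_equals()` on string casts) rather than `==`.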


@@ -39,7 +39,7 @@ if ($_GET["script"] == "version") {
exit; exit;
} }
global $adminer, $connection, $driver, $drivers, $error, $permanent, $has_token, $token, $translations; // allows including Adminer inside a function global $adminer, $connection, $driver, $drivers, $error, $permanent, $has_token, $translations; // allows including Adminer inside a function
if (!$_SERVER["REQUEST_URI"]) { // IIS 5 compatibility if (!$_SERVER["REQUEST_URI"]) { // IIS 5 compatibility
$_SERVER["REQUEST_URI"] = $_SERVER["ORIG_PATH_INFO"]; $_SERVER["REQUEST_URI"] = $_SERVER["ORIG_PATH_INFO"];


@@ -77,7 +77,7 @@ fQIDAQAB
} }
} }
echo script("mixin(document.body, {onkeydown: bodyKeydown, onclick: bodyClick" echo script("mixin(document.body, {onkeydown: bodyKeydown, onclick: bodyClick"
. (isset($_COOKIE["adminer_version"]) ? "" : ", onload: partial(verifyVersion, '" . VERSION . "', '" . js_escape(ME) . "', '" . get_token() . "')") // $token may be empty in auth.inc.php . (isset($_COOKIE["adminer_version"]) ? "" : ", onload: partial(verifyVersion, '" . VERSION . "', '" . js_escape(ME) . "', '" . get_token() . "')")
. "}); . "});
document.body.classList.replace('nojs', 'js'); document.body.classList.replace('nojs', 'js');
const offlineMessage = '" . js_escape(lang('You are offline.')) . "'; const offlineMessage = '" . js_escape(lang('You are offline.')) . "';
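Review bot: On the new side of the onload line, `get_token()` is concatenated bare into the JavaScript string literal while `ME` right beside it goes through `js_escape()`; the slow_query hunk does the same in `'kill=$kill&token=" . get_token() . "'`. This is harmless only as long as the token remains a server-generated integer; writing `js_escape(get_token())` here (and `urlencode()` on the query-string form in slow_query) keeps the quoting correct if the token representation ever changes. The echo statement continues past the end of this hunk.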


@@ -850,7 +850,7 @@ function count_rows(string $table, array $where, bool $is_group, array $group):
* @return string[] * @return string[]
*/ */
function slow_query(string $query): array { function slow_query(string $query): array {
global $adminer, $token, $driver; global $adminer, $driver;
$db = $adminer->database(); $db = $adminer->database();
$timeout = $adminer->queryTimeout(); $timeout = $adminer->queryTimeout();
$slow_query = $driver->slowQuery($query, $timeout); $slow_query = $driver->slowQuery($query, $timeout);
@@ -859,7 +859,7 @@ function slow_query(string $query): array {
$connection2 = connect($adminer->credentials()); $connection2 = connect($adminer->credentials());
if (is_object($connection2) && ($db == "" || $connection2->select_db($db))) { if (is_object($connection2) && ($db == "" || $connection2->select_db($db))) {
$kill = get_val(connection_id(), 0, $connection2); // MySQL and MySQLi can use thread_id but it's not in PDO_MySQL $kill = get_val(connection_id(), 0, $connection2); // MySQL and MySQLi can use thread_id but it's not in PDO_MySQL
echo script("const timeout = setTimeout(() => { ajax('" . js_escape(ME) . "script=kill', function () {}, 'kill=$kill&token=$token'); }, 1000 * $timeout);"); echo script("const timeout = setTimeout(() => { ajax('" . js_escape(ME) . "script=kill', function () {}, 'kill=$kill&token=" . get_token() . "'); }, 1000 * $timeout);");
} }
} }
ob_flush(); ob_flush();


@@ -24,13 +24,11 @@ function input_hidden(string $name, $value = ""): string {
return "<input type='hidden' name='" . h($name) . "' value='" . h($value) . "'>\n"; return "<input type='hidden' name='" . h($name) . "' value='" . h($value) . "'>\n";
} }
/** Get <input type="hidden" name="token"> /** Get CSRF <input type="hidden" name="token">
* @param string $special token to use instead of global $token
* @return string HTML * @return string HTML
*/ */
function input_token(string $special = ""): string { function input_token(): string {
global $token; return input_hidden("token", get_token());
return input_hidden("token", ($special ?: $token));
} }
/** Get a target="_blank" attribute */ /** Get a target="_blank" attribute */
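Review bot: Removing the `$special` parameter from input_token() changes its public surface silently: PHP ignores surplus arguments to userland functions, so an external caller (e.g. a plugin) still passing its own token gets no error and the argument is quietly replaced by get_token(). If that is intended, a changelog line or a short remark in the docblock would make the behaviour change visible; otherwise keep the optional parameter, `function input_token(string $special = ""): string { return input_hidden("token", $special !== "" ? $special : get_token()); }`. The old `?:` form also treated "0" as empty, which the explicit `!== ""` comparison avoids.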


@@ -92,7 +92,7 @@ function switch_lang(): void {
echo "<form action='' method='post'>\n<div id='lang'>"; echo "<form action='' method='post'>\n<div id='lang'>";
echo lang('Language') . ": " . html_select("lang", langs(), LANG, "this.form.submit();"); echo lang('Language') . ": " . html_select("lang", langs(), LANG, "this.form.submit();");
echo " <input type='submit' value='" . lang('Use') . "' class='hidden'>\n"; echo " <input type='submit' value='" . lang('Use') . "' class='hidden'>\n";
echo input_token(get_token()); // $token may be empty in auth.inc.php echo input_token();
echo "</div>\n</form>\n"; echo "</div>\n</form>\n";
} }


@@ -12,7 +12,7 @@ parameters:
- identifier: includeOnce.fileNotFound # ./adminer-plugins.php - identifier: includeOnce.fileNotFound # ./adminer-plugins.php
- "~^Function (set_magic_quotes_runtime|mysql_)~" # PHP < 7 functions - "~^Function (set_magic_quotes_runtime|mysql_)~" # PHP < 7 functions
- "~an unknown class OCI-?Lob~" # this looks like PHPStan bug - "~an unknown class OCI-?Lob~" # this looks like PHPStan bug
- "~^Variable \\$(adminer|connection|driver|drivers|error|permanent|has_token|token|translations) might not be defined~" # declared in bootstrap.inc.php - "~^Variable \\$(adminer|connection|driver|drivers|error|permanent|has_token|translations) might not be defined~" # declared in bootstrap.inc.php
- "~expects int, float given~" # this will work - "~expects int, float given~" # this will work
- "~expects bool~" # truthy values - "~expects bool~" # truthy values
- "~fread expects int<1, max>, 100000~" # 1e6 - "~fread expects int<1, max>, 100000~" # 1e6