Move $token to get_token()
@@ -7,7 +7,6 @@ $has_token = $_SESSION["token"];
|
||||
if (!$has_token) {
|
||||
$_SESSION["token"] = rand(1, 1e6); // defense against cross-site request forgery
|
||||
}
|
||||
$token = get_token(); ///< @var string CSRF protection
|
||||
|
||||
$permanent = array();
|
||||
if ($_COOKIE["adminer_permanent"]) {
|
||||
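Review bot: The session token that this commit now reads everywhere through get_token() is still minted on the context line `$_SESSION["token"] = rand(1, 1e6);`, a non-cryptographic generator whose state can be inferred from other outputs, with only a million possible values. Since the commit centralises all reads into one helper, this is the natural moment to mint it from the CSPRNG; the drop-in that keeps the current int type and range is `$_SESSION["token"] = random_int(1, 1000000); // defense against cross-site request forgery`. A wider token such as `bin2hex(random_bytes(16))` would be stronger but changes the value's type, so verify_token() and the JavaScript consumers (not visible here) would need checking first. get_token() itself is not in this diff, so this assumes it simply returns `$_SESSION["token"]`.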
@@ -204,7 +203,7 @@ if ($_POST["logout"] && $has_token && !verify_token()) {
|
||||
}
|
||||
|
||||
if ($auth && $_POST["token"]) {
|
||||
$_POST["token"] = $token; // reset token after explicit login
|
||||
$_POST["token"] = get_token(); // reset token after explicit login
|
||||
}
|
||||
|
||||
$error = ''; ///< @var string
|
||||
|
@@ -39,7 +39,7 @@ if ($_GET["script"] == "version") {
|
||||
exit;
|
||||
}
|
||||
|
||||
global $adminer, $connection, $driver, $drivers, $error, $permanent, $has_token, $token, $translations; // allows including Adminer inside a function
|
||||
global $adminer, $connection, $driver, $drivers, $error, $permanent, $has_token, $translations; // allows including Adminer inside a function
|
||||
|
||||
if (!$_SERVER["REQUEST_URI"]) { // IIS 5 compatibility
|
||||
$_SERVER["REQUEST_URI"] = $_SERVER["ORIG_PATH_INFO"];
|
||||
|
@@ -77,7 +77,7 @@ fQIDAQAB
|
||||
}
|
||||
}
|
||||
echo script("mixin(document.body, {onkeydown: bodyKeydown, onclick: bodyClick"
|
||||
. (isset($_COOKIE["adminer_version"]) ? "" : ", onload: partial(verifyVersion, '" . VERSION . "', '" . js_escape(ME) . "', '" . get_token() . "')") // $token may be empty in auth.inc.php
|
||||
. (isset($_COOKIE["adminer_version"]) ? "" : ", onload: partial(verifyVersion, '" . VERSION . "', '" . js_escape(ME) . "', '" . get_token() . "')")
|
||||
. "});
|
||||
document.body.classList.replace('nojs', 'js');
|
||||
const offlineMessage = '" . js_escape(lang('You are offline.')) . "';
|
||||
|
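Review bot: On the `onload: partial(verifyVersion, ...)` line the value of get_token() is concatenated straight into a single-quoted JavaScript string literal, while the neighbouring ME value goes through `js_escape(ME)`; if the session token remains the integer assigned in bootstrap this is harmless, but the helper now hides the value's origin, so `js_escape(get_token())` keeps the escaping uniform and survives a later change of token format. The same bare interpolation appears in the slow_query hunk (`'kill=$kill&token=" . get_token() . "'`), where `$kill`, read from the database via get_val(), is inserted unescaped as well and would benefit from the same treatment. The enclosing code starts before this hunk.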
@@ -850,7 +850,7 @@ function count_rows(string $table, array $where, bool $is_group, array $group):
|
||||
* @return string[]
|
||||
*/
|
||||
function slow_query(string $query): array {
|
||||
global $adminer, $token, $driver;
|
||||
global $adminer, $driver;
|
||||
$db = $adminer->database();
|
||||
$timeout = $adminer->queryTimeout();
|
||||
$slow_query = $driver->slowQuery($query, $timeout);
|
||||
@@ -859,7 +859,7 @@ function slow_query(string $query): array {
|
||||
$connection2 = connect($adminer->credentials());
|
||||
if (is_object($connection2) && ($db == "" || $connection2->select_db($db))) {
|
||||
$kill = get_val(connection_id(), 0, $connection2); // MySQL and MySQLi can use thread_id but it's not in PDO_MySQL
|
||||
echo script("const timeout = setTimeout(() => { ajax('" . js_escape(ME) . "script=kill', function () {}, 'kill=$kill&token=$token'); }, 1000 * $timeout);");
|
||||
echo script("const timeout = setTimeout(() => { ajax('" . js_escape(ME) . "script=kill', function () {}, 'kill=$kill&token=" . get_token() . "'); }, 1000 * $timeout);");
|
||||
}
|
||||
}
|
||||
ob_flush();
|
||||
|
@@ -24,13 +24,11 @@ function input_hidden(string $name, $value = ""): string {
|
||||
return "<input type='hidden' name='" . h($name) . "' value='" . h($value) . "'>\n";
|
||||
}
|
||||
|
||||
/** Get <input type="hidden" name="token">
|
||||
* @param string $special token to use instead of global $token
|
||||
/** Get CSRF <input type="hidden" name="token">
|
||||
* @return string HTML
|
||||
*/
|
||||
function input_token(string $special = ""): string {
|
||||
global $token;
|
||||
return input_hidden("token", ($special ?: $token));
|
||||
function input_token(): string {
|
||||
return input_hidden("token", get_token());
|
||||
}
|
||||
|
||||
/** Get a target="_blank" attribute */
|
||||
|
@@ -92,7 +92,7 @@ function switch_lang(): void {
|
||||
echo "<form action='' method='post'>\n<div id='lang'>";
|
||||
echo lang('Language') . ": " . html_select("lang", langs(), LANG, "this.form.submit();");
|
||||
echo " <input type='submit' value='" . lang('Use') . "' class='hidden'>\n";
|
||||
echo input_token(get_token()); // $token may be empty in auth.inc.php
|
||||
echo input_token();
|
||||
echo "</div>\n</form>\n";
|
||||
}
|
||||
|
||||
|
@@ -12,7 +12,7 @@ parameters:
|
||||
- identifier: includeOnce.fileNotFound # ./adminer-plugins.php
|
||||
- "~^Function (set_magic_quotes_runtime|mysql_)~" # PHP < 7 functions
|
||||
- "~an unknown class OCI-?Lob~" # this looks like PHPStan bug
|
||||
- "~^Variable \\$(adminer|connection|driver|drivers|error|permanent|has_token|token|translations) might not be defined~" # declared in bootstrap.inc.php
|
||||
- "~^Variable \\$(adminer|connection|driver|drivers|error|permanent|has_token|translations) might not be defined~" # declared in bootstrap.inc.php
|
||||
- "~expects int, float given~" # this will work
|
||||
- "~expects bool~" # truthy values
|
||||
- "~fread expects int<1, max>, 100000~" # 1e6
|
||||
|