PHP PMA_securePath函数代码示例

/**
 * get all the export options and verify
 * call and include the appropriate Schema Class depending on $export_type
 *
 * @param string $export_type format of the export
 *
 * @return void
 */
function PMA_processExportSchema($export_type)
{
    /**
     * default is PDF, otherwise validate it's only letters a-z
     */
    if (!isset($export_type) || !preg_match('/^[a-zA-Z]+$/', $export_type)) {
        $export_type = 'pdf';
    }
    // sanitize this parameter which will be used below in a file inclusion
    $export_type = PMA_securePath($export_type);
    // get the specific plugin
    $export_plugin = PMA_getPlugin("schema", $export_type, 'libraries/plugins/schema/');
    // Check schema export type
    if (!isset($export_plugin)) {
        PMA_fatalError(__('Bad type!'));
    }
    $GLOBALS['dbi']->selectDb($GLOBALS['db']);
    $export_plugin->exportSchema($GLOBALS['db']);
}

    $err_url = 'server_export.php?' . PMA_generate_common_url();
} elseif ($export_type == 'database' && strlen($db)) {
    $err_url = 'db_export.php?' . PMA_generate_common_url($db);
    // Check if we have something to export
    if (isset($table_select)) {
        $tables = $table_select;
    } else {
        $tables = array();
    }
} elseif ($export_type == 'table' && strlen($db) && strlen($table)) {
    $err_url = 'tbl_export.php?' . PMA_generate_common_url($db, $table);
} else {
    die('Bad parameters!');
}
// Get the functions specific to the export type
require './libraries/export/' . PMA_securePath($type) . '.php';
/**
 * Increase time limit for script execution and initializes some variables
 */
@set_time_limit($cfg['ExecTimeLimit']);
if (!empty($cfg['MemoryLimit'])) {
    @ini_set('memory_limit', $cfg['MemoryLimit']);
}
// Start with empty buffer
$dump_buffer = '';
$dump_buffer_len = 0;
// We send fake headers to avoid browser timeout when buffering
$time_start = time();
/**
 * Output handler for all exports, if needed buffering, it stores data into
 * $dump_buffer, otherwise it prints thems out.

    /**
     *
     * @access  public
     * @uses    $GLOBALS['strFileCouldNotBeRead']
     * @uses    PMA_File::setName()
     * @uses    PMA_securePath()
     * @uses    PMA_userDir()
     * @uses    $GLOBALS['cfg']['UploadDir']
     * @param   string  $name
     * @return  boolean success
     */
    function setLocalSelectedFile($name)
    {
        if (empty($GLOBALS['cfg']['UploadDir'])) return false;

        $this->setName(PMA_userDir($GLOBALS['cfg']['UploadDir']) . PMA_securePath($name));
        if (! $this->isReadable()) {
            $this->_error_message = $GLOBALS['strFileCouldNotBeRead'];
            $this->setName(null);
            return false;
        }

        return true;
    }

 }
 /**
  * Sets globals from $_POST
  *
  * - Please keep the parameters in order of their appearance in the form
  * - Some of these parameters are not used, as the code below directly
  *   verifies from the superglobal $_POST or $_REQUEST
  */
 $post_params = array('db', 'table', 'single_table', 'export_type', 'export_method', 'quick_or_custom', 'db_select', 'table_select', 'limit_to', 'limit_from', 'allrows', 'output_format', 'filename_template', 'maxsize', 'remember_template', 'charset_of_file', 'compression', 'what', 'knjenc', 'xkana', 'htmlword_structure_or_data', 'htmlword_null', 'htmlword_columns', 'mediawiki_headers', 'mediawiki_structure_or_data', 'mediawiki_caption', 'pdf_structure_or_data', 'odt_structure_or_data', 'odt_relation', 'odt_comments', 'odt_mime', 'odt_columns', 'odt_null', 'codegen_structure_or_data', 'codegen_format', 'excel_null', 'excel_removeCRLF', 'excel_columns', 'excel_edition', 'excel_structure_or_data', 'yaml_structure_or_data', 'ods_null', 'ods_structure_or_data', 'ods_columns', 'json_structure_or_data', 'xml_structure_or_data', 'xml_export_events', 'xml_export_functions', 'xml_export_procedures', 'xml_export_tables', 'xml_export_triggers', 'xml_export_views', 'xml_export_contents', 'texytext_structure_or_data', 'texytext_columns', 'texytext_null', 'phparray_structure_or_data', 'sql_include_comments', 'sql_header_comment', 'sql_dates', 'sql_relation', 'sql_mime', 'sql_use_transaction', 'sql_disable_fk', 'sql_compatibility', 'sql_structure_or_data', 'sql_create_database', 'sql_drop_table', 'sql_procedure_function', 'sql_create_table_statements', 'sql_create_table', 'sql_create_view', 'sql_create_trigger', 'sql_if_not_exists', 'sql_auto_increment', 'sql_backquotes', 'sql_truncate', 'sql_delayed', 'sql_ignore', 'sql_type', 'sql_insert_syntax', 'sql_max_query_size', 'sql_hex_for_binary', 'sql_utc_time', 'sql_drop_database', 'sql_views_as_tables', 'csv_separator', 'csv_enclosed', 'csv_escaped', 'csv_terminated', 'csv_null', 'csv_removeCRLF', 'csv_columns', 'csv_structure_or_data', 'latex_caption', 'latex_structure_or_data', 'latex_structure_caption', 'latex_structure_continued_caption', 'latex_structure_label', 'latex_relation', 'latex_comments', 'latex_mime', 'latex_columns', 'latex_data_caption', 'latex_data_continued_caption', 'latex_data_label', 'latex_null');
 foreach ($post_params as $one_post_param) {
     if (isset($_POST[$one_post_param])) {
         $GLOBALS[$one_post_param] = $_POST[$one_post_param];
     }
 }
 // sanitize this parameter which will be used below in a file inclusion
 $what = PMA_securePath($what);
 PMA_Util::checkParameters(array('what', 'export_type'));
 // export class instance, not array of properties, as before
 $export_plugin = PMA_getPlugin("export", $what, 'libraries/plugins/export/', array('export_type' => $export_type, 'single_table' => isset($single_table)));
 // Backward compatibility
 $type = $what;
 // Check export type
 if (!isset($export_plugin)) {
     PMA_fatalError(__('Bad type!'));
 }
 /**
  * valid compression methods
  */
 $compression_methods = array('zip', 'gzip');
 /**
  * init and variable checking

                $ThemeDefaultOk = TRUE;
            }
        }
    }
    if ($ThemeDefaultOk == TRUE) {
        $GLOBALS['theme'] = $cfg['ThemeDefault'];
    } else {
        $GLOBALS['theme'] = 'original';
    }
} else {
    // if we just changed theme, we must take the new one so that
    // index.php takes the correct one for height computing
    if (isset($_POST['set_theme'])) {
        $GLOBALS['theme'] = PMA_securePath($_POST['set_theme']);
    } else {
        $GLOBALS['theme'] = PMA_securePath($_COOKIE[$theme_cookie_name]);
    }
}
// check for theme requires/name
unset($theme_name, $theme_generation, $theme_version);
@(include $cfg['ThemePath'] . '/' . $GLOBALS['theme'] . '/info.inc.php');
// did it set correctly?
if (!isset($theme_name, $theme_generation, $theme_version)) {
    $GLOBALS['theme'] = 'original';
    // invalid theme
} elseif ($theme_generation != PMA_THEME_GENERATION) {
    $GLOBALS['theme'] = 'original';
    // different generation
} elseif ($theme_version < PMA_THEME_VERSION) {
    $GLOBALS['theme'] = 'original';
    // too old version

    PMA_DBI_free_result($result);
    unset($result);
}
if ($total_affected_rows != 0) {
    $message .= $total_affected_rows;
} else {
    $message .= $strModifications;
}
$message .= $last_message;
if (!empty($warning_message)) {
    // TODO: use a <div class="warning"> in PMA_showMessage()
    // for this part of the message
    $message .= '[br]' . $warning_message;
}
if ($is_gotofile) {
    if ($goto == 'db_details.php' && isset($table)) {
        unset($table);
    }
    $js_to_run = 'functions.js';
    $active_page = $goto;
    require_once './libraries/header.inc.php';
    require './' . PMA_securePath($goto);
} else {
    // if we have seen binary,
    // we do not append the query to the Location so it won't be displayed
    // on the resulting page
    // Nijel: we also need to limit size of url...
    $add_query = !$seen_binary && strlen($sql_query) < 1024 ? '&disp_query=' . urlencode($sql_query) : '';
    PMA_sendHeaderLocation($cfg['PmaAbsoluteUri'] . $goto . '&disp_message=' . urlencode($message) . $add_query);
}
exit;

// Calculate value of the limit
if (strtolower(substr($memory_limit, -1)) == 'm') {
    $memory_limit = (int) substr($memory_limit, 0, -1) * 1024 * 1024;
} elseif (strtolower(substr($memory_limit, -1)) == 'k') {
    $memory_limit = (int) substr($memory_limit, 0, -1) * 1024;
} elseif (strtolower(substr($memory_limit, -1)) == 'g') {
    $memory_limit = (int) substr($memory_limit, 0, -1) * 1024 * 1024 * 1024;
} else {
    $memory_limit = (int) $memory_limit;
}
$read_limit = $memory_limit / 8;
// Just to be sure, there might be lot of memory needed for uncompression
// handle filenames
if (!empty($local_import_file) && !empty($cfg['UploadDir'])) {
    // sanitize $local_import_file as it comes from a POST
    $local_import_file = PMA_securePath($local_import_file);
    $import_file = PMA_userDir($cfg['UploadDir']) . $local_import_file;
} elseif (empty($import_file) || !is_uploaded_file($import_file)) {
    $import_file = 'none';
}
// Do we have file to import?
if ($import_file != 'none' && !$error) {
    // work around open_basedir and other limitations
    $open_basedir = @ini_get('open_basedir');
    // If we are on a server with open_basedir, we must move the file
    // before opening it. The doc explains how to create the "./tmp"
    // directory
    if (!empty($open_basedir)) {
        $tmp_subdir = PMA_IS_WINDOWS ? '.\\tmp\\' : './tmp/';
        if (is_writable($tmp_subdir)) {
            $import_file_new = $tmp_subdir . basename($import_file);

         if (!empty($_ENV) && isset($_ENV['DOCUMENT_ROOT'])) {
             $DOCUMENT_ROOT = $_ENV['DOCUMENT_ROOT'];
         } else {
             if (@getenv('DOCUMENT_ROOT')) {
                 $DOCUMENT_ROOT = getenv('DOCUMENT_ROOT');
             } else {
                 $DOCUMENT_ROOT = '.';
             }
         }
     }
 }
 // end if
 if (substr($cfg['UploadDir'], -1) != '/') {
     $cfg['UploadDir'] .= '/';
 }
 $textfile = $DOCUMENT_ROOT . dirname($PHP_SELF) . '/' . preg_replace('@^./@s', '', $cfg['UploadDir']) . PMA_securePath($local_textfile);
 if (file_exists($textfile)) {
     $open_basedir = @ini_get('open_basedir');
     // If we are on a server with open_basedir, we must move the file
     // before opening it. The doc explains how to create the "./tmp"
     // directory
     if (!empty($open_basedir)) {
         $tmp_subdir = PMA_IS_WINDOWS ? '.\\tmp\\' : './tmp/';
         // function is_writeable() is valid on PHP3 and 4
         if (!is_writeable($tmp_subdir)) {
             echo $strWebServerUploadDirectoryError . ': ' . $tmp_subdir . '<br />';
             exit;
         } else {
             $textfile_new = $tmp_subdir . basename($textfile);
             move_uploaded_file($textfile, $textfile_new);
             $textfile = $textfile_new;

             $docsql_text = PMA_readFile($sql_file, $sql_file_compression);
         }
         // Convert the file's charset if necessary
         if ($cfg['AllowAnywhereRecoding'] && $allow_recoding && isset($charset_of_file) && $charset_of_file != $charset) {
             $docsql_text = PMA_convert_string($charset_of_file, $charset, $docsql_text);
         }
         if (!isset($docsql_text) || $docsql_text == FALSE || $docsql_text == '') {
             echo '<p><font color="red">' . $GLOBALS['strFileCouldNotBeRead'] . '</font></p>' . "\n";
         } else {
             docsql_check('', $sql_file_name, $sql_file_name, $docsql_text);
         }
     }
     // end uploaded file stuff
 } else {
     // echo '<h1>Starting Import</h1>';
     $docpath = $cfg['docSQLDir'] . PMA_securePath($docpath);
     if (substr($docpath, -1) != '/') {
         $docpath .= '/';
     }
     $matched_files = 0;
     if (is_dir($docpath)) {
         // Do the work
         $handle = opendir($docpath);
         while ($file = @readdir($handle)) {
             $filename = basename($file);
             // echo '<p>Working on file ' . $filename . '</p>';
             $matched_files += docsql_check($docpath, $file, $filename);
         }
         // end while
     } else {
         echo '<p><font color="red">' . $docpath . ': ' . $strThisNotDirectory . "</font></p>\n";

 /**
  * get all the export options and verify
  * call and include the appropriate Schema Class depending on $export_type
  *
  * @return void
  * @access private
  */
 private function _processExportSchema()
 {
     /**
      * Settings for relation stuff
      */
     include_once './libraries/transformations.lib.php';
     include_once './libraries/Index.class.php';
     /**
      * default is PDF, otherwise validate it's only letters a-z
      */
     global $db, $export_type;
     if (!isset($export_type) || !preg_match('/^[a-zA-Z]+$/', $export_type)) {
         $export_type = 'pdf';
     }
     $GLOBALS['dbi']->selectDb($db);
     $path = PMA_securePath(ucfirst($export_type));
     $filename = 'libraries/schema/' . $path . '_Relation_Schema.class.php';
     if (!file_exists($filename)) {
         PMA_Export_Relation_Schema::dieSchema($_POST['chpage'], $export_type, __('File doesn\'t exist'));
     }
     $GLOBALS['skip_import'] = false;
     include $filename;
     if ($GLOBALS['skip_import']) {
         PMA_Export_Relation_Schema::dieSchema($_POST['chpage'], $export_type, __('Plugin is disabled'));
     }
     $class_name = 'PMA_' . $path . '_Relation_Schema';
     $obj_schema = new $class_name();
     $obj_schema->showOutput();
 }

/**
 * Defines the url to return to in case of error in a sql statement
 */
if (!isset($goto) || !preg_match('@^(db_details|tbl_properties)(_[a-z]*)?\\.php$@i', $goto)) {
    $goto = 'db_details.php';
}
$err_url = $goto . '?' . PMA_generate_common_url($db) . (preg_match('@^tbl_properties(_[a-z]*)?\\.php$@', $goto) ? '&table=' . urlencode($table) : '');
/**
 * Set up default values for some variables
 */
$view_bookmark = 0;
$sql_bookmark = isset($sql_bookmark) ? $sql_bookmark : '';
$sql_query = isset($sql_query) ? $sql_query : '';
if (!empty($sql_localfile) && !empty($cfg['UploadDir'])) {
    // sanitize $sql_localfile as it comes from a POST
    $sql_localfile = PMA_securePath($sql_localfile);
    if (substr($cfg['UploadDir'], -1) != '/') {
        $cfg['UploadDir'] .= '/';
    }
    $sql_file = $cfg['UploadDir'] . $sql_localfile;
} else {
    if (empty($sql_file)) {
        $sql_file = 'none';
    }
}
/**
 * Bookmark Support: get a query back from bookmark if required
 */
if (!empty($id_bookmark)) {
    require_once './libraries/bookmark.lib.php';
    switch ($action_bookmark) {

/**
 * Gets some core libraries
 */
require_once './libraries/common.inc.php';
require './libraries/StorageEngine.class.php';
/**
 * Include settings for relation stuff
 * get all variables needed for exporting relational schema
 * in $cfgRelation
 */
require_once './libraries/relation.lib.php';
$cfgRelation = PMA_getRelationsParam();
require_once './libraries/transformations.lib.php';
require_once './libraries/Index.class.php';
require_once "./libraries/schema/Export_Relation_Schema.class.php";
/**
 * get all the export options and verify
 * call and include the appropriate Schema Class depending on $export_type
 * default is PDF
 */
global $db, $export_type;
if (!isset($export_type) || !preg_match('/^[a-zA-Z]+$/', $export_type)) {
    $export_type = 'pdf';
}
PMA_DBI_select_db($db);
$path = PMA_securePath(ucfirst($export_type));
if (!file_exists('./libraries/schema/' . $path . '_Relation_Schema.class.php')) {
    PMA_Export_Relation_Schema::dieSchema($_POST['chpage'], $export_type, __('File doesn\'t exist'));
}
require "./libraries/schema/" . $path . "_Relation_Schema.class.php";
$obj_schema = eval("new PMA_" . $path . "_Relation_Schema();");

 /**
  * Test for replacing dots.
  *
  * @return void
  */
 public function testReplaceDots()
 {
     $this->assertEquals(PMA_securePath('../../../etc/passwd'), './././etc/passwd');
     $this->assertEquals(PMA_securePath('/var/www/../phpmyadmin'), '/var/www/./phpmyadmin');
     $this->assertEquals(PMA_securePath('./path/with..dots/../../file..php'), './path/with.dots/././file.php');
 }

$message .= $total_affected_rows . $last_message;
if (!empty($warning_message)) {
    /**
     * @todo use a <div class="warning"> in PMA_showMessage() for this part of
     * the message
     */
    $message .= '[br]' . $warning_message;
}
unset($warning_message, $total_affected_rows, $last_message);
if (isset($return_to_sql_query)) {
    $disp_query = $GLOBALS['sql_query'];
    $disp_message = $message;
    unset($message);
    $GLOBALS['sql_query'] = $return_to_sql_query;
}
// if user asked to "Insert another new row", we need tbl_change.js
// otherwise the calendar icon does not work
if ($goto_include == 'tbl_change.php') {
    /**
     * @todo if we really need to run many different js at header time,
     * $js_to_run would become an array and header.inc.php would iterate
     * thru it, instead of the bunch of if/elseif it does now
     */
    $js_to_run = 'tbl_change.js';
} else {
    $js_to_run = 'functions.js';
}
$active_page = $goto_include;
require_once './libraries/header.inc.php';
require './' . PMA_securePath($goto_include);
exit;

 /**
  * Sets globals from $_POST
  *
  * - Please keep the parameters in order of their appearance in the form
  * - Some of these parameters are not used, as the code below directly
  *   verifies from the superglobal $_POST or $_REQUEST
  */
 $post_params = array('db', 'table', 'single_table', 'export_type', 'export_method', 'quick_or_custom', 'db_select', 'table_select', 'table_structure', 'table_data', 'limit_to', 'limit_from', 'allrows', 'lock_tables', 'output_format', 'filename_template', 'maxsize', 'remember_template', 'charset', 'compression', 'as_separate_files', 'knjenc', 'xkana', 'htmlword_structure_or_data', 'htmlword_null', 'htmlword_columns', 'mediawiki_headers', 'mediawiki_structure_or_data', 'mediawiki_caption', 'pdf_structure_or_data', 'odt_structure_or_data', 'odt_relation', 'odt_comments', 'odt_mime', 'odt_columns', 'odt_null', 'codegen_structure_or_data', 'codegen_format', 'excel_null', 'excel_removeCRLF', 'excel_columns', 'excel_edition', 'excel_structure_or_data', 'yaml_structure_or_data', 'ods_null', 'ods_structure_or_data', 'ods_columns', 'json_structure_or_data', 'json_pretty_print', 'xml_structure_or_data', 'xml_export_events', 'xml_export_functions', 'xml_export_procedures', 'xml_export_tables', 'xml_export_triggers', 'xml_export_views', 'xml_export_contents', 'texytext_structure_or_data', 'texytext_columns', 'texytext_null', 'phparray_structure_or_data', 'sql_include_comments', 'sql_header_comment', 'sql_dates', 'sql_relation', 'sql_mime', 'sql_use_transaction', 'sql_disable_fk', 'sql_compatibility', 'sql_structure_or_data', 'sql_create_database', 'sql_drop_table', 'sql_procedure_function', 'sql_create_table_statements', 'sql_create_table', 'sql_create_view', 'sql_create_trigger', 'sql_if_not_exists', 'sql_auto_increment', 'sql_backquotes', 'sql_truncate', 'sql_delayed', 'sql_ignore', 'sql_type', 'sql_insert_syntax', 'sql_max_query_size', 'sql_hex_for_binary', 'sql_utc_time', 'sql_drop_database', 'sql_views_as_tables', 'sql_metadata', 'csv_separator', 'csv_enclosed', 'csv_escaped', 'csv_terminated', 'csv_null', 'csv_removeCRLF', 'csv_columns', 'csv_structure_or_data', 'latex_caption', 'latex_structure_or_data', 'latex_structure_caption', 'latex_structure_continued_caption', 'latex_structure_label', 'latex_relation', 'latex_comments', 'latex_mime', 'latex_columns', 'latex_data_caption', 'latex_data_continued_caption', 'latex_data_label', 'latex_null', 'aliases');
 foreach ($post_params as $one_post_param) {
     if (isset($_POST[$one_post_param])) {
         $GLOBALS[$one_post_param] = $_POST[$one_post_param];
     }
 }
 $table = $GLOBALS['table'];
 // sanitize this parameter which will be used below in a file inclusion
 $what = PMA_securePath($_POST['what']);
 PMA_Util::checkParameters(array('what', 'export_type'));
 // export class instance, not array of properties, as before
 /* @var $export_plugin ExportPlugin */
 $export_plugin = PMA_getPlugin("export", $what, 'libraries/plugins/export/', array('export_type' => $export_type, 'single_table' => isset($single_table)));
 // Backward compatibility
 $type = $what;
 // Check export type
 if (!isset($export_plugin)) {
     PMA_fatalError(__('Bad type!'));
 }
 // Avoid warning from PHP Analyzer
 if (is_null($export_plugin)) {
     $export_plugin = new stdClass();
 }
 /**