Disable creating SQLite databases with extension other than db, sdb, sqlite
authorJakub Vrana <jakub@vrana.cz>
Sun, 17 Oct 2010 06:22:36 +0000 (08:22 +0200)
committerJakub Vrana <jakub@vrana.cz>
Sun, 17 Oct 2010 06:22:36 +0000 (08:22 +0200)
adminer/drivers/sqlite.inc.php
changes.txt

index 89ce2f15e98de46c335a868576042692b562988c..5418ac6c7eaca4fd94908e9a9a5ce93c06b11fd7 100644 (file)
@@ -344,13 +344,27 @@ if (isset($_GET["sqlite"]) || isset($_GET["sqlite2"])) {
        function exact_value($val) {
                return q($val);
        }
-
+       
+       function check_sqlite_name($name) {
+               // avoid creating PHP files on unsecured servers
+               global $connection;
+               $extensions = "db|sdb|sqlite";
+               if (!preg_match("~^[^\\0]*\\.($extensions)\$~", $name)) {
+                       $connection->error = lang('Please use one of the extensions %s.', str_replace("|", ", ", $extensions));
+                       return false;
+               }
+               return true;
+       }
+       
        function create_database($db, $collation) {
                global $connection;
                if (file_exists($db)) {
                        $connection->error = lang('File exists.');
                        return false;
                }
+               if (!check_sqlite_name($db)) {
+                       return false;
+               }
                $link = new Min_SQLite($db); //! exception handler
                $link->query('PRAGMA encoding = "UTF-8"');
                $link->query('CREATE TABLE adminer (i)'); // otherwise creates empty file
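Review bot: check_sqlite_name only constrains the final extension, so a name such as `x.php.db` still passes, and a web server whose PHP handler is keyed on any `.php` segment of a file name (Apache's multi-extension mod_mime behaviour) could still treat the created file as a script, which is what the comment on the second added line says the check is meant to prevent. The `$` anchor also accepts a trailing newline unless the pattern carries the `D` modifier. A tighter test would be `if (!preg_match("~^[^\\0]*\\.($extensions)\$~D", $name) || preg_match('~\.php~i', $name)) {`, and the comment could state what the check does and does not cover, e.g. `// only the final extension is restricted; directory separators and ".." are accepted because the database name is a file path`, since `[^\0]*` deliberately leaves the path part open (presumably intended, as SQLite databases are addressed by path). The two added blank lines framing the function carry trailing whitespace. create_database's body continues past the end of the hunk.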
@@ -372,6 +386,9 @@ if (isset($_GET["sqlite"]) || isset($_GET["sqlite2"])) {
        
        function rename_database($name, $collation) {
                global $connection;
+               if (!check_sqlite_name($name)) {
+                       return false;
+               }
                $connection->Min_SQLite(":memory:");
                $connection->error = lang('File exists.');
                return @rename(DB, $name);
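Review bot: rename_database gains the extension guard but, unlike create_database in the hunk above, never checks whether `$name` already exists; `rename()` replaces an existing target on POSIX systems, the `@` on the last line hides any warning, and `$connection->error` is set to 'File exists.' before the outcome is known. Placing `if (file_exists($name)) { $connection->error = lang('File exists.'); return false; }` next to the new check_sqlite_name call would make the two paths consistent. Whether rename_database is meant to be able to replace files is not visible here, so this may be deliberate. The function's closing brace lies outside the hunk.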
index 716b9d2ece30a67b234d7b24e10232c68501c0bb..094eda1436feaf27facc43363d7863eea7fb6b7d 100644 (file)
@@ -1,5 +1,6 @@
 Adminer 3.0.1-dev:
 Send the form by Ctrl+Enter in all textareas
+Disable creating SQLite databases with extension other than db, sdb, sqlite
 Catalan translation
 
 Adminer 3.0.0 (released 2010-10-15):