Skip to content

Commit 276577c

Browse files
kamil-tekielakamil-tekiela
authored
Remove $GLOBALS['PMA_PHP_SELF'] (#18149)
* Remove $GLOBALS['PMA_PHP_SELF'] Signed-off-by: Kamil Tekiela <tekiela246@gmail.com> * Remove $GLOBALS['PMA_PHP_SELF'] from tests Signed-off-by: Kamil Tekiela <tekiela246@gmail.com> * Moved cleanupPathInfo to Routing Signed-off-by: Kamil Tekiela <tekiela246@gmail.com> * Remove parse_url from getRootPath Signed-off-by: Kamil Tekiela <tekiela246@gmail.com> * Update baselines Signed-off-by: Kamil Tekiela <tekiela246@gmail.com> * Remove invalid tests Surely, we never expect PATH to be backslash delimited. The code is not designed to handle this and the tests for this don't make much sense. Signed-off-by: Kamil Tekiela <tekiela246@gmail.com> * Fix trailing slash in path Signed-off-by: Kamil Tekiela <tekiela246@gmail.com> --------- Signed-off-by: Kamil Tekiela <tekiela246@gmail.com>
1 parent 342ab3f commit 276577c

104 files changed

Lines changed: 183 additions & 312 deletions

File tree

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

libraries/classes/Common.php

Lines changed: 0 additions & 59 deletions
Original file line numberDiff line numberDiff line change
@@ -22,34 +22,25 @@
2222
use Symfony\Component\DependencyInjection\ContainerInterface;
2323

2424
use function __;
25-
use function array_pop;
2625
use function count;
2726
use function date_default_timezone_get;
2827
use function date_default_timezone_set;
2928
use function define;
30-
use function explode;
3129
use function extension_loaded;
3230
use function function_exists;
3331
use function hash_equals;
34-
use function htmlspecialchars;
35-
use function implode;
3632
use function ini_get;
3733
use function ini_set;
3834
use function is_array;
3935
use function is_scalar;
4036
use function is_string;
4137
use function mb_internal_encoding;
42-
use function mb_strlen;
43-
use function mb_strpos;
44-
use function mb_strrpos;
45-
use function mb_substr;
4638
use function ob_start;
4739
use function restore_error_handler;
4840
use function session_id;
4941
use function sprintf;
5042
use function strlen;
5143
use function trigger_error;
52-
use function urldecode;
5344

5445
use const CONFIG_FILE;
5546
use const E_USER_ERROR;
@@ -113,7 +104,6 @@ public static function run(bool $isSetupPage = false): void
113104
}
114105

115106
self::configurePhpSettings();
116-
self::cleanupPathInfo();
117107

118108
/** @var Config $config */
119109
$config = $container->get('config');
@@ -402,55 +392,6 @@ private static function configurePhpSettings(): void
402392
date_default_timezone_set(@date_default_timezone_get());
403393
}
404394

405-
/**
406-
* PATH_INFO could be compromised if set, so remove it from PHP_SELF
407-
* and provide a clean PHP_SELF here
408-
*/
409-
public static function cleanupPathInfo(): void
410-
{
411-
$GLOBALS['PMA_PHP_SELF'] = Core::getenv('PHP_SELF');
412-
if (empty($GLOBALS['PMA_PHP_SELF'])) {
413-
$GLOBALS['PMA_PHP_SELF'] = urldecode(Core::getenv('REQUEST_URI'));
414-
}
415-
416-
$_PATH_INFO = Core::getenv('PATH_INFO');
417-
if (! empty($_PATH_INFO) && ! empty($GLOBALS['PMA_PHP_SELF'])) {
418-
$question_pos = mb_strpos($GLOBALS['PMA_PHP_SELF'], '?');
419-
if ($question_pos != false) {
420-
$GLOBALS['PMA_PHP_SELF'] = mb_substr($GLOBALS['PMA_PHP_SELF'], 0, $question_pos);
421-
}
422-
423-
$path_info_pos = mb_strrpos($GLOBALS['PMA_PHP_SELF'], $_PATH_INFO);
424-
if ($path_info_pos !== false) {
425-
$path_info_part = mb_substr($GLOBALS['PMA_PHP_SELF'], $path_info_pos, mb_strlen($_PATH_INFO));
426-
if ($path_info_part === $_PATH_INFO) {
427-
$GLOBALS['PMA_PHP_SELF'] = mb_substr($GLOBALS['PMA_PHP_SELF'], 0, $path_info_pos);
428-
}
429-
}
430-
}
431-
432-
$path = [];
433-
foreach (explode('/', $GLOBALS['PMA_PHP_SELF']) as $part) {
434-
// ignore parts that have no value
435-
if (empty($part) || $part === '.') {
436-
continue;
437-
}
438-
439-
if ($part !== '..') {
440-
// cool, we found a new part
441-
$path[] = $part;
442-
} elseif (count($path) > 0) {
443-
// going back up? sure
444-
array_pop($path);
445-
}
446-
447-
// Here we intentionall ignore case where we go too up
448-
// as there is nothing sane to do
449-
}
450-
451-
$GLOBALS['PMA_PHP_SELF'] = htmlspecialchars('/' . implode('/', $path));
452-
}
453-
454395
private static function setGotoAndBackGlobals(ContainerInterface $container, Config $config): void
455396
{
456397
$GLOBALS['back'] ??= null;

libraries/classes/Config.php

Lines changed: 7 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -11,6 +11,7 @@
1111

1212
use function __;
1313
use function array_filter;
14+
use function array_key_last;
1415
use function array_merge;
1516
use function array_replace_recursive;
1617
use function array_slice;
@@ -52,7 +53,6 @@
5253
use function setcookie;
5354
use function sprintf;
5455
use function str_contains;
55-
use function str_replace;
5656
use function stripos;
5757
use function strtolower;
5858
use function substr;
@@ -837,11 +837,11 @@ public function getRootPath(): string
837837
}
838838
}
839839

840-
$parsedUrlPath = parse_url($GLOBALS['PMA_PHP_SELF'], PHP_URL_PATH);
840+
$parsedUrlPath = Routing::getCleanPathInfo();
841841

842842
$parts = explode(
843843
'/',
844-
rtrim(str_replace('\\', '/', $parsedUrlPath), '/'),
844+
$parsedUrlPath,
845845
);
846846

847847
/* Remove filename */
@@ -854,7 +854,10 @@ public function getRootPath(): string
854854
$parts = array_slice($parts, 0, count($parts) - 1);
855855
}
856856

857-
$parts[] = '';
857+
// Add one more part to make the path end in slash unless it already ends with slash
858+
if (count($parts) < 2 || $parts[array_key_last($parts)] !== '') {
859+
$parts[] = '';
860+
}
858861

859862
return implode('/', $parts);
860863
}

libraries/classes/Controllers/AbstractController.php

Lines changed: 2 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -13,7 +13,6 @@
1313
use PhpMyAdmin\Url;
1414

1515
use function __;
16-
use function basename;
1716
use function defined;
1817

1918
abstract class AbstractController
@@ -105,7 +104,6 @@ protected function redirect(string $route, array $params = []): void
105104
*/
106105
protected function checkParameters(array $params, bool $request = false): void
107106
{
108-
$reportedScriptName = basename($GLOBALS['PMA_PHP_SELF']);
109107
$foundError = false;
110108
$errorMessage = '';
111109
if ($request) {
@@ -119,8 +117,8 @@ protected function checkParameters(array $params, bool $request = false): void
119117
continue;
120118
}
121119

122-
$errorMessage .= $reportedScriptName
123-
. ': ' . __('Missing parameter:') . ' '
120+
$errorMessage .=
121+
__('Missing parameter:') . ' '
124122
. $param
125123
. MySQLDocumentation::showDocumentation('faq', 'faqmissingparameters', true)
126124
. '[br]';

libraries/classes/Routing.php

Lines changed: 58 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -17,15 +17,23 @@
1717
use Psr\Container\ContainerInterface;
1818

1919
use function __;
20+
use function array_pop;
21+
use function explode;
2022
use function file_exists;
2123
use function file_put_contents;
2224
use function htmlspecialchars;
25+
use function implode;
2326
use function is_array;
2427
use function is_readable;
2528
use function is_writable;
29+
use function mb_strlen;
30+
use function mb_strpos;
31+
use function mb_strrpos;
32+
use function mb_substr;
2633
use function rawurldecode;
2734
use function sprintf;
2835
use function trigger_error;
36+
use function urldecode;
2937
use function var_export;
3038

3139
use const CACHE_DIR;
@@ -208,4 +216,54 @@ public static function callSetupController(ServerRequest $request): void
208216
)),
209217
]);
210218
}
219+
220+
/**
221+
* PATH_INFO could be compromised if set, so remove it from PHP_SELF
222+
* and provide a clean PHP_SELF here
223+
*/
224+
public static function getCleanPathInfo(): string
225+
{
226+
$pmaPhpSelf = Core::getenv('PHP_SELF');
227+
if ($pmaPhpSelf === '') {
228+
$pmaPhpSelf = urldecode(Core::getenv('REQUEST_URI'));
229+
}
230+
231+
$_PATH_INFO = Core::getenv('PATH_INFO');
232+
if ($_PATH_INFO !== '' && $pmaPhpSelf !== '') {
233+
$question_pos = mb_strpos($pmaPhpSelf, '?');
234+
if ($question_pos != false) {
235+
$pmaPhpSelf = mb_substr($pmaPhpSelf, 0, $question_pos);
236+
}
237+
238+
$path_info_pos = mb_strrpos($pmaPhpSelf, $_PATH_INFO);
239+
if ($path_info_pos !== false) {
240+
$path_info_part = mb_substr($pmaPhpSelf, $path_info_pos, mb_strlen($_PATH_INFO));
241+
if ($path_info_part === $_PATH_INFO) {
242+
$pmaPhpSelf = mb_substr($pmaPhpSelf, 0, $path_info_pos);
243+
}
244+
}
245+
}
246+
247+
$path = [];
248+
foreach (explode('/', $pmaPhpSelf) as $part) {
249+
// ignore parts that have no value
250+
if ($part === '' || $part === '.') {
251+
continue;
252+
}
253+
254+
if ($part !== '..') {
255+
// cool, we found a new part
256+
$path[] = $part;
257+
} elseif ($path !== []) {
258+
// going back up? sure
259+
array_pop($path);
260+
}
261+
262+
// Here we intentionall ignore case where we go too up
263+
// as there is nothing sane to do
264+
}
265+
266+
/** TODO: Do we really need htmlspecialchars here? */
267+
return htmlspecialchars('/' . implode('/', $path));
268+
}
211269
}

libraries/classes/Server/Status/Data.php

Lines changed: 8 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -8,12 +8,12 @@
88

99
namespace PhpMyAdmin\Server\Status;
1010

11+
use PhpMyAdmin\Config;
1112
use PhpMyAdmin\DatabaseInterface;
1213
use PhpMyAdmin\ReplicationInfo;
1314
use PhpMyAdmin\Url;
1415

1516
use function __;
16-
use function basename;
1717
use function mb_strtolower;
1818
use function str_contains;
1919

@@ -51,8 +51,6 @@ class Data
5151
/** @var array */
5252
public array $sectionUsed;
5353

54-
public string $selfUrl;
55-
5654
public bool $dataLoaded;
5755

5856
private ReplicationInfo $replicationInfo;
@@ -168,18 +166,20 @@ private function getLinks(): array
168166
$primaryInfo = $this->replicationInfo->getPrimaryInfo();
169167
$replicaInfo = $this->replicationInfo->getReplicaInfo();
170168

169+
$selfUrl = $this->config->getRootPath();
170+
171171
$links = [];
172172
// variable or section name => (name => url)
173173

174174
$links['table'][__('Flush (close) all tables')] = [
175-
'url' => $this->selfUrl,
175+
'url' => $selfUrl,
176176
'params' => Url::getCommon(['flush' => 'TABLES'], ''),
177177
];
178178
$links['table'][__('Show open tables')] = [
179179
'url' => Url::getFromRoute('/sql'),
180180
'params' => Url::getCommon([
181181
'sql_query' => 'SHOW OPEN TABLES',
182-
'goto' => $this->selfUrl,
182+
'goto' => $selfUrl,
183183
], ''),
184184
];
185185

@@ -188,7 +188,7 @@ private function getLinks(): array
188188
'url' => Url::getFromRoute('/sql'),
189189
'params' => Url::getCommon([
190190
'sql_query' => 'SHOW SLAVE HOSTS',
191-
'goto' => $this->selfUrl,
191+
'goto' => $selfUrl,
192192
], ''),
193193
];
194194
$links['repl'][__('Show primary status')] = [
@@ -207,7 +207,7 @@ private function getLinks(): array
207207
$links['repl']['doc'] = 'replication';
208208

209209
$links['qcache'][__('Flush query cache')] = [
210-
'url' => $this->selfUrl,
210+
'url' => $selfUrl,
211211
'params' => Url::getCommon(['flush' => 'QUERY CACHE'], ''),
212212
];
213213
$links['qcache']['doc'] = 'query_cache';
@@ -344,13 +344,11 @@ private function sortVariables(
344344
];
345345
}
346346

347-
public function __construct(private DatabaseInterface $dbi)
347+
public function __construct(private DatabaseInterface $dbi, private Config $config)
348348
{
349349
$this->replicationInfo = new ReplicationInfo($this->dbi);
350350
$this->replicationInfo->load($_POST['primary_connection'] ?? null);
351351

352-
$this->selfUrl = basename($GLOBALS['PMA_PHP_SELF']);
353-
354352
// get status from server
355353
$server_status_result = $this->dbi->tryQuery('SHOW GLOBAL STATUS');
356354
if ($server_status_result === false) {

libraries/classes/UserPreferences.php

Lines changed: 1 addition & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -13,7 +13,6 @@
1313
use function __;
1414
use function array_flip;
1515
use function array_merge;
16-
use function basename;
1716
use function htmlspecialchars;
1817
use function http_build_query;
1918
use function is_array;
@@ -304,8 +303,7 @@ public function autoloadGetHeader(): string
304303
return '';
305304
}
306305

307-
$script_name = basename(basename($GLOBALS['PMA_PHP_SELF']));
308-
$return_url = $script_name . '?' . http_build_query($_GET, '', '&');
306+
$return_url = '?' . http_build_query($_GET, '', '&');
309307

310308
return $this->template->render('preferences/autoload', [
311309
'hidden_inputs' => Url::getHiddenInputs(),

libraries/services.php

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -205,7 +205,7 @@
205205
],
206206
'status_data' => [
207207
'class' => PhpMyAdmin\Server\Status\Data::class,
208-
'arguments' => ['@dbi'],
208+
'arguments' => ['@dbi', '@config'],
209209
],
210210
'status_monitor' => [
211211
'class' => PhpMyAdmin\Server\Status\Monitor::class,

0 commit comments

Comments
 (0)