diff --git a/adminer/include/bootstrap.inc.php b/adminer/include/bootstrap.inc.php
index f43fbee9..e8009b90 100644
--- a/adminer/include/bootstrap.inc.php
+++ b/adminer/include/bootstrap.inc.php
@@ -24,11 +24,12 @@ include "../adminer/include/functions.inc.php";
 if (!isset($_SERVER["REQUEST_URI"])) {
 $_SERVER["REQUEST_URI"] = $_SERVER["ORIG_PATH_INFO"] . ($_SERVER["QUERY_STRING"] != "" ? "?$_SERVER[QUERY_STRING]" : ""); // IIS 5 compatibility
 }
+$HTTPS = $_SERVER["HTTPS"] && strcasecmp($_SERVER["HTTPS"], "off");
 @ini_set("session.use_trans_sid", false); // protect links in export, @ - may be disabled
 if (!ini_bool("session.auto_start")) {
 session_name("adminer_sid"); // use specific session name to get own namespace
- $params = array(0, preg_replace('~\\?.*~', '', $_SERVER["REQUEST_URI"]), "", $_SERVER["HTTPS"] && strcasecmp($_SERVER["HTTPS"], "off"));
+ $params = array(0, preg_replace('~\\?.*~', '', $_SERVER["REQUEST_URI"]), "", $HTTPS);
 if (version_compare(PHP_VERSION, '5.2.0') >= 0) {
 $params[] = true; // HttpOnly
 }
diff --git a/adminer/include/design.inc.php b/adminer/include/design.inc.php
index 5c89085c..6cb3626f 100644
--- a/adminer/include/design.inc.php
+++ b/adminer/include/design.inc.php
@@ -7,11 +7,11 @@
 * @return null
 */
 function page_header($title, $error = "", $breadcrumb = array(), $title2 = "") {
- global $LANG, $VERSION, $adminer, $connection, $drivers;
+ global $LANG, $VERSION, $HTTPS, $adminer, $connection, $drivers;
 header("Content-Type: text/html; charset=utf-8");
 header("X-Frame-Options: deny"); // ClickJacking protection in IE8, Safari 4, Chrome 2, Firefox NoScript plugin
 $title_all = $title . ($title2 != "" ? ": " . h($title2) : "");
- $protocol = ($_SERVER["HTTPS"] && strcasecmp($_SERVER["HTTPS"], "off") ? "https" : "http");
+ $protocol = ($HTTPS ? "https" : "http");
 ?>
diff --git a/adminer/include/functions.inc.php b/adminer/include/functions.inc.php
index 74d1a4c7..ab06932b 100644
--- a/adminer/include/functions.inc.php
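Review bot: The new `$HTTPS = $_SERVER["HTTPS"] && strcasecmp($_SERVER["HTTPS"], "off");` reads the index unconditionally, and on a plain-HTTP request `$_SERVER["HTTPS"]` is commonly absent, so every request raises an undefined-index notice unless notices are masked elsewhere in bootstrap (not visible in this hunk); `$HTTPS = (isset($_SERVER["HTTPS"]) && strcasecmp($_SERVER["HTTPS"], "off"));` keeps the same truth value and avoids it. Because this one variable now decides the Secure flag on the session cookie here, on the cookie set in cookie() and on `$protocol` in page_header(), its contract deserves a comment on the line: `// true when the request arrived over TLS; also controls the Secure flag on every cookie Adminer sets`. The value is derived from the local connection only, so behind a TLS-terminating proxy it stays false; if that deployment is meant to be supported, say so in that comment rather than leaving it implicit.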
+++ b/adminer/include/functions.inc.php
@@ -245,13 +245,14 @@ function where_link($i, $column, $value, $operator = "=") {
 * @return bool
 */
 function cookie($name, $value) {
+ global $HTTPS;
 $params = array(
 $name,
 (ereg("\n", $value) ? "" : $value), // HTTP Response Splitting protection in PHP < 5.1.2
 time() + 2592000, // 2592000 - 30 days
 preg_replace('~\\?.*~', '', $_SERVER["REQUEST_URI"]),
 "",
- $_SERVER["HTTPS"] && strcasecmp($_SERVER["HTTPS"], "off")
+ $HTTPS
 );
 if (version_compare(PHP_VERSION, '5.2.0') >= 0) {
 $params[] = true; // HttpOnly
@@ -703,11 +704,11 @@ function is_email($email) {
 /** Check whether the string is URL address
 * @param string
-* @return bool
+* @return string "http", "https" or ""
 */
 function is_url($string) {
- $domain = '[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])'; // one domain component
- return preg_match("~^https?://($domain?\\.)+$domain(:[0-9]+)?(/.*)?(\\?.*)?(#.*)?\$~i", $string); //! restrict path, query and fragment characters
+ $domain = '[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])'; // one domain component //! IDN
+ return (preg_match("~^(https?)://($domain?\\.)+$domain(:[0-9]+)?(/.*)?(\\?.*)?(#.*)?\$~i", $string, $match) ? strtolower($match[1]) : ""); //! restrict path, query and fragment characters
 }
 /** Print header for hidden fieldset (close by )
diff --git a/adminer/select.inc.php b/adminer/select.inc.php
index eed76f94..2380fa26 100644
--- a/adminer/select.inc.php
+++ b/adminer/select.inc.php
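Review bot: The rewritten pattern in is_url() still ends in `\$` with only the `i` modifier, so a value with a trailing newline such as `"http://example.com\n"` is accepted and reported as "http"; adding the `D` modifier, `\$~iD`, makes the anchor mean end of string. The `(/.*)?(\\?.*)?(#.*)?` groups accept quotes, angle brackets and spaces, which the existing `//!` marker already acknowledges, but it matters more now that a caller in select.inc.php places the matched value into a link directly, so whoever renders the result must still HTML-escape it. The return type changes from int to string, which is compatible only for callers that test the result in boolean context; any caller comparing against `1` or `true` with `===` (none visible in this diff) would silently stop matching, so it is worth grepping for before merging.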
@@ -315,11 +315,16 @@ if (!$columns) {
 }
 }
 }
- if (!$link && is_email($val)) {
- $link = "mailto:$val";
- }
- if (!$link && is_url($row[$key])) {
- $link = "http://www.adminer.org/redirect/?url=" . urlencode($row[$key]); // intermediate page to hide Referer, may be changed to rel="noreferrer" in HTML5
+ if (!$link) {
+ if (is_email($val)) {
+ $link = "mailto:$val";
+ }
+ if ($protocol = is_url($row[$key])) {
+ $link = ($protocol == "http" && $HTTPS
+ ? $row[$key] // HTTP links from HTTPS pages don't receive Referer automatically
+ : "$protocol://www.adminer.org/redirect/?url=" . urlencode($row[$key]) // intermediate page to hide Referer, may be changed to rel="noreferrer" in HTML5
+ );
+ }
 }
 $id = h("val[$unique_idf][" . bracket_escape($key) . "]");
 $value = $_POST["val"][$unique_idf][bracket_escape($key)];
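Review bot: The `$protocol == "http" && $HTTPS` branch is the first place that copies `$row[$key]` into `$link` unmodified rather than through urlencode(), and is_url() accepts quotes, angle brackets and spaces in the path, query and fragment, so the link is only safe if the line that renders `$link` (outside this hunk) passes it through h(); please confirm that render site. `$HTTPS` is used here without a `global` statement, which is correct only if select.inc.php is included at file scope rather than from inside a function — the include site is not visible, so this is an assumption to check. The assignment inside the condition, `if ($protocol = is_url($row[$key]))`, reads like a mistyped `==` to the next maintainer; `$protocol = is_url($row[$key]); if ($protocol != "") {` says the same thing without the ambiguity. Dropping the `!$link` guard in front of the is_url() test also lets a URL match overwrite a mailto: link set just above, which is harmless only while the two predicates stay disjoint.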