Fix open redirect if Adminer is accessible at //adminer.php%2F@ (thanks to Prakash Sharma)

2020-05-11 11:49:46 +02:00 · 2020-05-11 11:49:46 +02:00 · 6a2de873e1
parent a9c1004232
commit 6a2de873e1
3 changed files with 10 additions and 2 deletions
--- a/adminer/include/bootstrap.inc.php
+++ b/adminer/include/bootstrap.inc.php
@ -84,7 +84,7 @@ include "../adminer/drivers/mysql.inc.php"; // must be included as last driver

 define("SERVER", $_GET[DRIVER]); // read from pgsql=localhost
 define("DB", $_GET["db"]); // for the sake of speed and size
-define("ME", str_replace(":", "%3a", preg_replace('~^[^?]*/([^?]*).*~', '\1', $_SERVER["REQUEST_URI"])) . '?'
+define("ME", str_replace(":", "%3a", preg_replace('~\?.*~', '', relative_uri())) . '?'
 	. (sid() ? SID . '&' : '')
 	. (SERVER !== null ? DRIVER . "=" . urlencode(SERVER) . '&' : '')
 	. (isset($_GET["username"]) ? "username=" . urlencode($_GET["username"]) . '&' : '')
--- a/adminer/include/functions.inc.php
+++ b/adminer/include/functions.inc.php
@ -721,12 +721,19 @@ function format_time($start) {
 	return lang('%.3f s', max(0, microtime(true) - $start));
 }

+/** Get relative REQUEST_URI
+* @return string
+*/
+function relative_uri() {
+	return preg_replace('~^[^?]*/([^?]*)~', '\1', $_SERVER["REQUEST_URI"]);
+}
+
 /** Remove parameter from query string
 * @param string
 * @return string
 */
 function remove_from_uri($param = "") {
-	return substr(preg_replace("~(?<=[?&])($param" . (SID ? "" : "|" . session_name()) . ")=[^&]*&~", '', "$_SERVER[REQUEST_URI]&"), 0, -1);
+	return substr(preg_replace("~(?<=[?&])($param" . (SID ? "" : "|" . session_name()) . ")=[^&]*&~", '', relative_uri() . "&"), 0, -1);
 }

 /** Generate page number for pagination
--- a/changes.txt
+++ b/changes.txt
@ -1,4 +1,5 @@
 Adminer 4.7.7-dev:
+Fix open redirect if Adminer is accessible at //adminer.php%2F@

 Adminer 4.7.6 (released 2020-01-31):
 Speed up alter table form (regression from 4.4.0)