From a5b65fba5b4f420651a9e388c5702c101d85d7d9 Mon Sep 17 00:00:00 2001
From: Jakub Vrana
Date: Wed, 1 Jun 2016 09:05:16 -0700
Subject: [PATCH] Fix remote execution in SQLite query (thanks to Vincent Waart)
---
 adminer/sql.inc.php | 12 ++++++------
 changes.txt | 1 +
 2 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/adminer/sql.inc.php b/adminer/sql.inc.php
index 6e366502..fbecbfb2 100644
--- a/adminer/sql.inc.php
+++ b/adminer/sql.inc.php
@@ -45,7 +45,7 @@ if (!$error && $_POST) {
 }
 }
- $space = "(?:\\s|/\\*.*\\*/|(?:#|-- )[^\n]*\n|--\r?\n)";
+ $space = "(?:\\s|/\\*[\s\S]*?\\*/|(?:#|-- )[^\n]*\n?|--\r?\n)";
 $delimiter = ";";
 $offset = 0;
 $empty = true;
@@ -62,7 +62,7 @@ if (!$error && $_POST) {
 unset($dump_format["sql"]);
 while ($query != "") {
- if (!$offset && preg_match("~^$space*DELIMITER\\s+(\\S+)~i", $query, $match)) {
+ if (!$offset && preg_match("~^$space*+DELIMITER\\s+(\\S+)~i", $query, $match)) {
 $delimiter = $match[1];
 $query = substr($query, strlen($match[0]));
 } else {
@@ -94,7 +94,7 @@ if (!$error && $_POST) {
 $q = substr($query, 0, $pos);
 $commands++;
 $print = "
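Review bot: The `$space` pattern in the `@@ -45` hunk still describes MySQL-style comments (`#`, and `-- ` with a mandatory space), yet the `@@ -94` hunk relies on it to decide what may precede `ATTACH` when `$jush == "sqlite"`. SQLite's comment and whitespace rules are not guaranteed to match, so the guard and the engine can disagree about where a statement starts. Consider a driver-specific whitespace pattern for that guard, or at least a comment such as `// $space must cover everything the SQLite tokenizer skips before a keyword`. Separately, the new `[\s\S]` works only because PHP leaves unknown escapes untouched inside double quotes, while every other backslash in the string is doubled; `[\\s\\S]` would be consistent. The enclosing `if (!$error && $_POST)` block starts and ends outside the hunk.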
" . shorten_utf8(trim($q), 1000) . "
\n";
- if ($jush == "sqlite" && preg_match("~^$space*ATTACH\b~i", $q, $match)) {
+ if ($jush == "sqlite" && preg_match("~^$space*+ATTACH\\b~i", $q, $match)) {
 // PHP doesn't support setting SQLITE_LIMIT_ATTACHED
 echo $print;
 echo "

" . lang('ATTACH queries are not supported.') . "\n";
@@ -110,7 +110,7 @@ if (!$error && $_POST) {
 }
 $start = microtime(true); //! don't allow changing of character_set_results, convert encoding of displayed query
- if ($connection->multi_query($q) && is_object($connection2) && preg_match("~^$space*USE\\b~isU", $q)) {
+ if ($connection->multi_query($q) && is_object($connection2) && preg_match("~^$space*+USE\\b~i", $q)) {
 $connection2->query($q);
 }
@@ -143,7 +143,7 @@ if (!$error && $_POST) { . "" . " \n" ;
- if ($connection2 && preg_match("~^($space|\\()*SELECT\\b~isU", $q) && ($explain = explain($connection2, $q))) {
+ if ($connection2 && preg_match("~^($space|\\()*+SELECT\\b~i", $q) && ($explain = explain($connection2, $q))) {
 $id = "explain-$commands";
 echo ", EXPLAIN$export";
 echo "
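Review bot: In the `@@ -94` hunk the ATTACH guard fails open when the regex engine itself errors: `preg_match()` returns `false` on a PCRE failure such as an exceeded limit, and the `if` treats that the same as "no match". The statement then presumably continues to the `multi_query()` call visible in the `@@ -110` hunk. For a security check the error case should block as well, e.g. `if ($jush == "sqlite" && preg_match("~^$space*+ATTACH\\b~i", $q, $match) !== 0) {`. The guard also looks only at the start of `$q`, so a one-line comment stating that it relies on `$q` holding a single statement would help the next maintainer. The surrounding `while` loop begins and ends outside the hunk.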